[SOLVED] Disable promiscous mode on br0?

Message

Kellerkalt · Post by **Kellerkalt** » Sat May 03, 2025 5:25 pm

I have successfully setup single NIC bridge mode as described here:
https://wiki.gentoo.org/wiki/Network_bridge#OpenRC

I am using it for a few libvirt/Qemu VMs that I want directly exposed to the LAN. I do also have virbr0 for a few VMs on their own private VLAN.

RKHunter has noticed that br0 is in promiscuous mode so I disabled it with this command:

Code: Select all

ip link set br0 promisc off

The VM exposed to the LAN and using br0 is still functioning after turning promiscuous mode off on br0, so I'm left wondering if promiscuous mode is actually needed. I didn't specifically enable promiscuous mode on br0, it just happened after setting it up per the wiki and RKHunter happened to notice.

Are there any drawbacks to disabling promiscuous mode on br0 and if not, how do I disable it on startup? Do I put a line in /etc/conf.d/net and if so, what would that setting/line look like?

This is what my /etc/conf.d/net currently looks like:

Code: Select all

config_enp8s0="null"
bridge_br0="enp8s0"

config_br0="192.168.1.2 netmask 255.255.255.0"
routes_br0="default via 192.168.1.1"

bridge_forward_delay_br0=0
bridge_hello_time_br0=1000

Thanks,
Kellerkalt

grknight · Post by **grknight** » Sat May 03, 2025 8:38 pm

This looks difficult to do with netifrc bridges as promisc is specifically enabled with every bridge on creation just before fully bringing the interface up.

Kellerkalt · Post by **Kellerkalt** » Wed May 28, 2025 1:23 am

It feels like a complete and ugly hack, and please let me know if I shouldn't do this for security reasons, but I put this in root's crontab:

Code: Select all

@reboot /usr/sbin/sleep 30 ; /usr/sbin/ip link set br0 promisc off

And it seems to be working well.