Those are set bynet.bridge.bridge-nf-call-arptables
net.bridge.bridge-nf-call-ip6tables
net.bridge.bridge-nf-call-iptables
/etc/sysctl.d/pve.conf since 2012 https://git.proxmox.com/?p=pve-cluster.git;a=commitdiff;h=501839cac97f68d4dcba21df6fb3797b976e9e56 due to causing performance regressions on many guests, bridge separation should rather use a real separating technology like VLAN or VXLAN, see the following mail for some detailshttps://lists.proxmox.com/pipermail/pve-devel/2012-March/002418.html
(other distros like RHEL was taken as argument that this was accepted and working default behavior)
If you want to apply rules directly on the bridge, not the actual tapX or ethX devices like pve-firewall does, then you can just drop those lines from that config (or add an override in a lexical later sorted filename to set them to 1).
This could be mentioned in the docs, but besides that I see no issue here - the PVE firewall works after all and other do not suddenly stop working due to this, this is set on boot (so any simple test would show that the setting is off).
 
	 
	 
 
		 
 
		