nwfilter issue with new ebtables

Laine Stump laine at redhat.com
Tue Nov 17 03:12:43 UTC 2020


On 11/16/20 10:36 AM, Daniel P. Berrangé wrote:
> On Mon, Nov 16, 2020 at 10:23:32AM -0500, Laine Stump wrote:
>> On 11/16/20 2:01 AM, Christian Ehrhardt wrote:
>>> Hi,
>>> I have last week discussed breakage in nwfilter usage on IRC
>>>
>>>      <filterref filter='clean-traffic'>
>>>        <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
>>>      </filterref>
>>> virsh start <guest>
>>>     error: Failed to start domain <guest>
>>>     error: internal error: applyDHCPOnlyRules failed - spoofing not protect
>>>
>>> With debug in the logs enabled I got confirmation by Daniel (thanks!)
>>> that the command sequence libvirt issued looked kind of "normal".
>>>
>>> Hereby I wanted to let you know that some further debugging identified
>>> a part of the sequence that libvirt issues as being broken in recent
>>> ebtables versions.
>>>
>>>     # ebtables --concurrent -t nat -N testrule3
>>>     # ebtables --concurrent -t nat -E testrule3 testrule3-renamed
>>>     ebtables v1.8.6 (nf_tables): Chain 'testrule3' doesn't exists
>>
>>
>> So you're saying you can just run those two commands together and always get
>> the error? (assuming that "testrule3 and testrule3-renamed don't exist
>> beforehand)
>>
>>
>> From your description it sounds like maybe the error doesn't occur when
>> there is a pause between the two commands - is that right, or am I assuming
>> too much?
>>
>>
>> I tried the above commands (well, I put the two commands together on a
>> single line separated by ";") on a Fedora 33 system and a RHEL 8.3.0 system,
>> and both of them completed successfully.
> 
> I tried it on Fedora 33 and it failed :-)

Strange. Both of my Fedora 33 systems are using iptables-1.8.5 and 
ebtables-legacy-2.0.11. Is this because they were upgraded rather than 
fresh installs? That seems kind of... bad. :-/ Whatever the case, I 
should really remedy that.

> 
> It looks like the issue is with iptables-nft impl
> 
>> This is the fedora ebtables -V: ebtables v2.0.11 (legacy) (December 2011)
>>
>>
>> And this is the ebtables -V on RHEL 8.3.0: ebtables 1.8.4 (nf_tables)
> 
> I guess it means 1.8.5 iptables-nft is broken. I filed a Fedora Bug
> too which should get more direct attention of the person who's likely
> to fix this.
> 
>    https://bugzilla.redhat.com/show_bug.cgi?id=1898130
> 
> 
> Regards,
> Daniel
> 
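
The two-command sequence quoted above, wrapped as a self-contained reproducer. This is an added example for this thread, not libvirt's or ebtables' own code. It assumes `ebtables` is on PATH and that the caller holds CAP_NET_ADMIN; the chain names lv-repro and lv-repro-renamed, the helper names, and the one-second pause are arbitrary choices for the test. Besides running create-then-rename the way libvirt does, it reports which ebtables front end is installed (legacy vs. nf_tables, the distinction the reply turns on), classifies the rename error so the "Chain ... doesn't exist" failure is told apart from a privilege problem, and can rerun the pair with a pause between the commands, which is the timing question raised above.

```shell
#!/bin/sh
# Added reproducer for the ebtables chain-rename failure discussed in this
# thread. Example code, not libvirt's or ebtables' own. Assumes `ebtables`
# is in PATH and the caller has CAP_NET_ADMIN; chain names are arbitrary.

# Report which ebtables front end is installed: legacy, nf_tables, or missing.
ebtables_backend() {
    if ! command -v ebtables >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    case "$(ebtables -V 2>&1)" in
        *legacy*)    echo legacy ;;
        *nf_tables*) echo nf_tables ;;
        *)           echo unknown ;;
    esac
}

# Classify an ebtables error message so a genuinely missing chain can be
# told apart from a privilege problem or anything else.
classify_ebtables_error() {
    case "$1" in
        *"doesn't exist"*)                       echo chain-missing ;;
        *"Permission denied"*|*"not permitted"*) echo no-privilege ;;
        "")                                      echo none ;;
        *)                                       echo other ;;
    esac
}

# Run the sequence libvirt issues: create a user chain in the nat table,
# then rename it. Optional third argument is a delay in seconds between the
# two commands, to test whether a pause changes the outcome.
# Prints one of: ok, chain-missing, no-privilege, create-failed, other, missing.
probe_chain_rename() {
    chain=$1
    renamed=$2
    delay=${3:-0}
    if ! command -v ebtables >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    # Start from a clean slate; failures here just mean the chains are absent.
    ebtables --concurrent -t nat -X "$chain" >/dev/null 2>&1 || true
    ebtables --concurrent -t nat -X "$renamed" >/dev/null 2>&1 || true

    if ! err=$(ebtables --concurrent -t nat -N "$chain" 2>&1); then
        result=$(classify_ebtables_error "$err")
        if [ "$result" = other ]; then result=create-failed; fi
        echo "$result"
        return 0
    fi
    if [ "$delay" != 0 ]; then sleep "$delay"; fi

    if err=$(ebtables --concurrent -t nat -E "$chain" "$renamed" 2>&1); then
        result=ok
        ebtables --concurrent -t nat -X "$renamed" >/dev/null 2>&1 || true
    else
        result=$(classify_ebtables_error "$err")
        ebtables --concurrent -t nat -X "$chain" >/dev/null 2>&1 || true
    fi
    echo "$result"
}

# Usage: probe back-to-back (as libvirt does) and again with a one-second pause.
echo "backend:       $(ebtables_backend)"
echo "back-to-back:  $(probe_chain_rename lv-repro lv-repro-renamed)"
echo "with 1s pause: $(probe_chain_rename lv-repro lv-repro-renamed 1)"
```

On a host with the legacy front end both probes are expected to print `ok`; a `chain-missing` result from the back-to-back run on an nf_tables front end is the failure reported in this thread. Run it as root, since both commands need to talk to netfilter.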