Re: nwfilter issue with new ebtables

On 11/16/20 2:01 AM, Christian Ehrhardt wrote: > Hi, > I have last week discussed breakage in nwfilter usage on IRC > > <filterref filter='clean-traffic'> > <parameter name='CTRL_IP_LEARNING' value='dhcp'/> > </filterref> > virsh start <guest> > error: Failed to start domain <guest> > error: internal error: applyDHCPOnlyRules failed - spoofing not protect > > With debug in the logs enabled I got confirmation by Daniel (thanks!) > that the command sequence libvirt issued looked kind of "normal". > > Hereby I wanted to let you know that some further debugging identified > a part of the sequence that libvirt issues as being broken in recent > ebtables versions. > > # ebtables --concurrent -t nat -N testrule3 > # ebtables --concurrent -t nat -E testrule3 testrule3-renamed > ebtables v1.8.6 (nf_tables): Chain 'testrule3' doesn't exists So you're saying you can just run those two commands together and always get the error? (assuming that "testrule3 and testrule3-renamed don't exist beforehand)

From your description it sounds like maybe the error doesn't occur when there is a pause between the two commands - is that right, or am I assuming too much?

I tried the above commands (well, I put the two commands together on a single line separated by ";") on a Fedora 33 system and a RHEL 8.3.0 system, and both of them completed successfully. This is the fedora ebtables -V: ebtables v2.0.11 (legacy) (December 2011)

And this is the ebtables -V on RHEL 8.3.0: ebtables 1.8.4 (nf_tables)

(I don't have any idea how the version's relate to each other for legacy ebtables vs. the nf_tables version) > This led to upstream ebtables bug [1] - for now just FYI in case you > want/need to subscribe for your own tracking. > > [1]: https://bugzilla.netfilter.org/show_bug.cgi?id=1481 >