On Mon, Nov 16, 2020 at 4:24 PM Laine Stump <laine@redhat.com> wrote:
On 11/16/20 2:01 AM, Christian Ehrhardt wrote:
Hi, I have last week discussed breakage in nwfilter usage on IRC
<filterref filter='clean-traffic'> <parameter name='CTRL_IP_LEARNING' value='dhcp'/> </filterref> virsh start <guest> error: Failed to start domain <guest> error: internal error: applyDHCPOnlyRules failed - spoofing not protect
With debug in the logs enabled I got confirmation by Daniel (thanks!) that the command sequence libvirt issued looked kind of "normal".
Hereby I wanted to let you know that some further debugging identified a part of the sequence that libvirt issues as being broken in recent ebtables versions.
# ebtables --concurrent -t nat -N testrule3 # ebtables --concurrent -t nat -E testrule3 testrule3-renamed ebtables v1.8.6 (nf_tables): Chain 'testrule3' doesn't exists
So you're saying you can just run those two commands together and always get the error? (assuming that "testrule3 and testrule3-renamed don't exist beforehand)
yes
From your description it sounds like maybe the error doesn't occur when there is a pause between the two commands - is that right, or am I assuming too much?
Assuming too much, it happens when libvirt issues them at "computer speed" as well as when I run them manually at "human speed". I have not tried waiting an extra long time in between thou ...
I tried the above commands (well, I put the two commands together on a single line separated by ";") on a Fedora 33 system and a RHEL 8.3.0 system, and both of them completed successfully.
This is the fedora ebtables -V: ebtables v2.0.11 (legacy) (December 2011)
Those worked on Ubuntu as well in older releases.
And this is the ebtables -V on RHEL 8.3.0: ebtables 1.8.4 (nf_tables)
That since 1.8.5 is what is broken for us at the moment. Thanks for cross checking Laine!
(I don't have any idea how the version's relate to each other for legacy ebtables vs. the nf_tables version)
This led to upstream ebtables bug [1] - for now just FYI in case you want/need to subscribe for your own tracking.
-- Christian Ehrhardt Staff Engineer, Ubuntu Server Canonical Ltd