Hi,

Thanks for reporting this!
I managed to reproduce the issue - it seems the code currently does not account for the policy of an ebtables chain (see [0])

Please open a bug report over at https://bugzilla.proxmox.com

as a mitigation until this is fixed you could add a final rule which drops all packets to your ruleset:

```
ebtables -A test -j DROP
```

kind regards,
stoiko

[0] https://git.proxmox.com/?p=pve-firewall.git;a=blob;f=src/PVE/Firewall.pm;h=a2105e5410590b30305bd6941ddcc8bfe40159da;hb=HEAD#l4166

On Fri, 29 May 2020 15:46:26 +0200
José Manuel Giner <j...@ginernet.com> wrote:

> Seems it's a bug "fixed", but is still here:
>
> https://git.proxmox.com/?p=pve-firewall.git;a=commit;h=84025e9943d236414fbd869b89cb2e8e17af3208
>
>
> On 29/05/2020 14:24, José Manuel Giner wrote:
> > Any info?
> >
> >
> > On 28/05/2020 18:07, José Manuel Giner wrote:
> >> Hello,
> >>
> >> when I create a ebtables chain in a HN with DROP policy, after some
> >> seconds is automatically modified to ACCEPT
> >>
> >> ebtables -N test
> >> ebtables -P test DROP
> >>
> >> some seconds later:
> >>
> >> #ebtables -L
> >> Bridge chain: test, entries: 0, policy: ACCEPT
> >>
> >> I've tried to disable "ebtables" on the datacenter, but nothing seems
> >> to affect.
> >>
> >> Any idea?
> >>
> >> Thanks!
> >>

_______________________________________________
pve-user mailing list
pve-user@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user