Hi,

Thanks for reporting this!
I managed to reproduce the issue - it seems the code currently does not
account for the policy of an ebtables chain (see [0])

Please open a bug report over at https://bugzilla.proxmox.com 

as a mitigation until this is fixed you could add a final rule which drops
all packets to your ruleset:
```
ebtables -A test -j DROP
```

kind regards,
stoiko

[0]
https://git.proxmox.com/?p=pve-firewall.git;a=blob;f=src/PVE/Firewall.pm;h=a2105e5410590b30305bd6941ddcc8bfe40159da;hb=HEAD#l4166

On Fri, 29 May 2020 15:46:26 +0200
José Manuel Giner <j...@ginernet.com> wrote:

> Seems it's a bug "fixed", but is still here:
> 
> https://git.proxmox.com/?p=pve-firewall.git;a=commit;h=84025e9943d236414fbd869b89cb2e8e17af3208
> 
> 
> 
> 
> On 29/05/2020 14:24, José Manuel Giner wrote:
> > Any info?
> > 
> > 
> > On 28/05/2020 18:07, José Manuel Giner wrote:  
> >> Hello,
> >>
> >> when I create a ebtables chain in a HN with DROP policy, after some 
> >> seconds is automatically modified to ACCEPT
> >>
> >> ebtables -N test
> >> ebtables -P test DROP
> >>
> >> some seconds later:
> >>
> >> #ebtables -L
> >> Bridge chain: test, entries: 0, policy: ACCEPT
> >>
> >> I've tried to disable "ebtables" on the datacenter, but nothing seems 
> >> to affect.
> >>
> >> Any idea?
> >>
> >> Thanks!
> >>
> >>  
> >   
> 


_______________________________________________
pve-user mailing list
pve-user@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user

Reply via email to