The issue was confirmed and a fix is now committed to the upstream repository.
=>
http://git.netfilter.org/iptables/commit/?id=55b7c71dce7144f4dc0297c17abf0f04879ee247
@Alex, will you (as usual) do the upload of that? It will eventually be
Groovy and Hirsute that need this.
** Also affects: iptables (Ubuntu Groovy)
Importance: Undecided
Status: New
** Description changed:
+ [SRU]
+
+ * Changes that went into 1.8.5 have broken the errno handling,
+ in particular when loading extensions. Due to that it has become
+ impossible to rename rules.
+
+ * Upstream has created a fix and this backports that change to
+ Ubuntu
+ =>
http://git.netfilter.org/iptables/commit/?id=55b7c71dce7144f4dc0297c17abf0f04879ee247
+
+ [Test Case]
+
+ * # ebtables -t nat -N foo
+ # ebtables -t nat -E foo bar
+ ebtables v1.8.5 (nf_tables): Chain 'foo' doesn't exists
+
+ * with the fix the above command sequence works
+
+ [Where problems could occur]
+
+ * The change moved code from nft_chain_user_rename to do_commandeb and
+ therefore in theory any ebtables/xtables subcommand could be affected.
+ Yet what it does is just resetting the error code in a better place, so
+ while it "could" affect every subcommand it should (tm) not do so.
+
+
+ [Other Info]
+
+ * n/a
+
+
+ ---
+
Hi,
I have an issue with ebtables that affects libvirt.
While initially found in Hirsute, I had to realize this is broken in
Groovy and even Bionic (might be a different reason back then) as well right
now.
But it is working in Focal (which matches my memory of it being good before [1]).
I was isolating the commands that libvirt runs (identical between Focal
and Hirsute) to find a simplified trigger. Gladly I found one that leaves
libvirt and other components out of the equation.
The following works on focal, but fails on the other releases.
Note: I checked which tool is in use and in both cases it is
xtables-nft-multi.
/usr/sbin/ebtables -> /etc/alternatives/ebtables*
/etc/alternatives/ebtables -> /usr/sbin/ebtables-nft*
/usr/sbin/ebtables-nft -> xtables-nft-multi*
So I converted the libvirt issued commands into xtables-nft-multi just to be
sure in case a system to compare has other alternatives set.
Focal (Good):
/usr/sbin/xtables-nft-multi ebtables --concurrent -t nat -N testrule3
/usr/sbin/xtables-nft-multi ebtables --concurrent -t nat -E testrule3 testrule3-renamed
<system is happy>
Groovy/Hirsute (Fail):
/usr/sbin/xtables-nft-multi ebtables --concurrent -t nat -N testrule3
/usr/sbin/xtables-nft-multi ebtables --concurrent -t nat -E testrule3 testrule3-renamed
ebtables v1.8.5 (nf_tables): Chain 'testrule3' doesn't exists
Try `ebtables -h' or 'ebtables --help' for more information.
What might be the root cause for this?
-
-- Old test instructions --
As I said I was tracking a fail in libvirt so the test instructions initially
were around that:
-
# the following is done as 2nd level guest (to not mess with the host,
# but works on bare metal just as much)
uvt-kvm create --host-passthrough --memory 2048 --cpu 4 --disk 16 --password=ubuntu hirsute-kvm release=hirsute arch=amd64 label=daily
# On guest then
sudo apt update
sudo apt install uvtool uvtool-libvirt
uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=hirsute
uvt-kvm create --disk 5 --machine-type ubuntu --password=ubuntu hirsute-2nd-lvm release=hirsute arch=amd64 label=daily
uvt-kvm wait hirsute-2nd-lvm
virsh shutdown hirsute-2nd-lvm
virsh edit hirsute-2nd-lvm
# add this to the network
- <filterref filter='clean-traffic'>
- <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
- </filterref>
+ <filterref filter='clean-traffic'>
+ <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
+ </filterref>
virsh start hirsute-2nd-lvm
- error: Failed to start domain hirsute-2nd-nwfilter
- error: internal error: applyDHCPOnlyRules failed - spoofing not protected!
+ error: Failed to start domain hirsute-2nd-nwfilter
+ error: internal error: applyDHCPOnlyRules failed - spoofing not protected!
FYI: Get helpful log details with these in /etc/libvirt/libvirtd.conf
log_filters="1:util.firewall"
log_outputs="1:syslog:libvirtd"
-- --
[1]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1758037
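To make the failure class behind the SRU text concrete (errno left behind by extension loading being read as the result of the later rename), here is a constructed C illustration. It is not iptables/ebtables code and does not reproduce the exact upstream flow: the chain table, the extension probe and the two command layers are hypothetical stand-ins; it only shows why a stale errno produces a spurious "chain doesn't exist" and why resetting errno right before the call that is inspected (and only consulting it on actual failure) fixes it.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed in-memory chain table standing in for the nft-side table
 * (hypothetical; not the iptables implementation). */
#define MAX_CHAINS 8
#define NAME_LEN   32
static char chains[MAX_CHAINS][NAME_LEN];
static int nchains;

enum { RENAME_OK = 0, ERR_NO_SUCH_CHAIN = 1, ERR_OTHER = 2 };

static void table_reset(void) { nchains = 0; }

/* Index of the named chain, or -1; does not touch errno. */
static int chain_find(const char *name)
{
    for (int i = 0; i < nchains; i++)
        if (strcmp(chains[i], name) == 0)
            return i;
    return -1;
}

static int chain_new(const char *name)
{
    if (nchains >= MAX_CHAINS) { errno = ENOSPC; return -1; }
    snprintf(chains[nchains++], NAME_LEN, "%s", name);
    return 0;
}

/* Low-level rename: 0 on success with errno left untouched (as a
 * successful libc/syscall-style call behaves), -1 with errno = ENOENT
 * when the source chain is missing. */
static int do_rename(const char *from, const char *to)
{
    int idx = chain_find(from);
    if (idx < 0) { errno = ENOENT; return -1; }
    snprintf(chains[idx], NAME_LEN, "%s", to);
    return 0;
}

/* Hypothetical extension probe: looking for an optional match/target
 * module that is not installed leaves errno = ENOENT behind, even though
 * the command being run does not need that module. */
static int probe_optional_extension(const char *name)
{
    (void)name;
    errno = ENOENT;   /* simulated "no such file" from a missed lookup */
    return -1;
}

/* Buggy command layer: derives "chain doesn't exist" from errno without
 * having cleared it first, so the stale ENOENT from the probe is
 * misattributed to the rename. */
static int cmd_rename_buggy(const char *from, const char *to)
{
    probe_optional_extension("limit");
    int rc = do_rename(from, to);
    if (errno == ENOENT)
        return ERR_NO_SUCH_CHAIN;
    return rc == 0 ? RENAME_OK : ERR_OTHER;
}

/* Fixed command layer: errno is reset immediately before the call whose
 * errno will be inspected, and it is only consulted when that call
 * actually reported failure. */
static int cmd_rename_fixed(const char *from, const char *to)
{
    probe_optional_extension("limit");
    errno = 0;
    int rc = do_rename(from, to);
    if (rc < 0 && errno == ENOENT)
        return ERR_NO_SUCH_CHAIN;
    return rc == 0 ? RENAME_OK : ERR_OTHER;
}

/* Mirrors the SRU test case (-N foo, then -E foo bar) against either
 * command layer and returns the code that layer reported. */
static int run_rename_scenario(int use_fixed)
{
    table_reset();
    chain_new("foo");
    return use_fixed ? cmd_rename_fixed("foo", "bar")
                     : cmd_rename_buggy("foo", "bar");
}

/* Checks that the fixed layer still reports a genuinely missing chain. */
static int run_missing_chain_scenario(void)
{
    table_reset();
    return cmd_rename_fixed("nope", "bar");
}

int main(void)
{
    int buggy = run_rename_scenario(0);
    int fixed = run_rename_scenario(1);
    printf("buggy layer: %s\n",
           buggy == ERR_NO_SUCH_CHAIN ? "Chain 'foo' doesn't exist (spurious)" : "ok");
    printf("fixed layer: %s\n",
           fixed == RENAME_OK ? "renamed foo -> bar" : "error");
    return 0;
}
```

The regression-risk note in the SRU text follows from the same observation: moving the `errno = 0` reset up into the command dispatcher affects every subcommand that passes through it, but since it only clears stale state before the call that is inspected, it cannot turn a real failure into a false success.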
https://bugs.launchpad.net/bugs/1904192
Title:
ebtables can not rename just created chain