Reviewed: https://review.opendev.org/c/openstack/neutron/+/898729
Committed: https://opendev.org/openstack/neutron/commit/1879d925330af5598a105a8893ab6cfda9dc37e6
Submitter: "Zuul (22348)"
Branch: master

commit 1879d925330af5598a105a8893ab6cfda9dc37e6
Author: Rodolfo Alonso Hernandez <[email protected]>
Date:   Mon Oct 16 00:09:50 2023 +0000

    "ebtables-nft" MAC rule deletion failing

    "ebtables-nft" is failing to delete the rule filtering by MAC address:
      Bridge chain: neutronMAC-test-veth024379, entries: 2, policy: DROP
      -i test-veth024379 --among-src fa:16:3e:47:87:0 -j RETURN
      -j DROP

    A workaround for this issue, that works with both "ebtables-nft" and
    "ebtables-legacy", is to flush the table and recreate the DROP rule.
    The MAC spoofing tables have two rules: the one filtering by MAC
    address and the default DROP rule. This workaround has the same
    effect as just deleting the filtering rule.

    Closes-Bug: #2038541
    Change-Id: I38bd016c35d7a76d88c6eceec797d1cea84c45d1

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/2038541

Title:
  LinuxBridgeARPSpoofTestCase functional tests fails with latest jammy kernel 5.15.0-86.96

Status in neutron:
  Fix Released

Bug description:
  Tests fail while running ebtables(['-D', chain] + rule.split()) with:-

  2023-10-05 12:09:19.307 41358 ERROR neutron.agent.linux.utils [None req-defd197a-c4e2-4761-a4cc-cc960a3ff71a - - - - - -] Exit code: 4; Cmd: ['ip', 'netns', 'exec', 'test-b58b5cf9-5018-4801-aacb-8b00fae3fe37', 'ebtables', '-t', 'nat', '--concurrent', '-D', 'neutronMAC-test-veth09e6dc', '-i', 'test-veth09e6dc', '--among-src', 'fa:16:3e:ac:fd:b6', '-j', 'RETURN']; Stdin: ; Stdout: ; Stderr: ebtables v1.8.7 (nf_tables): RULE_DELETE failed (Invalid argument): rule in chain neutronMAC-test-veth09e6dc
  2023-10-05 12:09:29.576 41358 ERROR neutron.agent.linux.utils [None req-defd197a-c4e2-4761-a4cc-cc960a3ff71a - - - - - -] Exit code: 4; Cmd: ['ip', 'netns', 'exec', 'test-b58b5cf9-5018-4801-aacb-8b00fae3fe37', 'ebtables', '-t', 'nat', '--concurrent', '-D', 'neutronMAC-test-veth09e6dc', '-i', 'test-veth09e6dc', '--among-src', 'fa:16:3e:ac:fd:b6', '-j', 'RETURN']; Stdin: ; Stdout: ; Stderr: ebtables v1.8.7 (nf_tables): RULE_DELETE failed (Invalid argument): rule in chain neutronMAC-test-veth09e6dc
  2023-10-05 12:09:50.099 41358 ERROR neutron.agent.linux.utils [None req-defd197a-c4e2-4761-a4cc-cc960a3ff71a - - - - - -] Exit code: 4; Cmd: ['ip', 'netns', 'exec', 'test-b58b5cf9-5018-4801-aacb-8b00fae3fe37', 'ebtables', '-t', 'nat', '--concurrent', '-D', 'neutronMAC-test-veth09e6dc', '-i', 'test-veth09e6dc', '--among-src', 'fa:16:3e:ac:fd:b6', '-j', 'RETURN']; Stdin: ; Stdout: ; Stderr: ebtables v1.8.7 (nf_tables): RULE_DELETE failed (Invalid argument): rule in chain neutronMAC-test-veth09e6dc

  The new kernel includes the changes below, which have triggered this, described in https://launchpad.net/ubuntu/+source/linux/5.15.0-86.96:-
  - netfilter: nf_tables: disallow element updates of bound anonymous sets
  - netfilter: nf_tables: reject unbound anonymous set before commit phase
  - netfilter: nf_tables: reject unbound chain set before commit phase
  - netfilter: nf_tables: disallow updates of anonymous sets

  The following two tests fail:-
  - test_arp_protection_update
  - test_arp_fails_incorrect_mac_protection
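
The flush-and-recreate workaround from the commit message, as an added Python sketch that is not neutron's own code: it first checks that the chain holds exactly the two rules the commit message describes, since flushing only matches a single-rule delete in that case. The names `run_ebtables`, `chain_rules`, `drop_mac_filter` and `FakeEbtables` are hypothetical, and the fake runner is a constructed stand-in so the block runs without root.

```python
import subprocess

BASE = ['ebtables', '-t', 'nat', '--concurrent']  # arguments as in the log above


def run_ebtables(args, namespace=None):
    """Run one ebtables command (needs root); raise on a non-zero exit code."""
    cmd = BASE + list(args)
    if namespace:
        cmd = ['ip', 'netns', 'exec', namespace] + cmd
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def chain_rules(listing):
    """Return the rule lines of an `ebtables -L <chain>` listing."""
    lines = (line.strip() for line in listing.splitlines())
    return [line for line in lines if line and not line.startswith('Bridge ')]


def drop_mac_filter(chain, run=run_ebtables):
    """Remove the MAC filter by flushing the chain and re-adding DROP.

    Flushing is only equivalent to deleting the filter rule when the chain
    holds exactly that rule plus the final DROP, so check that first.
    """
    rules = chain_rules(run(['-L', chain]))
    if len(rules) != 2 or rules[-1] != '-j DROP':
        raise RuntimeError('unexpected rules in %s: %r' % (chain, rules))
    # Two separate ebtables invocations: flush, then restore the DROP rule.
    run(['-F', chain])
    run(['-A', chain, '-j', 'DROP'])
    return chain_rules(run(['-L', chain]))


class FakeEbtables:
    """Constructed stand-in so the example runs without root or ebtables."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.calls = []

    def __call__(self, args, namespace=None):
        self.calls.append(list(args))
        if args[0] == '-F':
            self.rules = []
        elif args[0] == '-A':
            self.rules.append(' '.join(args[2:]))
        return 'Bridge chain: %s, entries: %d, policy: DROP\n%s\n' % (
            args[1], len(self.rules), '\n'.join(self.rules))
```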

