ebtables can not rename just created chain
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
iptables | Unknown | Unknown | |
iptables (Debian) | Fix Released | Unknown | |
iptables (Fedora) | Fix Committed | High | |
iptables (Ubuntu) | Fix Released | Undecided | Alex Murray |
Groovy | Fix Released | Undecided | Alex Murray |
Hirsute | Fix Released | Undecided | Alex Murray |
Bug Description
[SRU]
* Changes that went into 1.8.5 have broken the errno handling.
In particular loading extensions. Due to that it has become
impossible to rename rules.
* Upstream has created a fix and this backports that change to
Ubuntu
=> http://
[Test Case]
* # ebtables -t nat -N foo
# ebtables -t nat -E foo bar
ebtables v1.8.5 (nf_tables): Chain 'foo' doesn't exists
* with the fix the above command sequence works
[Where problems could occur]
* The change moved code from nft_chain_
therefore in theory any ebtables/xtables subcommand could be affected.
Yet what it does is just resetting the error code in a better place, so
while it "could" affect every subcommand it should (tm) not do so.
[Other Info]
* n/a
---
Hi,
I have an issue with ebtables that affects libvirt.
While initially found in hirsute I had to realize this is broken in
Groovy and even Bionic (might be a different reason back then) as well right now.
But working in Focal (which matches my memory of it being good before [1]).
I was isolating the commands that libvirt runs (identical between Focal
and Hirsute) to find a simplified trigger. Gladly I found one that leaves
libvirt and other components out of the equation.
The following works on focal, but fails on the other releases.
Note: I checked which tool is in use and in both cases it is xtables-nft-multi.
/usr/sbin/ebtables -> /etc/alternativ
/etc/alternativ
/usr/sbin/
So I converted the libvirt issued commands into xtables-nft-multi just to be
sure in case a system to compare has other alternatives set.
Focal (Good):
/usr/sbin/
/usr/sbin/
<system is happy>
Groovy/Hirsute (Fail):
/usr/sbin/
/usr/sbin/
ebtables v1.8.5 (nf_tables): Chain 'testrule3' doesn't exists
Try `ebtables -h' or 'ebtables --help' for more information.
What might be the root cause for this?
-- Old test instructions --
As I said I was tracking a fail in libvirt so the test instructions initially
were around that:
# the following is done as 2nd level guest (to not mess with the host,
# but works on bare metal just as much)
uvt-kvm create --host-passthrough --memory 2048 --cpu 4 --disk 16 --password=ubuntu hirsute-kvm release=hirsute arch=amd64 label=daily
# On guest then
sudo apt update
sudo apt install uvtool uvtool-libvirt
uvt-simplestrea
uvt-kvm create --disk 5 --machine-type ubuntu --password=ubuntu hirsute-2nd-lvm release=hirsute arch=amd64 label=daily
uvt-kvm wait hirsute-2nd-lvm
virsh shutdown hirsute-2nd-lvm
virsh edit hirsute-2nd-lvm
# add this to the network
<filterref filter=
<parameter name='CTRL_
</filterref>
virsh start hirsute-2nd-lvm
error: Failed to start domain hirsute-
error: internal error: applyDHCPOnlyRules failed - spoofing not protected!
FYI: Get helpful log details with these in /etc/libvirt/
log_filters=
log_outputs=
-- --
[1]: https:/
Changed in iptables (Fedora):
importance: Unknown → High
status: Unknown → Confirmed
description: updated
Changed in iptables (Ubuntu Groovy):
status: New → In Progress
Changed in iptables (Fedora):
status: Confirmed → Fix Committed
Changed in iptables (Debian):
status: Unknown → Fix Released
Status changed to 'Confirmed' because the bug affects multiple users.
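The errno problem named in the [SRU] section, as an added example that is not part of the report and is not iptables code: a minimal C model of how an errno value left behind by a failed extension probe is misread as "chain doesn't exist", and how resetting errno next to the call avoids it. All function names, the probed path and the one-chain table are hypothetical and constructed for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed one-chain "table"; every name in this file is hypothetical. */
static char chain_name[32] = "foo";
static void reset_store(void) { strcpy(chain_name, "foo"); }

/* Models extension loading: the failed probe is harmless but sets errno. */
static void probe_extension(void)
{
    FILE *f = fopen("/nonexistent/constructed-extension.so", "r");
    if (f) fclose(f);
}

/* Sets errno = ENOENT for an unknown chain; leaves errno alone on success. */
static void chain_rename(const char *from, const char *to)
{
    if (strcmp(chain_name, from) != 0) {
        errno = ENOENT;
        return;
    }
    snprintf(chain_name, sizeof(chain_name), "%s", to);
}

/* Before: errno is inspected without being cleared after the probe. */
static int rename_buggy(const char *from, const char *to)
{
    probe_extension();
    chain_rename(from, to);
    return errno == ENOENT ? -1 : 0; /* stale ENOENT reads as "no such chain" */
}

/* After: errno is reset right before the call whose outcome it reports. */
static int rename_fixed(const char *from, const char *to)
{
    probe_extension();
    errno = 0;
    chain_rename(from, to);
    return errno == ENOENT ? -1 : 0;
}

int main(void)
{
    printf("buggy: %d, chain is now '%s'\n", rename_buggy("foo", "bar"), chain_name);
    reset_store();
    printf("fixed: %d, chain is now '%s'\n", rename_fixed("foo", "bar"), chain_name);
    return 0;
}
```

In the buggy variant the rename itself succeeds and only the reported status is wrong, which is why a caller that relies on the status sees a failure.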