"ebtables-nft" returns error 4 when a new chain is created

Bug #1922892 reported by Rodolfo Alonso
Affects   Status        Importance   Assigned to      Milestone
neutron   Fix Released  Medium       Rodolfo Alonso

Bug Description

When using "ebtables-nft", an intermediate step between the legacy tool "ebtables" and the native implementation of "nft", an error occurs when a new chain is added.

Linux Bridge ARP protection creates two chains per interface, one to prevent the ARP spoofing (filtering the ARP packets by the interface and IP addresses) and another one to prevent the MAC spoofing (filtering by the interface and the MAC addresses).

Those chains have a default DROP rule.

When a new chain is added and no rule is added, the list command returns the following error [1]:
  Bridge chain: a1, entries: 0, policy: DROP
  ebtables v1.8.4 (nf_tables): RULE_DELETE failed (No such file or directory): rule in chain a1

The native "nft" command correctly lists all chains and rules, including the default DROP policy [1].

In order to avoid this error, every time a new table is created, a default DROP rule (redundant with the default policy) can be installed at the end of the chain. That won't interfere with the packet filtering or reduce the performance.

The "ebtables-nft" command should also watch for ProcessExecutionError.returncode = 4, which is returned when listing a chain without rules.

[1] http://paste.openstack.org/show/804237/

Miguel Lavalle (minsel)
Changed in neutron:
status: New → Confirmed
importance: Undecided → Medium
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :
Changed in neutron:
assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/785177
Committed: https://opendev.org/openstack/neutron/commit/0a931391d8990f3e654b4bfda24ae4119c609bbf
Submitter: "Zuul (22348)"
Branch: master

commit 0a931391d8990f3e654b4bfda24ae4119c609bbf
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Wed Apr 7 13:16:21 2021 +0000

    Make ARP protection commands compatible with "ebtables-nft"

    The "nftables" compatible binary, "ebtables-nft", is not 100% compatible
    with the legacy API, as reported in LP#1922892.

    This patch fixes the following issues when using "ebtables-nft" (while
    keeping compatibility with the legacy binary):
    - When a new chain is created, a default DROP rule is added at the end
      of the chain (append). This will prevent the error code 4 when the
      chain is listed.
    - The chain rules are added at the beginning of the chain (insert),
      before the default DROP rule. This will prioritize the port rules.
    - The MAC rules are cleaned before the new ones are added. That will
      prevent the deletion of any new needed rule, now added after the
      deletion.
    - The "ebtables" command will retry on error code 4. This is the
      error returned when the chains are listed and no rule is present
      in a newly created chain (reported in LP#1922892).

    This code is backwards compatible, which means it works with the legacy
    "ebtables" binary; this is currently installed in the Neutron CI [1].
    In order to test with the new binary, "ebtables-nft", two new CI jobs
    are added to the periodic queue [2].

    [1] https://github.com/openstack/neutron/blob/1ad9ca56b07ffdc9f7e0bc6a62af61961b9128eb/roles/legacy_ebtables/tasks/main.yaml
    [2] https://review.opendev.org/c/openstack/neutron/+/785144

    Closes-Bug: #1922892
    Related-Bug: #1508155

    Change-Id: I9463b000f6f63e65aaf91d60b30f6c92c01e3baf

Changed in neutron:
status: Confirmed → Fix Released
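The fix strategy described in the bug report and in the commit above, as an added example that is not Neutron's own code: a constructed in-memory FakeEbtables executor reproduces return code 4 when a rule-less chain is listed, and the helpers create each chain with the redundant trailing DROP, insert the port's rules at the front, and retry only on that return code. The chain name, interface name and IP address used in the test are constructed; cleaning a chain is simplified to a flush.

```python
class ProcessExecutionError(Exception):
    """Mirrors the error Neutron's executor raises; carries the return code."""
    def __init__(self, returncode, message):
        super().__init__(message)
        self.returncode = returncode

EMPTY_CHAIN_RC = 4  # rc of "ebtables -L <chain>" on a rule-less chain (bug report)

class FakeEbtables:
    """Constructed in-memory stand-in for ebtables-nft that reproduces the quirk."""
    def __init__(self):
        self.chains = {}  # chain name -> ordered list of rule strings

    def __call__(self, args):
        op, chain, rest = args[0], args[1], ' '.join(args[2:])
        if op == '-N':
            self.chains.setdefault(chain, [])
        elif op == '-A':
            self.chains[chain].append(rest)
        elif op == '-I':
            self.chains[chain].insert(0, rest)
        elif op == '-F':
            self.chains[chain] = []
        elif op == '-L' and not self.chains[chain]:  # the reported failure
            raise ProcessExecutionError(EMPTY_CHAIN_RC, 'RULE_DELETE failed: ' + chain)
        return list(self.chains[chain])

def ebtables(args, execute, attempts=3):
    """Run one ebtables command; retry only on the empty-chain return code."""
    for attempt in range(attempts):
        try:
            return execute(args)
        except ProcessExecutionError as exc:
            if exc.returncode != EMPTY_CHAIN_RC or attempt == attempts - 1:
                raise

def ensure_chain(execute, chain):
    """Create a DROP-policy chain and append the redundant explicit DROP rule."""
    ebtables(['-N', chain, '-P', 'DROP'], execute)
    ebtables(['-A', chain, '-j', 'DROP'], execute)

def set_port_rules(execute, chain, rules):
    """Clean the chain (flush is a simplification), restore the trailing DROP,
    then insert the port's allow rules at the front so they match first."""
    ebtables(['-F', chain], execute)
    ebtables(['-A', chain, '-j', 'DROP'], execute)
    for rule in rules:
        ebtables(['-I', chain] + rule, execute)
    return ebtables(['-L', chain], execute)
```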
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/785917
Committed: https://opendev.org/openstack/neutron/commit/dd40bac8b54a7f1c05a573d915c705b0539f0d8f
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit dd40bac8b54a7f1c05a573d915c705b0539f0d8f
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Wed Apr 7 13:16:21 2021 +0000

    Make ARP protection commands compatible with "ebtables-nft"

    Closes-Bug: #1922892
    Related-Bug: #1508155

    Change-Id: I9463b000f6f63e65aaf91d60b30f6c92c01e3baf
    (cherry picked from commit 0a931391d8990f3e654b4bfda24ae4119c609bbf)

tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/785144
Committed: https://opendev.org/openstack/neutron/commit/f7d2c3608d1fa6cbc8c562f9121ec0f0d80c3962
Submitter: "Zuul (22348)"
Branch: master

commit f7d2c3608d1fa6cbc8c562f9121ec0f0d80c3962
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Wed Apr 7 10:56:09 2021 +0000

    Add periodic jobs to test "nftables" binaries

    In order to check how the "nftables" binaries work with Neutron, two
    new jobs have been added to the periodic queue:
    - neutron-tempest-plugin-scenario-linuxbridge-nftables
    - neutron-tempest-plugin-scenario-openvswitch-iptables_hybrid-nftables

    In those two jobs, the binaries for "iptables", "ip6tables",
    "arptables" and "ebtables" are replaced with the "nftables"
    counterparts; by default, newer operating systems use the "nftables"
    versions, providing the legacy API to the user but executing the
    new packet handling in Netfilter.

    Change-Id: Idec6d480886298f6d71b1dd649c9255ee6b7bebb
    Related-Bug: #1508155
    Related-Bug: #1922892

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by "Rodolfo Alonso <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/775413
Reason: tested patches already merged

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 18.1.0

This issue was fixed in the openstack/neutron 18.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/neutron/+/804056

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/neutron/+/804057

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/neutron/+/804058

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/804056
Committed: https://opendev.org/openstack/neutron/commit/fafa5dacd5057120562184a734e7345e7c0e9639
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit fafa5dacd5057120562184a734e7345e7c0e9639
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Wed Apr 7 13:16:21 2021 +0000

    Make ARP protection commands compatible with "ebtables-nft"

    Closes-Bug: #1922892
    Related-Bug: #1508155
    Closes-Bug: #1938670

    Conflicts:
        neutron/tests/unit/plugins/ml2/drivers/linuxbridge/agent/test_arp_protect.py

    Change-Id: I9463b000f6f63e65aaf91d60b30f6c92c01e3baf
    (cherry picked from commit 0a931391d8990f3e654b4bfda24ae4119c609bbf)

tags: added: in-stable-victoria
tags: added: in-stable-ussuri
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/804057
Committed: https://opendev.org/openstack/neutron/commit/f034de001ba224c3add364ca5d00cc15e26c2e96
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit f034de001ba224c3add364ca5d00cc15e26c2e96
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Wed Apr 7 13:16:21 2021 +0000

    Make ARP protection commands compatible with "ebtables-nft"

    Closes-Bug: #1922892
    Related-Bug: #1508155
    Closes-Bug: #1938670

    Conflicts:
        neutron/tests/unit/plugins/ml2/drivers/linuxbridge/agent/test_arp_protect.py

    Change-Id: I9463b000f6f63e65aaf91d60b30f6c92c01e3baf
    (cherry picked from commit 0a931391d8990f3e654b4bfda24ae4119c609bbf)
    (cherry picked from commit fafa5dacd5057120562184a734e7345e7c0e9639)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/train)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/804058
Committed: https://opendev.org/openstack/neutron/commit/4245963c71280bebd94e9005230d610931a7c2df
Submitter: "Zuul (22348)"
Branch: stable/train

commit 4245963c71280bebd94e9005230d610931a7c2df
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Wed Apr 7 13:16:21 2021 +0000

    Make ARP protection commands compatible with "ebtables-nft"

    Closes-Bug: #1922892
    Related-Bug: #1508155
    Closes-Bug: #1938670

    Conflicts:
        neutron/tests/unit/plugins/ml2/drivers/linuxbridge/agent/test_arp_protect.py

    Change-Id: I9463b000f6f63e65aaf91d60b30f6c92c01e3baf
    (cherry picked from commit 0a931391d8990f3e654b4bfda24ae4119c609bbf)
    (cherry picked from commit fafa5dacd5057120562184a734e7345e7c0e9639)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 16.4.1

This issue was fixed in the openstack/neutron 16.4.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 17.2.1

This issue was fixed in the openstack/neutron 17.2.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 19.0.0.0rc1

This issue was fixed in the openstack/neutron 19.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron train-eol

This issue was fixed in the openstack/neutron train-eol release.
