"ebtables-nft" returns error 4 when a new chain is created
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Fix Released
|
Medium
|
Rodolfo Alonso |
Bug Description
When using "ebtables-nft", an intermediate step between the legacy tool "ebtables" and the native implementation of "nft", an error occurs when a new chain is added.
Linux Bridge ARP protection creates two chains per interface, one to prevent the ARP spoofing (filtering the APR packets by the interface and IP addresses) and another one to prevent the MAC spoofing (filtering by the interface and the MAC addresses).
Those chains have a default DROP rule.
When a new chain is added and no rule is added, the list command returns the following error [1]:
Bridge chain: a1, entries: 0, policy: DROP
ebtables v1.8.4 (nf_tables): RULE_DELETE failed (No such file or directory): rule in chain a1
The native "nft" command correctly list all chains and rules, including the default DROP policy [1].
In order to avoid this error, every time a new table is created, a default DROP rule (redundant with the default policy) can be installed at the end of the chain. That won't interfere with the packet filtering or reduce the performance.
The "ebtable-nft" command should also watch for the ProcessExecutio
Changed in neutron: | |
status: | New → Confirmed |
importance: | Undecided → Medium |
Patch: https:/ /review. opendev. org/c/openstack /neutron/ +/785177