Date | Who | What | Change
2020-11-13 12:01:07 | Christian Ehrhardt | bug | added bug
2020-11-13 14:49:50 | Oibaf | bug watch added | http://bugzilla.netfilter.org/show_bug.cgi?id=1481
2020-11-13 14:49:50 | Oibaf | bug task added | iptables
2020-11-13 14:50:05 | Launchpad Janitor | iptables (Ubuntu): status | New -> Confirmed
2020-11-15 23:11:29 | Alex Murray | bug | added subscriber Alex Murray
2020-11-16 07:45:56 | Oibaf | bug | added subscriber Oibaf
2020-11-16 16:09:40 | Christian Ehrhardt | bug watch added | https://bugzilla.redhat.com/show_bug.cgi?id=1898130
2020-11-16 16:09:40 | Christian Ehrhardt | bug task added | iptables (Fedora)
2020-11-16 16:25:51 | Bug Watch Updater | iptables (Fedora): status | Unknown -> Confirmed
2020-11-16 16:25:51 | Bug Watch Updater | iptables (Fedora): importance | Unknown -> High
2020-11-17 13:59:14 | Christian Ehrhardt | nominated for series | Ubuntu Groovy
2020-11-17 13:59:14 | Christian Ehrhardt | bug task added | iptables (Ubuntu Groovy)
2020-11-17 14:04:35 | Christian Ehrhardt | description | old value and new value below

Old value (the original report):

Hi,
I have an issue with ebtables that affects libvirt.
While initially found in hirsute I had to realize this is broken in
Groovy and even Bionic (might be a different reason back then) as well right now.
But working in Focal (which matches my memory of it being good before [1]).
I was isolating the commands that libvirt runs (identical between Focal
and Hirsute) to find a simplified trigger. Gladly I found one that leaves
libvirt and other components out of the equation.
The following works on focal, but fails on the other releases.
Note: I checked which tool is in use and in both cases it is xtables-nft-multi.
/usr/sbin/ebtables -> /etc/alternatives/ebtables*
/etc/alternatives/ebtables -> /usr/sbin/ebtables-nft*
/usr/sbin/ebtables-nft -> xtables-nft-multi*
So I converted the libvirt issued commands into xtables-nft-multi just to be
sure in case a system to compare has other alternatives set.
Focal (Good):
/usr/sbin/xtables-nft-multi ebtables --concurrent -t nat -N testrule3
/usr/sbin/xtables-nft-multi ebtables --concurrent -t nat -E testrule3 testrule3-renamed
<system is happy>
Groovy/Hirsute (Fail):
/usr/sbin/xtables-nft-multi ebtables --concurrent -t nat -N testrule3
/usr/sbin/xtables-nft-multi ebtables --concurrent -t nat -E testrule3 testrule3-renamed
ebtables v1.8.5 (nf_tables): Chain 'testrule3' doesn't exists
Try `ebtables -h' or 'ebtables --help' for more information.
What might be the root cause for this?
-- Old test instructions --
As I said I was tracking a fail in libvirt so the test instructions initially
were around that:
# the following is done as 2nd level guest (to not mess with the host,
# but works on bare metal just as much)
uvt-kvm create --host-passthrough --memory 2048 --cpu 4 --disk 16 --password=ubuntu hirsute-kvm release=hirsute arch=amd64 label=daily
# On guest then
sudo apt update
sudo apt install uvtool uvtool-libvirt
uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=hirsute
uvt-kvm create --disk 5 --machine-type ubuntu --password=ubuntu hirsute-2nd-lvm release=hirsute arch=amd64 label=daily
uvt-kvm wait hirsute-2nd-lvm
virsh shutdown hirsute-2nd-lvm
virsh edit hirsute-2nd-lvm
# add this to the network
<filterref filter='clean-traffic'>
<parameter name='CTRL_IP_LEARNING' value='dhcp'/>
</filterref>
virsh start hirsute-2nd-lvm
error: Failed to start domain hirsute-2nd-nwfilter
error: internal error: applyDHCPOnlyRules failed - spoofing not protected!
FYI: Get helpful log details with these in /etc/libvirt/libvirtd.conf
log_filters="1:util.firewall"
log_outputs="1:syslog:libvirtd"
-- --
[1]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1758037

New value (the [SRU] block below, followed by "---" and the original report text above, unchanged):

[SRU]
* Changes that went into 1.8.5 have broken the errno handling.
In particular loading extensions. Due to that it has become
impossible to rename rules.
* Upstream has created a fix and this backports that change to
Ubuntu
=> http://git.netfilter.org/iptables/commit/?id=55b7c71dce7144f4dc0297c17abf0f04879ee247
[Test Case]
* # ebtables -t nat -N foo
# ebtables -t nat -E foo bar
ebtables v1.8.5 (nf_tables): Chain 'foo' doesn't exists
* with the fix the above command sequence works
[Where problems could occur]
* The change moved code from nft_chain_user_rename to do_commandeb and
therefore in theory any ebtables/xtables subcommand could be affected.
Yet what it does is just resetting the error code in a better place, so
while it "could" affect every subcommand it should (tm) not do so.
[Other Info]
* n/a
---
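The [Where problems could occur] entry describes the fix as resetting the error code in a better place. As an added illustration, not code from this bug, from iptables or from libvirt, the C program below shows the general pattern behind that class of bug: a helper that leaves errno set as a side effect of a harmless failed probe, a command handler that clears errno too early and so misreads the stale value as "chain doesn't exist", and the hardened handler that clears errno immediately before the one call whose errno it actually consults. The in-memory chain table and the functions load_optional_extension, queue_rename, rename_chain_buggy and rename_chain_fixed are constructed stand-ins, not iptables functions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed in-memory chain table standing in for a ruleset. */
#define MAX_CHAINS 8
#define NAME_LEN 32
static char chains[MAX_CHAINS][NAME_LEN];
static int nchains;

/* Pending batch entry: a rename is applied only on commit. */
static int pending_idx = -1;
static char pending_name[NAME_LEN];

static int find_chain(const char *name)
{
    for (int i = 0; i < nchains; i++)
        if (strcmp(chains[i], name) == 0)
            return i;
    return -1;
}

int add_chain(const char *name)
{
    if (nchains >= MAX_CHAINS || find_chain(name) >= 0)
        return -1;
    snprintf(chains[nchains++], NAME_LEN, "%s", name);
    return 0;
}

int chain_exists(const char *name)
{
    return find_chain(name) >= 0;
}

/* Stand-in for loading an optional extension: probing a file that is not
 * there fails and, like any failed open()/dlopen(), leaves errno set even
 * though the caller treats the missing extension as harmless. */
static void load_optional_extension(void)
{
    FILE *f = fopen("/nonexistent/constructed-extension-probe", "r");
    if (f)
        fclose(f);
    /* errno is now ENOENT; nothing here clears it. */
}

/* Batch-style primitive: queues the rename and reports a missing source
 * chain only through errno, so callers must zero errno right before it. */
static void queue_rename(const char *from, const char *to)
{
    int i = find_chain(from);
    if (i < 0) {
        errno = ENOENT;
        return;
    }
    pending_idx = i;
    snprintf(pending_name, NAME_LEN, "%s", to);
}

static void commit_batch(void)
{
    if (pending_idx >= 0)
        snprintf(chains[pending_idx], NAME_LEN, "%s", pending_name);
    pending_idx = -1;
}

static void abort_batch(void)
{
    pending_idx = -1;
}

/* Buggy handler: errno is cleared before the extension load that clobbers
 * it, so the stale ENOENT is misread and an existing chain is refused.
 * Returns 0 on success, -1 when the chain is reported missing. */
int rename_chain_buggy(const char *from, const char *to)
{
    errno = 0;                  /* reset in the wrong place */
    load_optional_extension();  /* leaves errno == ENOENT */
    queue_rename(from, to);     /* succeeds and does not touch errno */
    if (errno == ENOENT) {
        abort_batch();
        fprintf(stderr, "buggy: Chain '%s' doesn't exist\n", from);
        return -1;
    }
    commit_batch();
    return 0;
}

/* Fixed handler: errno is cleared immediately before the only call whose
 * errno value is consulted, so an earlier side effect cannot leak in. */
int rename_chain_fixed(const char *from, const char *to)
{
    load_optional_extension();
    errno = 0;                  /* reset right where it matters */
    queue_rename(from, to);
    if (errno == ENOENT) {
        abort_batch();
        fprintf(stderr, "fixed: Chain '%s' doesn't exist\n", from);
        return -1;
    }
    commit_batch();
    return 0;
}

int main(void)
{
    add_chain("foo");
    printf("buggy rename foo->bar: %s\n",
           rename_chain_buggy("foo", "bar") == 0 ? "renamed" : "refused");
    printf("fixed rename foo->bar: %s\n",
           rename_chain_fixed("foo", "bar") == 0 ? "renamed" : "refused");
    printf("chain 'bar' exists: %d\n", chain_exists("bar"));
    return 0;
}
```

The consequence visible in the report is why this matters beyond tidiness: libvirt's nwfilter setup treats the refused rename as a hard failure and aborts domain start with "spoofing not protected!", so a stale errno turns into a guest that cannot boot with its anti-spoofing filter. The check-after-clear idiom (errno = 0 immediately before the call, test immediately after) is the same one required for any libc routine whose return value alone cannot distinguish "absent" from "failed".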
2020-11-18 01:00:16 | Alex Murray | iptables (Ubuntu Groovy): assignee | -> Alex Murray (alexmurray)
2020-11-18 07:34:51 | Christian Ehrhardt | bug watch added | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975028
2020-11-18 07:34:51 | Christian Ehrhardt | bug task added | iptables (Debian)
2020-11-18 07:35:00 | Christian Ehrhardt | iptables (Ubuntu Groovy): status | New -> In Progress
2020-11-18 21:42:09 | Bug Watch Updater | iptables (Fedora): status | Confirmed -> Fix Committed
2020-11-18 22:22:41 | Jamie Strandboge | iptables (Ubuntu): status | Confirmed -> Fix Committed
2020-11-18 22:22:53 | Jamie Strandboge | iptables (Ubuntu): assignee | -> Alex Murray (alexmurray)
2020-11-24 07:18:24 | Launchpad Janitor | iptables (Ubuntu): status | Fix Committed -> Fix Released
2020-11-24 09:56:51 | Alex Murray | bug | added subscriber Ubuntu Stable Release Updates Team
2020-11-25 00:55:57 | Alex Murray | nominated for series | Ubuntu Hirsute
2020-11-25 00:55:57 | Alex Murray | bug task added | iptables (Ubuntu Hirsute)
2020-11-30 10:41:56 | Łukasz Zemczak | iptables (Ubuntu Groovy): status | In Progress -> Fix Committed
2020-11-30 10:41:59 | Łukasz Zemczak | bug | added subscriber SRU Verification
2020-11-30 10:42:03 | Łukasz Zemczak | tags | -> verification-needed verification-needed-groovy
2020-11-30 12:35:23 | Christian Ehrhardt | tags | verification-needed verification-needed-groovy -> verification-done verification-done-groovy
2020-12-07 09:33:23 | Łukasz Zemczak | removed subscriber Ubuntu Stable Release Updates Team
2020-12-07 09:43:26 | Launchpad Janitor | iptables (Ubuntu Groovy): status | Fix Committed -> Fix Released
2021-02-25 12:21:30 | Bug Watch Updater | iptables (Debian): status | Unknown -> Fix Released