Activity log for bug #1904192

Date Who What changed Old value New value Message
2020-11-13 12:01:07 Christian Ehrhardt  bug added bug
2020-11-13 14:49:50 Oibaf bug watch added http://bugzilla.netfilter.org/show_bug.cgi?id=1481
2020-11-13 14:49:50 Oibaf bug task added iptables
2020-11-13 14:50:05 Launchpad Janitor iptables (Ubuntu): status New Confirmed
2020-11-15 23:11:29 Alex Murray bug added subscriber Alex Murray
2020-11-16 07:45:56 Oibaf bug added subscriber Oibaf
2020-11-16 16:09:40 Christian Ehrhardt  bug watch added https://bugzilla.redhat.com/show_bug.cgi?id=1898130
2020-11-16 16:09:40 Christian Ehrhardt  bug task added iptables (Fedora)
2020-11-16 16:25:51 Bug Watch Updater iptables (Fedora): status Unknown Confirmed
2020-11-16 16:25:51 Bug Watch Updater iptables (Fedora): importance Unknown High
2020-11-17 13:59:14 Christian Ehrhardt  nominated for series Ubuntu Groovy
2020-11-17 13:59:14 Christian Ehrhardt  bug task added iptables (Ubuntu Groovy)
2020-11-17 14:04:35 Christian Ehrhardt  description Hi, I have an issue with ebtables that affects libvirt. While initially found in hirsute I had to realize this is broken in Groovy and even Bionic (might be a different reason back then) as well right now. But working in Focal (witch matches my memory of it being good before [1]). I was isolating the commands that libvirt runs (identical between Focal and Hirsute) to find a simplified trigger. Gladly I found one that leaves libvirt and other components out of the equation. The following works on focal, but fails on the other releases. Note: I checked which tool is in use and in both cases it is xtables-nft-multi. /usr/sbin/ebtables -> /etc/alternatives/ebtables* /etc/alternatives/ebtables -> /usr/sbin/ebtables-nft* /usr/sbin/ebtables-nft -> xtables-nft-multi* So I converted the libvirt issued commands into xtables-nft-multi just to be sure in case a system to compare has other alternatives set. Focal (Good): /usr/sbin/xtables-nft-multi ebtables --concurrent -t nat -N testrule3 /usr/sbin/xtables-nft-multi ebtables --concurrent -t nat -E testrule3 testrule3-renamed <system is happy> Groovy/Hirsute (Fail): /usr/sbin/xtables-nft-multi ebtables --concurrent -t nat -N testrule3 /usr/sbin/xtables-nft-multi ebtables --concurrent -t nat -E testrule3 testrule3-renamed ebtables v1.8.5 (nf_tables): Chain 'testrule3' doesn't exists Try `ebtables -h' or 'ebtables --help' for more information. What might be the root cause for this? -- Old test instructions -- As I said I was tracking a fail in libvirt so the test instructions initially were around that: # the following us done as 2nd level guest (to not mess with the host, # but works on bare metal jst as much) uvt-kvm create --host-passthrough --memory 2048 --cpu 4 --disk 16 --password=ubuntu hirsute-kvm release=hirsute arch=amd64 label=daily # On guest then sudo apt update sudo apt install uvtool uvtool-libvirt uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=hirsute uvt-kvm create --disk 5 --machine-type ubuntu --password=ubuntu hirsute-2nd-lvm release=hirsute arch=amd64 label=daily uvt-kvm wait hirsute-2nd-lvm virsh shutdown hirsute-2nd-lvm virsh edit hirsute-2nd-lvm # add this to the network <filterref filter='clean-traffic'> <parameter name='CTRL_IP_LEARNING' value='dhcp'/> </filterref> virsh start hirsute-2nd-lvm error: Failed to start domain hirsute-2nd-nwfilter error: internal error: applyDHCPOnlyRules failed - spoofing not protected! FYI: Get helpful log details with these in /etc/libvirt/libvirtd.conf log_filters="1:util.firewall" log_outputs="1:syslog:libvirtd" -- -- [1]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1758037 [SRU] * Changes that went into 1.8.5 ave broken the errno handling. In particular loading extensions. Due to that it has become impossible to rename rules. * Upstream has created a fix and this backports that change to Ubuntu => http://git.netfilter.org/iptables/commit/?id=55b7c71dce7144f4dc0297c17abf0f04879ee247 [Test Case] * # ebtables -t nat -N foo # ebtables -t nat -E foo bar ebtables v1.8.5 (nf_tables): Chain 'foo' doesn't exists * with the fix the above command sequence works [Where problems could occur] * The change moved code from nft_chain_user_rename to do_commandeb and therefore in theory any ebtables/xtables subcommand could be affected. Yet what it does is just resetting the error code in a better place, so while it "could" affect every subcommand it should (tm) not do so. [Other Info] * n/a --- Hi, I have an issue with ebtables that affects libvirt. While initially found in hirsute I had to realize this is broken in Groovy and even Bionic (might be a different reason back then) as well right now. But working in Focal (witch matches my memory of it being good before [1]). I was isolating the commands that libvirt runs (identical between Focal and Hirsute) to find a simplified trigger. Gladly I found one that leaves libvirt and other components out of the equation. The following works on focal, but fails on the other releases. Note: I checked which tool is in use and in both cases it is xtables-nft-multi. /usr/sbin/ebtables -> /etc/alternatives/ebtables* /etc/alternatives/ebtables -> /usr/sbin/ebtables-nft* /usr/sbin/ebtables-nft -> xtables-nft-multi* So I converted the libvirt issued commands into xtables-nft-multi just to be sure in case a system to compare has other alternatives set. Focal (Good): /usr/sbin/xtables-nft-multi ebtables --concurrent -t nat -N testrule3 /usr/sbin/xtables-nft-multi ebtables --concurrent -t nat -E testrule3 testrule3-renamed <system is happy> Groovy/Hirsute (Fail): /usr/sbin/xtables-nft-multi ebtables --concurrent -t nat -N testrule3 /usr/sbin/xtables-nft-multi ebtables --concurrent -t nat -E testrule3 testrule3-renamed ebtables v1.8.5 (nf_tables): Chain 'testrule3' doesn't exists Try `ebtables -h' or 'ebtables --help' for more information. What might be the root cause for this? -- Old test instructions -- As I said I was tracking a fail in libvirt so the test instructions initially were around that: # the following us done as 2nd level guest (to not mess with the host, # but works on bare metal jst as much) uvt-kvm create --host-passthrough --memory 2048 --cpu 4 --disk 16 --password=ubuntu hirsute-kvm release=hirsute arch=amd64 label=daily # On guest then sudo apt update sudo apt install uvtool uvtool-libvirt uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=hirsute uvt-kvm create --disk 5 --machine-type ubuntu --password=ubuntu hirsute-2nd-lvm release=hirsute arch=amd64 label=daily uvt-kvm wait hirsute-2nd-lvm virsh shutdown hirsute-2nd-lvm virsh edit hirsute-2nd-lvm # add this to the network       <filterref filter='clean-traffic'>         <parameter name='CTRL_IP_LEARNING' value='dhcp'/>       </filterref> virsh start hirsute-2nd-lvm   error: Failed to start domain hirsute-2nd-nwfilter   error: internal error: applyDHCPOnlyRules failed - spoofing not protected! FYI: Get helpful log details with these in /etc/libvirt/libvirtd.conf log_filters="1:util.firewall" log_outputs="1:syslog:libvirtd" -- -- [1]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1758037
2020-11-18 01:00:16 Alex Murray iptables (Ubuntu Groovy): assignee Alex Murray (alexmurray)
2020-11-18 07:34:51 Christian Ehrhardt  bug watch added https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975028
2020-11-18 07:34:51 Christian Ehrhardt  bug task added iptables (Debian)
2020-11-18 07:35:00 Christian Ehrhardt  iptables (Ubuntu Groovy): status New In Progress
2020-11-18 21:42:09 Bug Watch Updater iptables (Fedora): status Confirmed Fix Committed
2020-11-18 22:22:41 Jamie Strandboge iptables (Ubuntu): status Confirmed Fix Committed
2020-11-18 22:22:53 Jamie Strandboge iptables (Ubuntu): assignee Alex Murray (alexmurray)
2020-11-24 07:18:24 Launchpad Janitor iptables (Ubuntu): status Fix Committed Fix Released
2020-11-24 09:56:51 Alex Murray bug added subscriber Ubuntu Stable Release Updates Team
2020-11-25 00:55:57 Alex Murray nominated for series Ubuntu Hirsute
2020-11-25 00:55:57 Alex Murray bug task added iptables (Ubuntu Hirsute)
2020-11-30 10:41:56 Łukasz Zemczak iptables (Ubuntu Groovy): status In Progress Fix Committed
2020-11-30 10:41:59 Łukasz Zemczak bug added subscriber SRU Verification
2020-11-30 10:42:03 Łukasz Zemczak tags verification-needed verification-needed-groovy
2020-11-30 12:35:23 Christian Ehrhardt  tags verification-needed verification-needed-groovy verification-done verification-done-groovy
2020-12-07 09:33:23 Łukasz Zemczak removed subscriber Ubuntu Stable Release Updates Team
2020-12-07 09:43:26 Launchpad Janitor iptables (Ubuntu Groovy): status Fix Committed Fix Released