[pve-devel] Bug #2193

Christian Ebner c.ebner at proxmox.com
Tue Apr 30 18:51:33 CEST 2019


It seems that the ARP filtering with ebtables introduced a bug:
https://bugzilla.proxmox.com/show_bug.cgi?id=2193

After some digging, it turned out that the problem is that ebtables masks the provided arp-ip-src address.
So while the provided rule looks like this:
-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.1/24 -j RETURN
the output of ebtables-save looks like this:
-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.0/24 -j RETURN
Note the change from 1 to 0 in the IP address.

This leads to different hashes and therefore the firewall service spams the log with errors, because of seemingly not applied rules.

@Alexandre: Is the assumption correct that you simply want to allow only the one source IP, here 10.0.0.1?
If so, we should change the corresponding rule to one without a CIDR suffix, e.g.
-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.1 -j RETURN
in which case ebtables does not mangle the rule and the hash should be equal.
Also, note that the $pve_ebtables_chainname_regex must probably be updated to include the -ARP suffix.
If you want I can provide a patch for this, if your intention was different please let us know.

---

Best regards,
Christian Ebner
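The following is an added Python illustration of the mismatch described in the mail, not code from pve-firewall (which is written in Perl); it applies the same network masking ebtables performs on a CIDR-suffixed --arp-ip-src value before comparing hashes, using the two rule lines quoted above as constructed input. The SHA-256 digest stands in for whatever hash the firewall daemon actually uses and is an assumption.

```python
import hashlib
import ipaddress
import re

# Constructed sample, taken from the rule lines quoted in the mail:
# what pve-firewall generates versus what ebtables-save prints back.
GENERATED_RULE = "-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.1/24 -j RETURN"
SAVED_RULE = "-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.0/24 -j RETURN"

# Matches the option name plus its value for both the src and dst variants.
ARP_IP_RE = re.compile(r"(--arp-ip-(?:src|dst)\s+)(\S+)")


def normalize_arp_ip(rule: str) -> str:
    """Rewrite --arp-ip-src/--arp-ip-dst values the way ebtables stores them.

    A value with a CIDR suffix is masked to its network address
    (10.0.0.1/24 -> 10.0.0.0/24). A bare address has no mask to apply and
    is left untouched, which is why a rule without a suffix round-trips.
    """
    def mask(m: re.Match) -> str:
        option, value = m.group(1), m.group(2)
        if "/" not in value:
            return option + value
        # strict=False applies the prefix mask instead of rejecting host bits.
        return option + str(ipaddress.ip_network(value, strict=False))
    return ARP_IP_RE.sub(mask, rule)


def strip_cidr_suffix(rule: str) -> str:
    """Apply the fix proposed in the mail: drop the /NN suffix so that only
    the single host address remains and ebtables has nothing to mask."""
    return re.sub(r"(--arp-ip-(?:src|dst)\s+)([^\s/]+)/\d+", r"\1\2", rule)


def rule_hash(rule: str) -> str:
    """Hash a rule line; SHA-256 is an assumption, not pve-firewall's scheme."""
    return hashlib.sha256(rule.encode()).hexdigest()


def rules_match(generated: str, saved: str) -> bool:
    """True when the generated rule, once normalized like ebtables would store
    it, hashes to the same value as the line read back from ebtables-save."""
    return rule_hash(normalize_arp_ip(generated)) == rule_hash(saved)


if __name__ == "__main__":
    print("raw hashes equal:", rule_hash(GENERATED_RULE) == rule_hash(SAVED_RULE))
    print("normalized match:", rules_match(GENERATED_RULE, SAVED_RULE))
    print("host-only rule:  ", strip_cidr_suffix(GENERATED_RULE))
```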