[pve-devel] Bug #2193
Alexandre DERUMIER
aderumier at odiso.com
Tue Apr 30 19:54:48 CEST 2019
>>@Alexandre: Is the assumption correct, that you simply want to allow only the one source IP, here 10.0.0.1?
If I remember correctly, I'm using the netX IP interface from ct.conf + the ipfilter IP addresses from ct.fw.
Can you send both configuration files?
----- Original Message -----
From: "Christian Ebner" <c.ebner at proxmox.com>
To: "Alexandre Derumier" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Tuesday 30 April 2019 18:51:33
Subject: Bug #2193
It seems that the ARP filtering with ebtables introduced a bug:
https://bugzilla.proxmox.com/show_bug.cgi?id=2193
After some digging, it turned out that the problem is that ebtables masks the provided arp-ip-src address.
So while the provided rule looks like this:
-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.1/24 -j RETURN
the output of ebtables-save looks like this:
-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.0/24 -j RETURN
note the change from 1 to 0 for the IP address.
This leads to different hashes, and therefore the firewall service spams the log with errors because the rules seemingly were not applied.
@Alexandre: Is the assumption correct, that you simply want to allow only the one source IP, here 10.0.0.1?
If so we should change the corresponding rule to one without CIDR suffix, e.g.
-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.1 -j RETURN
in which case ebtables does not mangle the rule and the hash should be equal.
Also, note that the $pve_ebtables_chainname_regex probably must be updated to include the -ARP suffix.
If you want I can provide a patch for this, if your intention was different please let us know.
---
Best regards,
Christian Ebner
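To make the hash mismatch described in the report concrete, here is an added example (not code from Proxmox or from anyone in this thread) that models the round trip: ebtables clears the host bits of an --arp-ip-src address that carries a CIDR suffix, so a rule text hashed before loading no longer matches what ebtables-save prints afterwards. The sample rules are constructed from the ones quoted above plus the proposed no-suffix variant; the function names, the regex, and hashing the joined rule text with SHA-1 are assumptions made for the illustration, not the firewall service's actual implementation. The no-suffix case reproduces the expectation stated in the mail (the address is left untouched), and the helper `has_host_bits` is the pre-flight check one would want: it flags any rule that ebtables will rewrite before it is loaded.

```python
import hashlib
import ipaddress
import re

# Constructed sample rules: the one from the bug report and the proposed fix.
REQUESTED_RULES = [
    "-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.1/24 -j RETURN",
    "-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.1 -j RETURN",
]

# Matches the address argument of --arp-ip-src / --arp-ip-dst (assumed option names
# as used in the report; ARP carries IPv4 only).
ARP_IP_OPT = re.compile(r"(--arp-ip-(?:src|dst)\s+)(\S+)")


def mask_arp_ip(addr: str) -> str:
    """Return the address as ebtables-save prints it (model of the behaviour
    described in the report): with a CIDR suffix the host bits are cleared,
    e.g. 10.0.0.1/24 -> 10.0.0.0/24; without a suffix the address is kept."""
    if "/" not in addr:
        return addr
    net = ipaddress.IPv4Network(addr, strict=False)
    return f"{net.network_address}/{net.prefixlen}"


def has_host_bits(addr: str) -> bool:
    """True if the CIDR has host bits set, i.e. ebtables will rewrite it."""
    if "/" not in addr:
        return False
    ip_str, prefix = addr.split("/", 1)
    net = ipaddress.IPv4Network(addr, strict=False)
    return ipaddress.IPv4Address(ip_str) != net.network_address and int(prefix) < 32


def canonicalize_rule(rule: str) -> str:
    """Rewrite every --arp-ip-* argument the way ebtables-save would print it."""
    return ARP_IP_OPT.sub(lambda m: m.group(1) + mask_arp_ip(m.group(2)), rule)


def rule_hash(rules) -> str:
    """Hypothetical rule-set hash: SHA-1 over the newline-joined rule text."""
    return hashlib.sha1("\n".join(rules).encode()).hexdigest()


def rules_match(requested, saved) -> bool:
    """Does the hash of the rules we asked for equal the hash of what was saved?"""
    return rule_hash(requested) == rule_hash(saved)


def rewritten_addresses(rule: str):
    """List the --arp-ip-* addresses in a rule that would not survive the round trip."""
    return [addr for _, addr in ARP_IP_OPT.findall(rule) if has_host_bits(addr)]


if __name__ == "__main__":
    for rule in REQUESTED_RULES:
        saved = canonicalize_rule(rule)
        print(f"requested: {rule}")
        print(f"saved:     {saved}")
        print(f"hash match: {rules_match([rule], [saved])}, "
              f"would be rewritten: {rewritten_addresses(rule)}")
```

Running it shows the /24 rule coming back with the address 10.0.0.0 and a different hash, while the rule without a suffix round-trips unchanged. A firewall daemon that compares hashes of rule text against the ebtables-save output therefore has two options: emit rules that are already in canonical form (the fix proposed above), or canonicalize the requested rules with the same masking before hashing.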