[pve-devel] Bug #2193

Alexandre DERUMIER aderumier at odiso.com
Thu May 2 06:42:34 CEST 2019


OK, got it: we need to send the IP without a mask or with /32,

or ebtables converts it.

----- Original Message -----
From: "Christian Ebner" <c.ebner at proxmox.com>
To: "aderumier" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Tuesday 30 April 2019 18:51:33
Subject: Bug #2193

It seems that the ARP filtering with ebtables introduced a bug: 
https://bugzilla.proxmox.com/show_bug.cgi?id=2193

After some digging, it turned out that the problem is that ebtables masks the provided arp-ip-src address. 
So while the provided rule looks like this: 
-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.1/24 -j RETURN 
the output of ebtables-save looks like this: 
-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.0/24 -j RETURN 
note the change from 1 to 0 for the IP address. 

This leads to different hashes, and therefore the firewall service spams the log with errors because the rules appear not to have been applied.

@Alexandre: Is the assumption correct that you simply want to allow only the one source IP, here 10.0.0.1?
If so, we should change the corresponding rule to one without a CIDR suffix, e.g.
-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.1 -j RETURN
in which case ebtables does not mangle the rule and the hash should be equal.
Also, note that the $pve_ebtables_chainname_regex probably has to be updated to include the -ARP suffix.
If you want I can provide a patch for this; if your intention was different, please let us know.

--- 

Best regards, 
Christian Ebner 

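The thread frames the problem as a hash mismatch: the firewall generates a rule with `--arp-ip-src 10.0.0.1/24`, ebtables clears the host bits when it stores the rule, and `ebtables-save` then prints `10.0.0.0/24`, so a hash of the generated line no longer matches a hash of the saved line. The masking has a second consequence worth checking before picking a fix: a rule written as `10.0.0.1/24` matches ARP packets from any sender in 10.0.0.0/24, not just from 10.0.0.1, which is not what an anti-spoofing rule for one guest wants. The example below is added here and is not Proxmox or ebtables code. It reproduces the normalisation described in the messages above with Python's `ipaddress` module, compares raw and canonical hashes, and shows which sender addresses each form of the rule actually matches. Assumptions, not taken from the thread: `ebtables-save` prints a /32 with no suffix (the thread treats "no suffix" and "/32" as equivalent), SHA-256 stands in for whatever hash the firewall service uses, and the function names and sample rule strings are constructed for illustration.

```python
import hashlib
import ipaddress
import re

# Constructed sample rules, in the form quoted in the thread (not real output).
PROVIDED_RULE = "-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.1/24 -j RETURN"
SAVED_RULE = "-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.0/24 -j RETURN"
FIXED_RULE = "-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.1 -j RETURN"

# Matches "--arp-ip-src ADDR" / "--arp-ip-dst ADDR", with an optional "! " negation.
_ARP_IP_OPT = re.compile(r"(--arp-ip-(?:src|dst)\s+(?:!\s+)?)(\S+)")


def canonical_arp_ip(spec: str) -> str:
    """Rewrite an address spec the way the thread reports ebtables-save prints it:
    host bits are cleared by the mask, and a /32 (or bare address) has no suffix.
    Assumption: the /32 formatting mirrors the "without CIDR suffix" wording above."""
    net = ipaddress.ip_network(spec, strict=False)  # strict=False applies the mask
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)  # e.g. "10.0.0.0/24"


def canonical_rule(rule: str) -> str:
    """Normalise every --arp-ip-src/--arp-ip-dst argument in one rule line."""
    return _ARP_IP_OPT.sub(lambda m: m.group(1) + canonical_arp_ip(m.group(2)), rule)


def rule_hash(rule: str) -> str:
    """Illustrative stand-in for the firewall's rule hash (assumed SHA-256)."""
    return hashlib.sha256(rule.encode()).hexdigest()


def rules_equivalent(desired: str, saved: str) -> bool:
    """Compare rules after normalising both sides, so a generated rule and the
    corresponding ebtables-save line hash equal even when ebtables masked it."""
    return rule_hash(canonical_rule(desired)) == rule_hash(canonical_rule(saved))


def arp_ip_matches(spec: str, sender: str) -> bool:
    """Would an ARP packet with this sender IP hit a rule using this spec?
    ebtables compares (sender & mask) against the stored, already-masked address."""
    return ipaddress.ip_address(sender) in ipaddress.ip_network(spec, strict=False)


def host_only_spec(ip: str) -> str:
    """The fix proposed in the thread: emit just the host address, no CIDR suffix,
    so ebtables stores and prints it unchanged and the rule matches only that host."""
    return str(ipaddress.ip_address(ip))


if __name__ == "__main__":
    print("raw hashes equal:       ", rule_hash(PROVIDED_RULE) == rule_hash(SAVED_RULE))
    print("canonical hashes equal: ", rules_equivalent(PROVIDED_RULE, SAVED_RULE))
    for spec in ("10.0.0.1/24", host_only_spec("10.0.0.1")):
        hits = [ip for ip in ("10.0.0.1", "10.0.0.200") if arp_ip_matches(spec, ip)]
        print(f"{spec:12s} matches senders: {hits}")
```

Two ways out of the mismatch follow from this: normalise before hashing (`rules_equivalent`), which keeps the /24 and therefore keeps accepting ARP from the whole subnet, or emit the host-only form (`host_only_spec`), which both survives `ebtables-save` unchanged and restricts the rule to the one guest address, as the reply above settles on.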