[PVE-User] ebtables policy created to DROP but automatically changed to ACCEPT

Stoiko Ivanov s.ivanov at proxmox.com
Fri May 29 16:59:18 CEST 2020


Hi,

Thanks for reporting this!
I managed to reproduce the issue - it seems the code currently does not
account for the policy of an ebtables chain (see [0]).

Please open a bug report over at https://bugzilla.proxmox.com

As a mitigation until this is fixed, you could add a final rule which drops
all packets to your ruleset:
```
ebtables -A test -j DROP
```

kind regards,
stoiko

[0]
https://git.proxmox.com/?p=pve-firewall.git;a=blob;f=src/PVE/Firewall.pm;h=a2105e5410590b30305bd6941ddcc8bfe40159da;hb=HEAD#l4166

On Fri, 29 May 2020 15:46:26 +0200
José Manuel Giner <jm at ginernet.com> wrote:

> Seems it's a bug "fixed", but is still here:
> 
> https://git.proxmox.com/?p=pve-firewall.git;a=commit;h=84025e9943d236414fbd869b89cb2e8e17af3208
> 
> 
> 
> 
> On 29/05/2020 14:24, José Manuel Giner wrote:
> > Any info?
> > 
> > 
> > On 28/05/2020 18:07, José Manuel Giner wrote:  
> >> Hello,
> >>
> >> when I create an ebtables chain in a HN with DROP policy, after some 
> >> seconds it is automatically modified to ACCEPT
> >>
> >> ebtables -N test
> >> ebtables -P test DROP
> >>
> >> some seconds later:
> >>
> >> #ebtables -L
> >> Bridge chain: test, entries: 0, policy: ACCEPT
> >>
> >> I've tried to disable "ebtables" on the datacenter, but nothing seems 
> >> to have an effect.
> >>
> >> Any idea?
> >>
> >> Thanks!
> >>
> >>  
> >   
> 
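
An added check (not part of the thread and not Proxmox code) for the behaviour discussed above: it reads `ebtables -L` output and reports which chains that are meant to default-deny would currently pass unmatched frames, accepting either a DROP policy or the final `-j DROP` rule suggested as mitigation. The function names, the chains `guard` and `strict`, and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# check_default_deny CHAIN...
# Reads `ebtables -L` output on stdin and prints one line per named chain:
#   ok-policy      chain policy is DROP
#   ok-final-rule  policy is not DROP, but the last rule is an unconditional DROP
#   FAIL-OPEN      unmatched frames fall through the chain
#   MISSING        chain is not present in the listing
check_default_deny() {
    awk -v want="$*" '
        BEGIN { n = split(want, names, " ") }
        /^Bridge chain: / {
            # Header format: "Bridge chain: test, entries: 0, policy: ACCEPT"
            chain = $3; sub(/,$/, "", chain)
            policy[chain] = $NF; last[chain] = ""; seen[chain] = 1
            next
        }
        # Any other non-blank line inside a chain section is a rule line.
        chain != "" && NF > 0 && !/^Bridge table:/ {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            last[chain] = $0
        }
        END {
            for (i = 1; i <= n; i++) {
                c = names[i]
                if (!(c in seen))              state = "MISSING"
                else if (policy[c] == "DROP")  state = "ok-policy"
                else if (last[c] == "-j DROP") state = "ok-final-rule"
                else                           state = "FAIL-OPEN"
                print c, state
            }
        }'
}

# Constructed sample listing; "test" is in the state reported in the thread.
sample_listing() {
    cat <<'EOF'
Bridge table: filter

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: test, entries: 0, policy: ACCEPT

Bridge chain: guard, entries: 2, policy: ACCEPT
-p ARP -j ACCEPT
-j DROP

Bridge chain: strict, entries: 1, policy: DROP
-p IPv4 -j ACCEPT
EOF
}

# On a live host: ebtables -L | check_default_deny test
sample_listing | check_default_deny test guard strict absent
```

Running it periodically catches the case where a policy set with `ebtables -P` has been reset since the last check.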




