[PVE-User] ebtables policy created to DROP but automatically changed to ACCEPT

José Manuel Giner jm at ginernet.com
Fri May 29 17:10:26 CEST 2020


Bug 2773

As I'm not using the pve-firewall, I've stopped it and it's OK.

# pve-firewall stop

Thanks.



On 29/05/2020 16:59, Stoiko Ivanov wrote:
> Hi,
> 
> Thanks for reporting this!
> I managed to reproduce the issue - it seems the code currently does not
> account for the policy of an ebtables chain (see [0]).
> 
> Please open a bug report over at https://bugzilla.proxmox.com
> 
> As a mitigation until this is fixed, you could add a final rule which drops
> all packets to your ruleset:
> ```
> ebtables -A test -j DROP
> ```
> 
> kind regards,
> stoiko
> 
> [0]
> https://git.proxmox.com/?p=pve-firewall.git;a=blob;f=src/PVE/Firewall.pm;h=a2105e5410590b30305bd6941ddcc8bfe40159da;hb=HEAD#l4166
> 
> On Fri, 29 May 2020 15:46:26 +0200
> José Manuel Giner <jm at ginernet.com> wrote:
> 
>> Seems it's a bug "fixed", but it is still here:
>>
>> https://git.proxmox.com/?p=pve-firewall.git;a=commit;h=84025e9943d236414fbd869b89cb2e8e17af3208
>>
>>
>>
>>
>> On 29/05/2020 14:24, José Manuel Giner wrote:
>>> Any info?
>>>
>>>
>>> On 28/05/2020 18:07, José Manuel Giner wrote:
>>>> Hello,
>>>>
>>>> When I create an ebtables chain in a HN with DROP policy, after some
>>>> seconds it is automatically modified to ACCEPT.
>>>>
>>>> ebtables -N test
>>>> ebtables -P test DROP
>>>>
>>>> some seconds later:
>>>>
>>>> #ebtables -L
>>>> Bridge chain: test, entries: 0, policy: ACCEPT
>>>>
>>>> I've tried to disable "ebtables" on the datacenter, but nothing seems
>>>> to have any effect.
>>>>
>>>> Any idea?
>>>>
>>>> Thanks!
>>>>
>>>>   
>>>    
>>
> 
> 

-- 
José Manuel Giner
https://ginernet.com
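
Added example, not part of the original thread and not Proxmox code: a check for the condition discussed above, where a chain created with policy DROP ends up at ACCEPT and only a catch-all DROP rule keeps it closed. The function name `chain_fallthrough` and the sample listings are constructed for illustration; it assumes the `ebtables -L` header format quoted in the thread, one rule per line, no counters.

```shell
#!/bin/sh
# Reads `ebtables -L` text on stdin; $1 is the chain to inspect.
# Prints what happens to a frame that matches no specific rule:
#   policy-drop | rule-drop | open | missing
chain_fallthrough() {
    awk -v chain="$1" '
        /^Bridge chain: / {
            # Header: "Bridge chain: NAME, entries: N, policy: POLICY"
            name = $3; sub(/,$/, "", name)
            in_chain = (name == chain)
            if (in_chain) { found = 1; policy = $NF; catchall = "" }
            next
        }
        in_chain && NF > 0 {
            line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
            # The first unconditional verdict hides every rule after it
            if (catchall == "" && line ~ /^-j (DROP|ACCEPT)$/)
                catchall = substr(line, 4)
        }
        END {
            if (!found)                    print "missing"
            else if (catchall == "ACCEPT") print "open"
            else if (policy == "DROP")     print "policy-drop"
            else if (catchall == "DROP")   print "rule-drop"
            else                           print "open"
        }'
}

# Constructed listings, not captured from a real host.
# State reported in the thread: policy back at ACCEPT, chain empty.
LISTING_RESET='Bridge table: filter

Bridge chain: test, entries: 0, policy: ACCEPT'

# After the suggested mitigation (ebtables -A test -j DROP).
LISTING_MITIGATED='Bridge table: filter

Bridge chain: test, entries: 2, policy: ACCEPT
-p ARP -j ACCEPT
-j DROP'

# A protocol-specific DROP is not a catch-all: non-IPv4 frames still pass.
LISTING_PARTIAL='Bridge table: filter

Bridge chain: test, entries: 1, policy: ACCEPT
-p IPv4 -j DROP'

for listing in "$LISTING_RESET" "$LISTING_MITIGATED" "$LISTING_PARTIAL"; do
    printf '%s\n' "$listing" | chain_fallthrough test
done
```

On a host, feed it live output with `ebtables -L | chain_fallthrough test`, for example from a periodic job that alerts when the result is `open`.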



