yahoo-eng-team team mailing list archive
Message #85737
[Bug 1922892] [NEW] "ebtables-nft" returns error 4 when a new chain is created
Public bug reported:
When using "ebtables-nft", an intermediate step between the legacy tool
"ebtables" and the native implementation of "nft", an error occurs when
a new chain is added.
Linux Bridge ARP protection creates two chains per interface, one to
prevent ARP spoofing (filtering the ARP packets by the interface and
IP addresses) and another one to prevent MAC spoofing (filtering by
the interface and the MAC addresses).
Those chains have a default DROP rule.
When a new chain is added and no rule is added, the list command returns the following error [1]:
Bridge chain: a1, entries: 0, policy: DROP
ebtables v1.8.4 (nf_tables): RULE_DELETE failed (No such file or directory): rule in chain a1
The native "nft" command correctly lists all chains and rules, including the default DROP policy [1].
In order to avoid this error, every time a new chain is created, a
default DROP rule (redundant with the default policy) can be installed
at the end of the chain. That won't interfere with the packet filtering
or reduce the performance.
The "ebtables-nft" command wrapper should also watch for
ProcessExecutionError.returncode = 4, which is returned when listing a
chain without rules.
[1]http://paste.openstack.org/show/804237/
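The two-part workaround described above (a trailing DROP rule on every new chain, plus tolerating exit status 4 when listing), as an added illustration that is not neutron's own code. The `execute` callable, the `ProcessExecutionError` stand-in and the `FakeEbtables` simulator are assumptions constructed here so the logic can be exercised without a real bridge.

```python
# Added illustration (not neutron's code) of the workaround in this bug report.
EBTABLES_NO_RULES_RC = 4  # ebtables-nft exit status when listing an empty chain


class ProcessExecutionError(Exception):
    """Stand-in for neutron's ProcessExecutionError (carries returncode)."""
    def __init__(self, returncode, stderr=""):
        super().__init__(stderr)
        self.returncode = returncode


def create_chain(execute, chain, table="filter"):
    """Create a chain with policy DROP plus the redundant trailing DROP rule."""
    execute(["ebtables", "-t", table, "-N", chain, "-P", "DROP"])
    # Redundant with the policy, but keeps ebtables-nft from failing on list.
    execute(["ebtables", "-t", table, "-A", chain, "-j", "DROP"])


def list_chain(execute, chain, table="filter"):
    """Return a chain's rule lines; returncode 4 (no rules) yields []."""
    try:
        out = execute(["ebtables", "-t", table, "-L", chain])
    except ProcessExecutionError as e:
        if e.returncode == EBTABLES_NO_RULES_RC:
            return []
        raise
    return [l for l in out.splitlines() if not l.startswith("Bridge chain")]


class FakeEbtables:
    """Constructed stand-in for ebtables-nft that reproduces the reported bug."""
    def __init__(self):
        self.chains = {}  # chain name -> list of rule strings

    def __call__(self, cmd):
        action, chain = cmd[3], cmd[4]
        if action == "-N":
            self.chains[chain] = []
        elif action == "-A":
            self.chains[chain].append(" ".join(cmd[5:]))
        elif action == "-L":
            rules = self.chains[chain]
            if not rules:  # the bug: an empty chain makes the list command exit 4
                raise ProcessExecutionError(4, "RULE_DELETE failed (No such file or directory)")
            return "\n".join([f"Bridge chain: {chain}, entries: {len(rules)}, policy: DROP"] + rules)
        return ""
```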
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1922892
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1922892/+subscriptions