yahoo-eng-team team mailing list archive

[Bug 1922892] Re: "ebtables-nft" returns error 4 when a new chain is created


Reviewed:  https://review.opendev.org/c/openstack/neutron/+/785177
Committed: https://opendev.org/openstack/neutron/commit/0a931391d8990f3e654b4bfda24ae4119c609bbf
Submitter: "Zuul (22348)"
Branch:    master

commit 0a931391d8990f3e654b4bfda24ae4119c609bbf
Author: Rodolfo Alonso Hernandez <ralonsoh@xxxxxxxxxx>
Date:   Wed Apr 7 13:16:21 2021 +0000

    Make ARP protection commands compatible with "ebtables-nft"
    
    "nftables" compatible binary, "ebtables-nft", is not 100% compatible
    with the legacy API, as reported in LP#1922892.
    
    This patch fixes the following issues when using "ebtables-nft" (while
    keeping compatibility with legacy binary):
    - When a new chain is created, a default DROP rule is added at the end
      of the chain (append). This will prevent the error code 4 when the
      chain is listed.
    - The chain rules are added at the beginning of the chain (insert),
      before the default DROP rule. This will prioritize the port rules.
    - The MAC rules are cleaned before the new ones are added. That will
      prevent the deletion of any new needed rule, now added after the
      deletion.
    - The "ebtables" command will retry on error code 4. This is the
      error returned when the chains are listed and no rule is present
      in a newly created chain (reported in LP#1922892).
    
    This code is backwards compatible, that means it works with the legacy
    "ebtables" binary; this is currently installed in the Neutron CI [1].
    In order to test with the new binary, "ebtables-nft", two new CI jobs
    are added to the periodic queue [2].
    
    [1]https://github.com/openstack/neutron/blob/1ad9ca56b07ffdc9f7e0bc6a62af61961b9128eb/roles/legacy_ebtables/tasks/main.yaml
    [2]https://review.opendev.org/c/openstack/neutron/+/785144
    
    Closes-Bug: #1922892
    Related-Bug: #1508155
    
    Change-Id: I9463b000f6f63e65aaf91d60b30f6c92c01e3baf


** Changed in: neutron
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1922892

Title:
  "ebtables-nft" returns error 4 when a new chain is created

Status in neutron:
  Fix Released

Bug description:
  When using "ebtables-nft", an intermediate step between the legacy
  tool "ebtables" and the native implementation of "nft", an error
  occurs when a new chain is added.

  Linux Bridge ARP protection creates two chains per interface, one to
  prevent the ARP spoofing (filtering the ARP packets by the interface
  and IP addresses) and another one to prevent the MAC spoofing
  (filtering by the interface and the MAC addresses).

  Those chains have a default DROP rule.

  When a new chain is added and no rule is added, the list command returns the following error [1]:
    Bridge chain: a1, entries: 0, policy: DROP
    ebtables v1.8.4 (nf_tables):  RULE_DELETE failed (No such file or directory): rule in chain a1

  The native "nft" command correctly lists all chains and rules, including the default DROP policy [1].

  In order to avoid this error, every time a new table is created, a
  default DROP rule (redundant with the default policy) can be installed
  at the end of the chain. That won't interfere with the packet
  filtering or reduce the performance.

  The "ebtables-nft" command should also watch for the
  ProcessExecutionError.returncode = 4, that is returned when listing a
  chain without rules.

  [1]http://paste.openstack.org/show/804237/

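The three mitigations described above (append a redundant DROP rule when a chain is created, insert per-port ARP rules at the head of the chain so they take priority over that DROP, and retry the ebtables call on return code 4) can be illustrated with a small wrapper. The following is an added example written for this archive page; it is not Neutron's code. The chain name "neutronARP-tap1234", the interface name and the IP address are constructed sample values, and `FakeEbtables` is an in-memory stand-in (also constructed here) that reproduces the ebtables-nft behaviour from the bug report: listing a chain that holds no rules fails with return code 4. Replace the fake runner with `subprocess_runner` to drive a real ebtables binary.

```python
import subprocess
import time

# Return code ebtables-nft emits when a freshly created chain with no
# rules is listed (the failure reported in LP#1922892).
RETRYABLE_RETURN_CODES = (4,)


class EbtablesError(RuntimeError):
    """Raised when ebtables fails with a non-retryable (or exhausted) error."""

    def __init__(self, cmd, returncode, stderr):
        super().__init__(f"{' '.join(cmd)} failed (rc={returncode}): {stderr}")
        self.cmd = cmd
        self.returncode = returncode


def subprocess_runner(cmd):
    """Real runner: execute cmd and return (returncode, stdout, stderr)."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def run_ebtables(args, runner=subprocess_runner, retries=3, delay=0.1):
    """Run 'ebtables <args>', retrying only on the return codes listed above."""
    cmd = ["ebtables"] + list(args)
    for attempt in range(retries + 1):
        rc, out, err = runner(cmd)
        if rc == 0:
            return out
        if rc in RETRYABLE_RETURN_CODES and attempt < retries:
            time.sleep(delay)
            continue
        raise EbtablesError(cmd, rc, err)


def create_protection_chain(chain, runner=subprocess_runner):
    """Create a chain with a DROP policy plus an explicit trailing DROP rule.

    The appended rule is redundant with the policy, but it guarantees the
    chain is never empty, which is what makes ebtables-nft fail on -L.
    """
    run_ebtables(["-N", chain, "-P", "DROP"], runner=runner)
    run_ebtables(["-A", chain, "-j", "DROP"], runner=runner)


def set_arp_rules(chain, interface, ip_addresses, runner=subprocess_runner):
    """Insert per-port ARP ACCEPT rules at position 1, ahead of the DROP rule."""
    for ip in ip_addresses:
        run_ebtables(["-I", chain, "1", "-p", "ARP", "-i", interface,
                      "--arp-ip-src", ip, "-j", "ACCEPT"], runner=runner)
    return run_ebtables(["-L", chain], runner=runner)


class FakeEbtables:
    """Constructed in-memory stand-in mimicking ebtables-nft for offline runs.

    Listing an empty chain returns code 4; transient_list_failures lets the
    first N list calls fail with code 4 to exercise the retry path.
    """

    def __init__(self, transient_list_failures=0):
        self.chains = {}
        self.calls = []
        self._list_failures_left = transient_list_failures

    def __call__(self, cmd):
        self.calls.append(cmd)
        op, chain = cmd[1], cmd[2]
        if op == "-N":
            self.chains[chain] = []
        elif op == "-A":
            self.chains[chain].append(cmd[3:])
        elif op == "-I":
            self.chains[chain].insert(int(cmd[3]) - 1, cmd[4:])
        elif op == "-L":
            if self._list_failures_left > 0 or not self.chains[chain]:
                self._list_failures_left = max(0, self._list_failures_left - 1)
                return 4, "", "RULE_DELETE failed (No such file or directory)"
            return 0, "\n".join(" ".join(r) for r in self.chains[chain]), ""
        else:
            return 1, "", "unsupported"
        return 0, "", ""


def demo():
    """Create a chain, install one ARP rule, and list it through a flaky runner."""
    fake = FakeEbtables(transient_list_failures=1)
    chain = "neutronARP-tap1234"  # constructed sample name
    create_protection_chain(chain, runner=fake)
    listing = set_arp_rules(chain, "tap1234", ["10.0.0.5"], runner=fake)
    return fake, listing


if __name__ == "__main__":
    runner, out = demo()
    print(out)
```

Because the rules are inserted rather than appended, the ACCEPT entries always sit above the trailing DROP, so the chain behaves exactly as it did with the legacy binary; the retry wrapper only masks return code 4 and still raises on any other failure.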
