Re: nwfilter issue with new ebtables

On 11/16/20 2:01 AM, Christian Ehrhardt wrote:
Hi,
I have last week discussed breakage in nwfilter usage on IRC

    <filterref filter='clean-traffic'>
      <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
    </filterref>
virsh start <guest>
   error: Failed to start domain <guest>
   error: internal error: applyDHCPOnlyRules failed - spoofing not protect

With debug in the logs enabled I got confirmation by Daniel (thanks!)
that the command sequence libvirt issued looked kind of "normal".

Hereby I wanted to let you know that some further debugging identified
a part of the sequence that libvirt issues as being broken in recent
ebtables versions.

   # ebtables --concurrent -t nat -N testrule3
   # ebtables --concurrent -t nat -E testrule3 testrule3-renamed
   ebtables v1.8.6 (nf_tables): Chain 'testrule3' doesn't exists


So you're saying you can just run those two commands together and always get the error? (assuming that "testrule3" and "testrule3-renamed" don't exist beforehand)


From your description it sounds like maybe the error doesn't occur when there is a pause between the two commands - is that right, or am I assuming too much?


I tried the above commands (well, I put the two commands together on a single line separated by ";") on a Fedora 33 system and a RHEL 8.3.0 system, and both of them completed successfully.


This is the fedora ebtables -V: ebtables v2.0.11 (legacy) (December 2011)


And this is the ebtables -V on RHEL 8.3.0: ebtables 1.8.4 (nf_tables)


(I don't have any idea how the versions relate to each other for legacy ebtables vs. the nf_tables version)


This led to upstream ebtables bug [1] - for now just FYI in case you
want/need to subscribe for your own tracking.

[1]: https://bugzilla.netfilter.org/show_bug.cgi?id=1481
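A host probe for the sequence discussed in this thread, as an added example that is not part of the original messages or of libvirt: it reports the backend and version from `ebtables -V` and tries the same create-then-rename sequence on a scratch chain. The function names, the `--run` switch and the `nwf-probe-*` chain names are assumptions made for this example; the rename check needs root.

```shell
#!/bin/sh
# Added example: does the local ebtables handle "create chain, then rename it"?

# Turn `ebtables -V` output into "<backend> <version>".
# Accepts both forms quoted in the thread, with or without the leading "v":
#   ebtables v2.0.11 (legacy) (December 2011)
#   ebtables 1.8.4 (nf_tables)
# Prints nothing if the string is not ebtables version output.
parse_ebtables_version() {
    printf '%s\n' "$1" | sed -n \
        's/^ebtables v\{0,1\}\([0-9][0-9.]*\) (\([a-z_]*\)).*/\2 \1/p'
}

# Create a scratch chain in the nat table, rename it, then clean up.
# Returns 0 if the rename works, 1 if it fails, and 2 if the chain could not
# be created at all (not root, ebtables missing, or name already in use).
check_chain_rename() {
    chain="nwf-probe-$$"          # hypothetical scratch name, unique per run
    renamed="${chain}-r"
    ebtables --concurrent -t nat -N "$chain" 2>/dev/null || return 2
    if out=$(ebtables --concurrent -t nat -E "$chain" "$renamed" 2>&1); then
        ebtables --concurrent -t nat -X "$renamed" 2>/dev/null
        return 0
    fi
    printf 'rename failed: %s\n' "$out" >&2
    ebtables --concurrent -t nat -X "$chain" 2>/dev/null
    return 1
}

# Only touch the system when asked to: sh probe.sh --run
if [ "${1:-}" = "--run" ]; then
    ver=$(ebtables -V 2>/dev/null) || { echo "ebtables not found" >&2; exit 2; }
    echo "detected: $(parse_ebtables_version "$ver")"
    rc=0
    check_chain_rename || rc=$?
    case $rc in
        0) echo "create + rename OK" ;;
        1) echo "create + rename FAILED (sequence from this thread)" ;;
        *) echo "could not create probe chain (root required?)" ;;
    esac
    exit "$rc"
fi
```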




