[pve-devel] [RFC firewall 0/8] rebased ebtables patches
Thomas Lamprecht
t.lamprecht at proxmox.com
Thu Mar 29 08:02:47 CEST 2018
On 3/28/18 10:53 AM, Wolfgang Bumiller wrote:
> While on the one hand I'd like to move to nftables, and on the other
> hand I like the idea of attaching xdp programs to interfaces for the
> purpose of e.g. MAC filtering, we do still have this patch series around
> which wasn't much work to rebase to the current code base and does its
> job...
> Back when the series was originally posted the issue was mostly the lack
> of a (proper) ebtables package (missing ebtables-save/restore). We don't
> have this problem anymore, so why not give this a go?
>
> The changes I made to the patches I took off the list should be rather
> obvious: openvz -> lxc, and replacing the hardcoded ethertype list with
> reading /etc/ethertypes (which gets shipped with the ebtables package).
> Some whitespace cleanup and I renamed 'layer2filter_protocols' to just
> 'layer2_protocols' (and avoided the generation of `-j DROP` followed by
> `-j ACCEPT`).
>
I get the following error periodically:
> ebtables : unable to update chain 'PVEFW-FWBR-OUT'
# ebtables-save
# Generated by ebtables-save v1.0 on Thu Mar 29 07:59:57 CEST 2018
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:PVEFW-FORWARD ACCEPT
:PVEFW-FWBR-OUT ACCEPT
-A PVEFW-FORWARD -p IPv4 -j ACCEPT
-A PVEFW-FORWARD -p IPv6 -j ACCEPT
-A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT
Pretty vanilla setup:
cat /etc/pve/firewall/cluster.fw
[OPTIONS]
enable: 1
cat /etc/pve/firewall/107fw
[OPTIONS]
enable: 1
# tried with and without the following line
#layer2_protocols: ARP
A misconfiguration on my side?
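As an added illustration (not pve-firewall's code, and not part of this thread), the following Python sketch shows the two pieces the quoted description relies on: reading ethertype names from a file in the /etc/ethertypes format and turning a per-VM `layer2_protocols` option into an ebtables ruleset in the ebtables-save layout shown above. The ethertypes excerpt and the VM config are constructed inline; the exact rule layout (IPv4/IPv6 accepted in PVEFW-FORWARD, a whitelist followed by a single DROP in PVEFW-FWBR-OUT, and no DROP at all when no list is configured) is an assumption made for this example, as is the use of numeric ethertypes in the emitted rules.

```python
"""Illustrative layer-2 rule generator in ebtables-save format.

Added example, not pve-firewall's own code. Assumptions (not from the post):
- /etc/ethertypes lines look like "NAME HEX [alias ...] # comment".
- 'layer2_protocols' in the VM's [OPTIONS] is a comma-separated list of
  names; listed types are accepted on the fwln+ link, everything else dropped.
- IPv4/IPv6 are accepted before the jump, so the iptables layer sees them.
"""
import re

# Constructed excerpt in the format of /etc/ethertypes (ebtables package).
ETHERTYPES_SAMPLE = """\
#
# Ethernet frame types (constructed excerpt for this example)
#
IPv4        0800    ip ip4          # Internet IP (IPv4)
X25         0805
ARP         0806    ether-arp       # Address Resolution Protocol
IPv6        86DD    ip6             # IP version 6
PPP_DISC    8863                    # PPPoE discovery
"""

# Constructed per-VM config, the posted one with the option uncommented.
VM_FW_SAMPLE = """\
[OPTIONS]
enable: 1
layer2_protocols: ARP
"""


def parse_ethertypes(text):
    """Map every name and alias (lower-cased) to its 16-bit ethertype."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        value = int(fields[1], 16)
        for name in (fields[0], *fields[2:]):
            table[name.lower()] = value
    return table


def parse_fw_options(text):
    """Read 'key: value' pairs from the [OPTIONS] section; '#' lines are comments."""
    options, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1).upper()
            continue
        if section == "OPTIONS" and ":" in line:
            key, _, value = line.partition(":")
            options[key.strip()] = value.strip()
    return options


def build_ruleset(options, ethertypes):
    """Produce ebtables-save lines (assumed layout, see module docstring)."""
    lines = [
        "*filter",
        ":INPUT ACCEPT",
        ":FORWARD ACCEPT",
        ":OUTPUT ACCEPT",
        ":PVEFW-FORWARD ACCEPT",
        ":PVEFW-FWBR-OUT ACCEPT",
        "-A PVEFW-FORWARD -p IPv4 -j ACCEPT",
        "-A PVEFW-FORWARD -p IPv6 -j ACCEPT",
        "-A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT",
    ]
    raw = options.get("layer2_protocols", "")
    wanted = [p.strip() for p in raw.split(",") if p.strip()]
    if not wanted:
        # No whitelist: leave the chain empty under its ACCEPT policy rather
        # than emitting a DROP that a trailing ACCEPT would have to cancel.
        return lines
    for name in wanted:
        if name.lower() not in ethertypes:
            # Reject names the host's ethertypes file does not know, instead
            # of letting ebtables fail later while loading the ruleset.
            raise ValueError(f"unknown layer-2 protocol {name!r}")
        # Emit the numeric type so the rule does not depend on name lookup.
        lines.append(f"-A PVEFW-FWBR-OUT -p 0x{ethertypes[name.lower()]:04x} -j ACCEPT")
    lines.append("-A PVEFW-FWBR-OUT -j DROP")
    return lines


if __name__ == "__main__":
    print("\n".join(build_ruleset(parse_fw_options(VM_FW_SAMPLE),
                                  parse_ethertypes(ETHERTYPES_SAMPLE))))
```

Feeding the output to `ebtables-restore` would be the next step on a real host; the script deliberately stops at generating text so it can be run offline.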