Bug 1462410 – firewallctl can't install ebtables rules

Bug 1462410 - firewallctl can't install ebtables rules

Summary:	firewallctl can't install ebtables rules

Status:	NEW

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	firewalld (Show other bugs)
Sub Component:
Version:	25
Hardware:	armv7l Linux

Priority	unspecified Severity unspecified
Target Milestone:	---
Target Release:	---
Assigned To:	Eric Garver
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2017-06-17 06:33 EDT by lionel.h
Modified:	2017-08-17 15:54 EDT (History)
CC List:	1 user (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description lionel.h 2017-06-17 06:33:36 EDT

Description of problem:
I'm trying to make a brouter on my raspberry pi at home. Here is the "very" simplified architecture: 

            +-------+
            |       |
            |  br0  |------+              +--------------------+
    +-------|       |      |              | systemd-nspawn     |
    |       +-------+      |              |  openvpn           |
    |                      |              |                    |
    |                      |              |                    |
+---+----+           +-----+----------+   +--------+           |
|  eth0  |           | vb-vpngateway  +---+  host0 |           |
+--------+           +----------------+   +--------+           |
192.168.1.10           172.17.94.1/28     | 172.17.94.2/28     |
                                          |                    |
                                          +--------------------+

In order for ports belonging to the bridge to communicate between each other I need to put in place a bunch of ebtables rules...

I'm running Fedora Server edition. ebtables is installed and all modules are loaded correctly: 

[lionel@raspberry ~]$ lsmod |grep ebt
ebt_arp                16384  2
ebt_ip                 16384  2
ebtable_broute         16384  1
ebtable_nat            16384  1
ebtable_filter         16384  1
ebtables               24576  3 ebtable_filter,ebtable_nat,ebtable_broute
bridge                122880  1 ebtable_broute

And everything works fine when evoking ebtables command directly..

Version-Release number of selected component (if applicable):
Name        : firewalld
Version     : 0.4.4.4
Release     : 1.fc25
Architecture: noarch

Name        : ebtables
Version     : 2.0.10
Release     : 21.fc25
Architecture: armv7hl

How reproducible:
100%

Steps to Reproduce:
1. sudo firewallctl direct -p add rule eb broute BROUTING 1 '-p IPv4 -i eth0 --ip-dst 192.168.1.10 -j DROP'
2. sudo firewallctl reload

Actual results:
ebtables rule not installed in BROUTING on the broute table.
And in the log of firewalld I have:
raspberry firewalld[15769]: WARNING: '/usr/sbin/ebtables -t broute -I BROUTING_direct 1 -p IPv4 -i eth0 --ip-dst 192.168.1.10 -j DROP' failed:

Expected results:
ebtables rule is installed in BROUTING on the broute table.

Additional info:

If I installed the rules directly via the ebtables command, everything is working smoothly without any trouble. But once I reload the firewall, the ebtables rules I put in place manually are erased. Hope this will ring a bell to someone..

Comment 1 lionel.h 2017-06-20 14:04:17 EDT

Did someone as already a hint ? This is really annoying for me..

Note You need to log in before you can comment on or make changes to this bug.