Bug 1462410 - firewallctl can't install ebtables rules
Status: NEW
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 25
Hardware: armv7l
OS: Linux
Priority: unspecified
Severity: unspecified
Assigned To: Eric Garver
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-06-17 06:33 EDT by lionel.h
Modified: 2017-08-17 15:54 EDT (History)
Type: Bug
Description lionel.h 2017-06-17 06:33:36 EDT
Description of problem:
I'm trying to make a brouter on my raspberry pi at home. Here is the "very" simplified architecture: 

            +-------+
            |       |
            |  br0  |------+              +--------------------+
    +-------|       |      |              | systemd-nspawn     |
    |       +-------+      |              |  openvpn           |
    |                      |              |                    |
    |                      |              |                    |
+---+----+           +-----+----------+   +--------+           |
|  eth0  |           | vb-vpngateway  +---+  host0 |           |
+--------+           +----------------+   +--------+           |
192.168.1.10           172.17.94.1/28     | 172.17.94.2/28     |
                                          |                    |
                                          +--------------------+

In order for ports belonging to the bridge to communicate with each other, I need to put in place a bunch of ebtables rules...

I'm running Fedora Server edition. ebtables is installed and all modules are loaded correctly: 

[lionel@raspberry ~]$ lsmod |grep ebt
ebt_arp                16384  2
ebt_ip                 16384  2
ebtable_broute         16384  1
ebtable_nat            16384  1
ebtable_filter         16384  1
ebtables               24576  3 ebtable_filter,ebtable_nat,ebtable_broute
bridge                122880  1 ebtable_broute

And everything works fine when invoking the ebtables command directly.

Version-Release number of selected component (if applicable):
Name        : firewalld
Version     : 0.4.4.4
Release     : 1.fc25
Architecture: noarch

Name        : ebtables
Version     : 2.0.10
Release     : 21.fc25
Architecture: armv7hl

How reproducible:
100%

Steps to Reproduce:
1. sudo firewallctl direct -p add rule eb broute BROUTING 1 '-p IPv4 -i eth0 --ip-dst 192.168.1.10 -j DROP'
2. sudo firewallctl reload

Actual results:
ebtables rule not installed in BROUTING on the broute table.
And in the log of firewalld I have:
raspberry firewalld[15769]: WARNING: '/usr/sbin/ebtables -t broute -I BROUTING_direct 1 -p IPv4 -i eth0 --ip-dst 192.168.1.10 -j DROP' failed:

Expected results:
ebtables rule is installed in BROUTING on the broute table.

Additional info:

If I install the rules directly via the ebtables command, everything works smoothly without any trouble. But once I reload the firewall, the ebtables rules I put in place manually are erased. Hope this rings a bell for someone.
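The firewalld warning quoted above ends in "failed:" with no reason attached, so the only reliable way to notice that a permanent direct ebtables rule was not applied is to compare what is configured with what the kernel actually holds after a reload. The following script is an added example, not part of this bug report or of firewalld: it parses a direct.xml fragment (firewalld's permanent direct-rule store, here a constructed copy mirroring the reporter's rule plus one extra filter rule) and constructed `ebtables -t <table> -L <chain>_direct` listings, then reports every configured `eb` rule that is missing from the live `<chain>_direct` chain firewalld uses (the log line above shows that chain name). The listing format is a constructed approximation of ebtables output.

```python
"""Reconcile firewalld permanent direct ebtables rules against live chain state.

Added example: both inputs below are constructed sample data, not captured
from the reporter's system.
"""
import xml.etree.ElementTree as ET

# Constructed direct.xml content mirroring the rule from the report.  The
# <direct>/<rule ipv= table= chain= priority=> layout is firewalld's
# permanent direct-rule format (/etc/firewalld/direct.xml).
DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="eb" table="broute" chain="BROUTING" priority="1">-p IPv4 -i eth0 --ip-dst 192.168.1.10 -j DROP</rule>
  <rule ipv="eb" table="filter" chain="FORWARD" priority="0">-p ARP -i eth0 -j ACCEPT</rule>
</direct>
"""

# Constructed listings shaped like `ebtables -t <table> -L <chain>_direct`
# for the failing case described in the report: the broute chain exists but
# is empty (the rule was silently not installed), while the filter rule is in place.
EBTABLES_LISTINGS = {
    ("broute", "BROUTING_direct"): """Bridge table: broute

Bridge chain: BROUTING_direct, entries: 0, policy: RETURN
""",
    ("filter", "FORWARD_direct"): """Bridge table: filter

Bridge chain: FORWARD_direct, entries: 1, policy: RETURN
-p ARP -i eth0 -j ACCEPT
""",
}


def normalize(args):
    """Collapse whitespace so cosmetic spacing differences do not hide a match."""
    return " ".join(args.split())


def configured_eb_rules(direct_xml):
    """Return (table, chain, priority, args) for every ipv="eb" rule in direct.xml."""
    root = ET.fromstring(direct_xml)
    rules = []
    for rule in root.findall("rule"):
        if rule.get("ipv") != "eb":
            continue  # ipv4/ipv6 direct rules live in iptables, not ebtables
        rules.append((rule.get("table"), rule.get("chain"),
                      int(rule.get("priority", "0")), normalize(rule.text or "")))
    return rules


def live_rules(listing):
    """Extract rule specifications from an ebtables chain listing.

    Header lines ("Bridge table:", "Bridge chain:") and blank lines are
    skipped; every remaining line is treated as one rule.
    """
    rules = []
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith(("Bridge table:", "Bridge chain:")):
            continue
        rules.append(normalize(line))
    return rules


def missing_rules(direct_xml, listings):
    """Return configured eb rules absent from their live <chain>_direct chain.

    firewalld installs direct rules into "<chain>_direct" (the report's log
    line shows BROUTING_direct), so that is the chain inspected here.
    """
    missing = []
    for table, chain, priority, args in configured_eb_rules(direct_xml):
        listing = listings.get((table, chain + "_direct"), "")
        if args not in live_rules(listing):
            missing.append((table, chain, priority, args))
    return missing


if __name__ == "__main__":
    for table, chain, priority, args in missing_rules(DIRECT_XML, EBTABLES_LISTINGS):
        print(f"not installed: eb {table} {chain} {priority} {args}")
```

On a real host the same functions take the contents of /etc/firewalld/direct.xml and the output of `ebtables -t broute -L BROUTING_direct` (one listing per configured table/chain pair) after `firewallctl reload`; any rule the script reports as missing is one that firewalld accepted into its permanent configuration but did not get into the kernel, which is exactly the symptom described above.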
Comment 1 lionel.h 2017-06-20 14:04:17 EDT
Does someone already have a hint? This is really annoying for me.
