Bug 1898130 - ebtables is unable to rename chains
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: iptables
Version: 33
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Assignee: Phil Sutter
QA Contact: Fedora Extras Quality Assurance
Reported: 2020-11-16 13:30 UTC by Daniel Berrangé
Modified: 2020-11-21 01:30 UTC (History)

Fixed In Version: iptables-1.8.5-4.fc33
Last Closed: 2020-11-21 01:30:38 UTC
Type: Bug


Links
System ID Priority Status Summary Last Updated
Netfilter 1481 None None None 2020-11-16 13:31:49 UTC

Description Daniel Berrangé 2020-11-16 13:30:08 UTC
Description of problem:

Since the 'ebtables' command was replaced with the NFT-based impl, renaming chains stopped working.

# ebtables -t nat -N foo
# ebtables -t nat -E foo bar
ebtables v1.8.5 (nf_tables): Chain 'foo' doesn't exists
Try `ebtables -h' or 'ebtables --help' for more information.

Broken in Fedora 33


iptables-nft-1.8.5-3.fc33.x86_64

Works in Fedora 31

ebtables-legacy-2.0.10-37.fc31.x86_64

Version-Release number of selected component (if applicable):
iptables-nft-1.8.5-3.fc33.x86_64

How reproducible:
Always

Steps to Reproduce:
1. ebtables -t nat -N foo
2. ebtables -t nat -E foo bar

Actual results:
ebtables v1.8.5 (nf_tables): Chain 'foo' doesn't exists
Try `ebtables -h' or 'ebtables --help' for more information.


Expected results:
Chain is renamed

Additional info:

Comment 1 Daniel Berrangé 2020-11-16 13:31:50 UTC
This breaks libvirt's nwfilter functionality, as we rely on the ability to rename chains in order to update rules in a race-free manner.

Comment 2 Phil Sutter 2020-11-17 10:59:24 UTC
Fix sent upstream: https://lore.kernel.org/netfilter-devel/20201117105114.5083-1-phil@nwl.cc/

Comment 3 Phil Sutter 2020-11-17 12:04:13 UTC
Upstream commit to backport:

commit 55b7c71dce7144f4dc0297c17abf0f04879ee247
Author: Phil Sutter <phil@nwl.cc>
Date:   Tue Nov 17 11:38:27 2020 +0100

    ebtables: Fix for broken chain renaming
    
    Loading extensions pollutes 'errno' value, hence before using it to
    indicate failure it should be sanitized. This was done by the called
    function before the parsing/netlink split and not migrated by accident.
    Move it into calling code to clarify the connection.
    
    Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
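
The failure mode named in the commit message above, as an added example that is not part of this bug thread or of the iptables source: a simplified model in which a stale `errno` left by an unrelated probe makes a successful rename look like "chain doesn't exist". All function names, the in-memory chain table and the probed path are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

static char chains[4][32];  /* constructed stand-in for the ruleset */
/* Stand-in for extension loading: a failed probe leaves errno == ENOENT. */
static void load_extensions(void)
{
    FILE *f = fopen("/constructed-no-such-dir/ext.so", "r");
    if (f)
        fclose(f);
}

int find_chain(const char *name)
{
    for (int i = 0; i < 4; i++)
        if (strcmp(chains[i], name) == 0)
            return i;
    return -1;
}

/* Hypothetical rename: sets errno on failure, never clears it on success. */
static void rename_chain(const char *old, const char *new_name)
{
    int i = find_chain(old);
    if (i < 0) {
        errno = ENOENT;
        return;
    }
    snprintf(chains[i], sizeof(chains[i]), "%s", new_name);
}

/* Returns -1 if the caller would report "chain doesn't exist", else 0. */
int run_rename(const char *have, const char *old, const char *new_name, int reset)
{
    memset(chains, 0, sizeof(chains));
    snprintf(chains[0], sizeof(chains[0]), "%s", have);
    load_extensions();
    if (reset)
        errno = 0;  /* sanitize before errno is used as the failure signal */
    rename_chain(old, new_name);
    return errno == ENOENT ? -1 : 0;
}

int main(void)
{
    printf("stale: %d reset: %d\n", run_rename("foo", "foo", "bar", 0), run_rename("foo", "foo", "bar", 1));
    return 0;
}
```

In the stale case the chain table really does contain `bar` afterwards, so the error report and the actual state disagree.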

Comment 4 Christian Ehrhardt 2020-11-17 13:53:15 UTC
Thanks for the fix Phil!

BTW (FYI) this also affects Ubuntu >=20.10 and Debian-unstable

Comment 5 Fedora Update System 2020-11-17 14:57:45 UTC
FEDORA-2020-d19868229b has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-d19868229b

Comment 6 Phil Sutter 2020-11-17 14:59:55 UTC
Hi Christian,

(In reply to Christian Ehrhardt from comment #4)
> BTW (FYI) this also affects Ubuntu >=20.10 and Debian-unstable

The fix is upstream, backporting into Ubuntu and Debian is (luckily) not my job as well.

Comment 7 Fedora Update System 2020-11-18 01:08:53 UTC
FEDORA-2020-d19868229b has been pushed to the Fedora 33 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-d19868229b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-d19868229b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Christian Ehrhardt 2020-11-18 06:29:25 UTC
(In reply to Phil Sutter from comment #6)
> Hi Christian,
> 
> (In reply to Christian Ehrhardt from comment #4)
> > BTW (FYI) this also affects Ubuntu >=20.10 and Debian-unstable
> 
> The fix is upstream, backporting into Ubuntu and Debian is (luckily) not my
> job as well.

Hehe, I was not implying that - it really was only an FYI for awareness.
But I realized this is the Fedora bug while https://bugzilla.netfilter.org/show_bug.cgi?id=1481 would have been the better place to mention this.

Comment 9 Fedora Update System 2020-11-21 01:30:38 UTC
FEDORA-2020-d19868229b has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

