Description of problem:
Since the 'ebtables' command was replaced with the NFT based impl, renaming chains stopped working

# ebtables -t nat -N foo
# ebtables -t nat -E foo bar
ebtables v1.8.5 (nf_tables): Chain 'foo' doesn't exists
Try `ebtables -h' or 'ebtables --help' for more information.

Broken in Fedora 33 iptables-nft-1.8.5-3.fc33.x86_64
Works in Fedora 31 ebtables-legacy-2.0.10-37.fc31.x86_64

Version-Release number of selected component (if applicable):
iptables-nft-1.8.5-3.fc33.x86_64

How reproducible:
Always

Steps to Reproduce:
1. ebtables -t nat -N foo
2. ebtables -t nat -E foo bar

Actual results:
ebtables v1.8.5 (nf_tables): Chain 'foo' doesn't exists
Try `ebtables -h' or 'ebtables --help' for more information.

Expected results:
Chain is renamed

Additional info:
This breaks libvirt's nwfilter functionality, as we rely on ability to rename chains in order to update rules in a race free manner
Fix sent upstream: https://lore.kernel.org/netfilter-devel/20201117105114.5083-1-phil@nwl.cc/
Upstream commit to backport:

commit 55b7c71dce7144f4dc0297c17abf0f04879ee247
Author: Phil Sutter <phil>
Date:   Tue Nov 17 11:38:27 2020 +0100

    ebtables: Fix for broken chain renaming

    Loading extensions pollutes 'errno' value, hence before using it to
    indicate failure it should be sanitized. This was done by the called
    function before the parsing/netlink split and not migrated by accident.
    Move it into calling code to clarify the connection.

    Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
    Signed-off-by: Phil Sutter <phil>
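The stale-errno mechanism the commit message describes, as an added C example that is not part of this bug report or of the iptables source. `load_extensions`, `chain_rename` and `do_rename` are hypothetical stand-ins, and the one-entry chain table and file name are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

static char chain_name[32] = "foo";   /* constructed one-entry chain table */

/* Hypothetical stand-in for extension loading: probing a file that is not
 * there fails harmlessly but leaves errno set to ENOENT. */
static void load_extensions(void)
{
    FILE *f = fopen("constructed-missing-extension.so", "r");
    if (f)
        fclose(f);
}

/* Hypothetical rename: sets errno = ENOENT if the chain is absent and does
 * not reset errno when it succeeds. */
static void chain_rename(const char *from, const char *to)
{
    if (strcmp(chain_name, from) != 0) {
        errno = ENOENT;
        return;
    }
    snprintf(chain_name, sizeof(chain_name), "%s", to);
}

/* Caller that uses errno to indicate failure. Returns 0 for success, -1 where
 * it would report "Chain '...' doesn't exists". sanitize = 1 models the fix. */
static int do_rename(const char *from, const char *to, int sanitize)
{
    load_extensions();
    if (sanitize)
        errno = 0;      /* clear the stale value right before the call */
    chain_rename(from, to);
    return errno == ENOENT ? -1 : 0;
}

int main(void)
{
    printf("unsanitized, chain exists: %d\n", do_rename("foo", "bar", 0));
    printf("sanitized, chain exists:   %d\n", do_rename("bar", "baz", 1));
    printf("sanitized, chain missing:  %d\n", do_rename("nope", "x", 1));
    return 0;
}
```

The first call reports a missing chain although `foo` exists, because the ENOENT left behind by the failed probe is read as the result of the rename.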
Thanks for the fix Phil! BTW (FYI) this also affects Ubuntu >=20.10 and Debian-unstable
FEDORA-2020-d19868229b has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-d19868229b
Hi Christian,

(In reply to Christian Ehrhardt from comment #4)
> BTW (FYI) this also affects Ubuntu >=20.10 and Debian-unstable

The fix is upstream, backporting into Ubuntu and Debian is (luckily) not my job as well.
FEDORA-2020-d19868229b has been pushed to the Fedora 33 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-d19868229b` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-d19868229b See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
(In reply to Phil Sutter from comment #6)
> Hi Christian,
>
> (In reply to Christian Ehrhardt from comment #4)
> > BTW (FYI) this also affects Ubuntu >=20.10 and Debian-unstable
>
> The fix is upstream, backporting into Ubuntu and Debian is (luckily) not my
> job as well.

Hehe, I was not implying that - it really was only an FYI for awareness. But I realized this is the Fedora bug while https://bugzilla.netfilter.org/show_bug.cgi?id=1481 would have been the better place to mention this.
FEDORA-2020-d19868229b has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.