From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Igor Raits <igor@gooddata.com>, Florian Westphal <fw@strlen.de>,
	netfilter-devel@vger.kernel.org
Subject: Re: ebtables-nft can't delete complex rules by specifying complete rule with kernel 6.3+
Date: Mon, 10 Jul 2023 21:18:43 +0200	[thread overview]
Message-ID: <20230710191843.GA22277@breakpoint.cc> (raw)
In-Reply-To: <ZKxH1eNXcI5k9oJq@calendula>

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Mon, Jul 10, 2023 at 04:41:27PM +0200, Igor Raits wrote:
> > Hello Florian,
> > 
> > On Mon, Jul 10, 2023 at 2:49 PM Florian Westphal <fw@strlen.de> wrote:
> > >
> > > Florian Westphal <fw@strlen.de> wrote:
> > > > Igor Raits <igor@gooddata.com> wrote:
> > > > > Hello,
> > > > >
> > > > > We started to observe an issue regarding ebtables-nft and how it
> > > > > can't wipe rules when specifying the full rule. Removing the rule by index
> > > > > works fine, though. Also with kernel 6.1.y it works completely fine.
> > > > >
> > > > > I've started with 1.8.8 provided in CentOS Stream 9, then tried the
> > > > > latest git version and all behave exactly the same. See the behavior
> > > > > below. As you can see, simple DROP works, but more complex ones do not.
> > > > >
> > > > > As bugzilla requires some special sign-up procedure, I apologize for
> > > > > reporting it directly here on the ML.
> > > >
> > > > Thanks for the report, I'll look into it later today.
> > >
> > > It's a bug in ebtables-nft, it fails to delete the rule since
> > >
> > > 938154b93be8cd611ddfd7bafc1849f3c4355201,
> > > netfilter: nf_tables: reject unbound anonymous set before commit phase
> > >
> > > But it's possible to remove the rule via
> > > nft delete rule .. handle $x
> > >
> > > so the breakage is limited to ebtables-nft.
> > 
> > Thanks for confirmation and additional information regarding where
> > exactly the issue was introduced.
> > ebtables-nft (well, ebtables in general) is heavily used by
> > OpenStack Neutron (in linuxbridge mode), so this breaks our setup
> > quite a bit. Would you recommend reverting the kernel change, or would you
> > have the actual fix soon (ebtables-nft or kernel)?
> 
> Just to make sure this bug is not caused by something else.

No no no, this is a userspace bug.
netfilter: nf_tables: reject unbound anonymous set before commit phase

ebtables-nft emits a DELRULE followed by creation of a (dangling!)
anon set, because the backend code that handles add/delete is identical,
so a 'delete' request for 'among' schedules addition of the set.
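As an added example (not part of the thread, and not ebtables-nft or nftables code): the interim workaround mentioned above is to delete the rule by its nft handle rather than by full specification. The script below takes `nft -a list ruleset` style output, finds the rule matching a pattern, and prints the exact `nft delete rule` command for it. The listing is a constructed sample, with made-up handle numbers; the bridge-family chain and the anonymous-set rule mirror what an ebtables-nft 'among' rule looks like once translated.

```shell
#!/bin/sh
# Constructed sample of `nft -a list ruleset` output (handles are made up).
# The set-based rule is the form ebtables-nft uses for an 'among' match,
# which is the kind of rule that cannot be deleted by spec on 6.3+ kernels.
SAMPLE_LISTING='table bridge filter {
	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		ether saddr { 00:11:22:33:44:55, 00:11:22:33:44:66 } drop # handle 5
		ether type ip drop # handle 7
	}
}'

# rule_delete_cmd LISTING PATTERN
# Walks the listing, tracking the current family/table/chain, and for the
# first rule line matching PATTERN (awk extended regex) prints the
# `nft delete rule <family> <table> <chain> handle <n>` command.
# Returns 1 and prints nothing if no rule line matches.
rule_delete_cmd() {
	printf '%s\n' "$1" | awk -v pat="$2" '
		/^table /        { family = $2; table = $3 }
		/^[ \t]*chain /  { chain = $2 }
		$0 ~ pat && match($0, /# handle [0-9]+/) {
			# "# handle " is 9 characters; the rest of the match is the number
			handle = substr($0, RSTART + 9, RLENGTH - 9)
			printf "nft delete rule %s %s %s handle %s\n", family, table, chain, handle
			found = 1
			exit
		}
		END { if (!found) exit 1 }'
}

# Usage: locate the set-based rule by one of its MAC addresses.
# In practice the listing comes from: nft -a list ruleset
rule_delete_cmd "$SAMPLE_LISTING" '00:11:22:33:44:55'
```

Run the printed command as root to remove the rule; `nft -a list ruleset` afterwards should no longer show the handle.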
