firewall changed to ebtables

[conrad784]

Hi everyone,

I am running pve 5.1-42

proxmox-ve: 5.1-42 (running kernel: 4.13.16-2-pve)
pve-manager: 5.1-51 (running version: 5.1-51/96be5354)
pve-kernel-4.13: 5.1-44
pve-kernel-4.13.16-2-pve: 4.13.16-47
pve-kernel-4.13.16-1-pve: 4.13.16-46
pve-kernel-4.13.13-6-pve: 4.13.13-42
pve-kernel-4.13.13-5-pve: 4.13.13-38
pve-kernel-4.13.13-4-pve: 4.13.13-35
pve-kernel-4.13.13-3-pve: 4.13.13-34
pve-kernel-4.13.13-2-pve: 4.13.13-33
pve-kernel-4.13.13-1-pve: 4.13.13-31
pve-kernel-4.13.8-3-pve: 4.13.8-30
pve-kernel-4.13.4-1-pve: 4.13.4-26
pve-kernel-4.10.17-4-pve: 4.10.17-24
pve-kernel-4.10.17-3-pve: 4.10.17-23
corosync: 2.4.2-pve4
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: not correctly installed
libjs-extjs: 6.0.1-2
libpve-access-control: 5.0-8
libpve-apiclient-perl: 2.0-4
libpve-common-perl: 5.0-30
libpve-guest-common-perl: 2.0-14
libpve-http-server-perl: 2.0-8
libpve-storage-perl: 5.0-18
libqb0: 1.0.1-1
lvm2: 2.02.168-pve6
lxc-pve: 3.0.0-2
lxcfs: 3.0.0-1
novnc-pve: 0.6-4
proxmox-widget-toolkit: 1.0-15
pve-cluster: 5.0-25
pve-container: 2.0-21
pve-docs: 5.1-17
pve-firewall: 3.0-8
pve-firmware: 2.0-4
pve-ha-manager: 2.0-5
pve-i18n: 1.0-4
pve-libspice-server1: 0.12.8-3
pve-qemu-kvm: 2.11.1-5
pve-xtermjs: 1.0-2
qemu-server: 5.0-25
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3

and I noticed that the last update did add and ebtables.

Selecting previously unselected package ebtables.^M
Preparing to unpack .../24-ebtables_2.0.10.4-3.5+b1_amd64.deb ...^M

I was running iptables.service and all the rules pve generated and I added myself are in there `iptables -L`.
Now the iptables.service is not running anymore but the ebtables.service. Unfortunately the rules are empty and no connections are dropped anymore.

If I add new rules in the WebUI the change is reflected in /etc/pve/nodes/<hostname>/host.fw, but not in ebtables nor iptables.

Another side effect, I recognized is that NAT containers are not working anymore, is this intended?
I would be ok with a change to ebtables, if the rules I specified in pve would still work, how can I fix this?

Thanks
Conrad

 

[arteta]

same problem here.

I was importing rules with this command:
ebtables-restore < /root/scripts/ebtables.txt

Now, after a few seconds, my rules disappears. No more filtering between my CTs

 

[wbumiller]

@conrad784, ebtables runs in addition to iptables, if your iptables are empty there must be some other issue, you should check your rules and logs.
@arteta, that's a different issue, you already had ebtables rules which now get replaced - please open a feature request on our bugzilla

 

[arteta]

But how else can I integrate my rules? by gui ?

 

[apavlidis]

Hello there @arteta , did you find any solution about persistence for your ebtables rules?
Cheers!

 

[Rhinox]

One more reason to switch finally to single common nftables, instead of {ip,ip6,arp,eb}tables.