"ebtables-nft" MAC rule deletion failing

"ebtables-nft" is failing to delete the rule filtering by MAC address: Bridge chain: neutronMAC-test-veth024379, entries: 2, policy: DROP -i test-veth024379 --among-src fa:16:3e:47:87:0 -j RETURN -j DROP A workaround for this issue, that works with both "ebtables-nft" and "ebtables-legacy", is to flush the table and recreate the DROP rule. The MAC spoofing tables have two rules: the one filtering by MAC address and the default DROP rule. This workaround has the same effect as just deleting the filtering rule. Closes-Bug: #2038541 Change-Id: I38bd016c35d7a76d88c6eceec797d1cea84c45d1
2023-10-16 00:09:50 +00:00 · 2023-10-16 00:09:50 +00:00 · 1879d92533
commit 1879d92533
parent 55c20cdf1a
1 changed files with 3 additions and 1 deletions
--- a/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py
+++ b/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py
@ -201,7 +201,9 @@ def _delete_vif_mac_rules(vif, current_rules):
    chain = _mac_chain_name(vif)
    for rule in current_rules:
        if '-i %s' % vif in rule and '--among-src' in rule:
-            ebtables(['-D', chain] + rule.split())
+            # Flush the table and recreate the default DROP rule.
+            ebtables(['-F', chain])
+            ebtables(['-A', chain, '-j', 'DROP'])


 def _delete_mac_spoofing_protection(vifs, current_rules, table, chain):