From 73f9a31fa16cd75a6ac3eb17765c8335069156f5 Mon Sep 17 00:00:00 2001
From: Rodolfo Alonso Hernandez
Date: Mon, 16 Oct 2023 00:09:50 +0000
Subject: [PATCH] "ebtables-nft" MAC rule deletion failing
"ebtables-nft" is failing to delete the rule filtering by MAC address:
Bridge chain: neutronMAC-test-veth024379, entries: 2, policy: DROP -i test-veth024379 --among-src fa:16:3e:47:87:0 -j RETURN -j DROP
A workaround for this issue, that works with both "ebtables-nft" and "ebtables-legacy", is to flush the table and recreate the DROP rule. The MAC spoofing tables have two rules: the one filtering by MAC address and the default DROP rule. This workaround has the same effect as just deleting the filtering rule.
Closes-Bug: #2038541
Change-Id: I38bd016c35d7a76d88c6eceec797d1cea84c45d1
(cherry picked from commit 1879d925330af5598a105a8893ab6cfda9dc37e6)
(cherry picked from commit 7dbd06d66e4daebab90e4d334ae43013580e555a)
---
 neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py b/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py
index fede638cb41..0c1b13be195 100644
--- a/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py
+++ b/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py
@@ -201,7 +201,9 @@ def _delete_vif_mac_rules(vif, current_rules):
 chain = _mac_chain_name(vif)
 for rule in current_rules:
 if '-i %s' % vif in rule and '--among-src' in rule:
- ebtables(['-D', chain] + rule.split())
+ # Flush the table and recreate the default DROP rule.
+ ebtables(['-F', chain])
+ ebtables(['-A', chain, '-j', 'DROP'])
 def _delete_mac_spoofing_protection(vifs, current_rules, table, chain):
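Review bot: The added `ebtables(['-F', chain])` inside the `for rule in current_rules:` loop wipes every rule in the chain, not just the matched `--among-src` one, and it runs once per matching rule while still iterating the now-stale `current_rules` list; the correctness of this rests on the assumption stated only in the commit message that the chain holds exactly the MAC filter and the default DROP rule. That assumption belongs in the code, and the loop should stop after the first rebuild: `# Flush the chain (assumed to hold only this MAC filter and the default DROP) and recreate DROP.` followed by the two `ebtables` calls and `break`. The comment also says "table" where `-F chain` flushes a chain; "chain" is the accurate word. The listing in the commit message shows the chain policy as DROP, so the brief window between `-F` and `-A ... DROP` appears to fail closed — worth stating in the comment if that is indeed guaranteed by the chain-creation code, which is outside this hunk. The enclosing `_delete_vif_mac_rules` signature is also outside the hunk.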