It seems that the ARP filtering with ebtables introduced a bug:
https://bugzilla.proxmox.com/show_bug.cgi?id=2193

After some digging, it turned out that the problem is that ebtables masks the 
provided arp-ip-src address.
So while the provided rule looks like this:
-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.1/24 -j RETURN
the output of ebtables-save looks like this:
-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.0/24 -j RETURN
note the change from 1 to 0 for the IP address.

This leads to different hashes and therefore the firewall service spams the log 
with errors, because of seemingly not applied rules.

@Alexandre: Is the assumption correct that you simply want to allow only 
the one source ip, here 10.0.0.1?
If so we should change the corresponding rule to one without a CIDR suffix, e.g.
-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.1 -j RETURN
in which case ebtables does not mangle the rule and the hash should be 
equal.
Also, note that the $pve_ebtables_chainname_regex must probably be updated to 
include the -ARP suffix.
If you want I can provide a patch for this, if your intention was different 
please let us know.

---

Best regards,
Christian Ebner
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
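As an added example (not part of the mail or of the pve-firewall code), the masking behaviour described above modelled in Python: ebtables clears the host bits under the CIDR mask when it saves a rule, so hashing the generated rule and the saved rule gives different values unless both sides are normalised the same way first. The rule strings are the ones quoted in the mail; the hashing scheme (sha256 over the rule text) is an assumption standing in for whatever the firewall service uses.

```python
import hashlib
import ipaddress
import re

# Constructed from the mail: the rule as generated, the rule as ebtables-save
# reports it back, and the host-only variant proposed as the fix.
WANTED_RULE = "-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.1/24 -j RETURN"
SAVED_RULE = "-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.0/24 -j RETURN"
HOST_ONLY_RULE = "-A veth100i0-OUT-ARP -p ARP --arp-ip-src 10.0.0.1 -j RETURN"

_ARP_IP_OPT = re.compile(r"(--arp-ip-(?:src|dst)\s+)(\S+)")


def normalize_ebtables_rule(rule: str) -> str:
    """Rewrite --arp-ip-src/--arp-ip-dst values the way ebtables-save prints
    them: host bits under the CIDR mask are cleared (10.0.0.1/24 becomes
    10.0.0.0/24). A bare address without a prefix is left untouched, which is
    the behaviour the mail observes for the host-only form (assumption)."""

    def fix(m: re.Match) -> str:
        value = m.group(2)
        if "/" not in value:
            return m.group(0)
        net = ipaddress.ip_network(value, strict=False)  # strict=False clears host bits
        return f"{m.group(1)}{net.with_prefixlen}"

    return _ARP_IP_OPT.sub(fix, rule)


def rule_hash(rule: str) -> str:
    """Hypothetical rule hash: sha256 over the textual rule."""
    return hashlib.sha256(rule.encode()).hexdigest()


def rules_match(wanted: str, saved: str) -> bool:
    """Compare the rule we intend to load with what ebtables-save reports,
    applying the same masking to both sides before hashing."""
    return rule_hash(normalize_ebtables_rule(wanted)) == rule_hash(
        normalize_ebtables_rule(saved)
    )


if __name__ == "__main__":
    print("raw hashes equal:       ", rule_hash(WANTED_RULE) == rule_hash(SAVED_RULE))
    print("normalised hashes equal:", rules_match(WANTED_RULE, SAVED_RULE))
    print("host-only rule unchanged:", normalize_ebtables_rule(HOST_ONLY_RULE) == HOST_ONLY_RULE)
```

Either normalising before hashing or emitting the rule without a CIDR suffix (as proposed in the mail) makes the comparison stable; the former also covers any other masked option ebtables rewrites on save.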
