
ebtables rules limit

Posted: 2018/10/25 06:55:43
by mgnhost
Hello,

How do I increase the number of rules supported by ebtables?
Now, with more than 500 rules, it fails.

Re: ebtables rules limit

Posted: 2018/10/25 09:29:52
by TrevorH
Does it give any error messages?

Re: ebtables rules limit

Posted: 2018/10/25 10:01:38
by mgnhost
In /var/log/libvirt/libvirtd.log:

2018-10-23 12:20:04.655+0000: 2910: error : virCommandWait:2319 : internal error Child process (/bin/sh -c 'EBT="/sbin/ebtables"
cmd='\''$EBT -t nat -F J-vnet47-mac'\''
eval res=\$\("${cmd} 2>&1"\)
cmd='\''$EBT -t nat -X J-vnet47-mac'\''
eval res=\$\("${cmd} 2>&1"\)
cmd='\''$EBT -t nat -N J-vnet47-mac'\''
eval res=\$\("${cmd} 2>&1"\)
if [ $? -ne 0 ]; then echo "Failure to execute command '\''${cmd}'\'' : '\''${res}'\''."; exit 1;fi
cmd='\''$EBT -t nat -A libvirt-J-vnet47 -j J-vnet47-mac'\''
eval res=\$\("${cmd} 2>&1"\)
if [ $? -ne 0 ]; then echo "Failure to execute command '\''${cmd}'\'' : '\''${res}'\''."; exit 1;fi

if [ $? -ne 0 ]; then echo "Failure to execute command '\''${cmd}'\'' : '\''${res}'\''."; exit 1;fi
cmd='\''$EBT -t nat -F J-vnet47-ipv4-ip'\''
eval res=\$\("${cmd} 2>&1"\)
cmd='\''$EBT -t nat -X J-vnet47-ipv4-ip'\''
eval res=\$\("${cmd} 2>&1"\)
cmd='\''$EBT -t nat -N J-vnet47-ipv4-ip'\''
eval res=\$\("${cmd} 2>&1"\)
if [ $? -ne 0 ]; then echo "Failure to execute command '\''${cmd}'\'' : '\''${res}'\''."; exit 1;fi
cmd='\''$EBT -t nat -A libvirt-J-vnet47 -p 0x080
2018-10-23 12:20:04.770+0000: 2910: error : ebiptablesApplyNewRules:3935 : Error while building firewall: Some rules could not be created for interface vnet47:
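The excerpt above has the usual libvirtd.log shape ("timestamp: pid: level : function:line : message"), with the nwfilter build failure reported by ebiptablesApplyNewRules naming the affected vnet interface. The parser below is an added example, not code from the thread or from libvirt; it pulls out those failures and counts them per interface so a host with many VMs shows which vnets never got their filter applied. The sample lines are constructed from the excerpt, and the vnet52 entry and the info line are made up for illustration.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the libvirtd.log excerpt quoted in the
# thread (not a real capture). libvirt's nwfilter driver logs a failed rule
# build as "ebiptablesApplyNewRules ... could not be created for interface vnetNN".
SAMPLE_LOG = """\
2018-10-23 12:20:04.655+0000: 2910: error : virCommandWait:2319 : internal error Child process (/bin/sh -c 'EBT="/sbin/ebtables"
2018-10-23 12:20:04.770+0000: 2910: error : ebiptablesApplyNewRules:3935 : Error while building firewall: Some rules could not be created for interface vnet47:
2018-10-23 12:21:10.120+0000: 2910: info : libvirt version: 4.5.0
2018-10-23 12:21:11.300+0000: 2910: error : ebiptablesApplyNewRules:3935 : Error while building firewall: Some rules could not be created for interface vnet52:
2018-10-23 12:25:31.001+0000: 2910: error : ebiptablesApplyNewRules:3935 : Error while building firewall: Some rules could not be created for interface vnet47:
"""

# Shape of a libvirtd.log line: "<timestamp>: <pid>: <level> : [<func>:<line> : ]<message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}): "
    r"(?P<pid>\d+): (?P<level>\w+) : (?:(?P<func>\w+):(?P<lineno>\d+) : )?(?P<msg>.*)$"
)
IFACE_RE = re.compile(r"could not be created for interface (?P<iface>[\w.-]+)")


def parse_line(line):
    """Split one libvirtd.log line into its fields; None if it is a continuation line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def firewall_build_failures(text):
    """Return (timestamp, interface) pairs for every nwfilter build failure in the log."""
    failures = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["level"] != "error" or rec["func"] != "ebiptablesApplyNewRules":
            continue
        m = IFACE_RE.search(rec["msg"])
        if m:
            failures.append((rec["ts"], m.group("iface")))
    return failures


def failures_per_interface(text):
    """Count failures per vnet; a repeatedly failing vnet is a VM left without its filter."""
    return Counter(iface for _, iface in firewall_build_failures(text))


if __name__ == "__main__":
    for iface, n in failures_per_interface(SAMPLE_LOG).most_common():
        print(f"{iface}: {n} failed nwfilter build(s)")
```

Point it at /var/log/libvirt/libvirtd.log to see which interfaces were hit once the rule count grows; a vnet that keeps appearing is a running VM whose traffic filter was never installed.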

Re: ebtables rules limit

Posted: 2018/10/25 10:09:13
by TrevorH
If you try to run /sbin/ebtables -t nat -F J-vnet47-mac manually, does it give any better info? Or is there something logged in /var/log/messages and/or dmesg when this happens?

Re: ebtables rules limit

Posted: 2018/10/30 16:08:32
by mgnhost
TrevorH wrote:
2018/10/25 10:09:13
If you try to run /sbin/ebtables -t nat -F J-vnet47-mac manually, does it give any better info? Or is there something logged in /var/log/messages and/or dmesg when this happens?
Chain 'J-vnet47-mac' doesn't exist

Re: ebtables rules limit

Posted: 2018/10/30 16:35:38
by TrevorH
I'm presuming that that name is dependent on what VMs you have running at the time - vnet47 belongs to a VM with id 47 f.e.

Re: ebtables rules limit

Posted: 2018/10/30 18:13:00
by mgnhost
Yes, this is the VDS virtual interface.

Re: ebtables rules limit

Posted: 2018/10/30 18:22:37
by TrevorH
So I'd guess you need to try to add a rule for a VM that's actually running at the time.

Re: ebtables rules limit

Posted: 2018/10/30 18:32:40
by mgnhost
With a large number of IPs, the VDS does not start.
See: https://bugs.centos.org/view.php?id=15383