Containers not starting, ebtables error after switch to core20

All of a sudden today my LXD containers are not starting. When I try to start one, I get an error like this:

Error: Failed preparing container for start: Failed to start device "eth0": Failed to run: ebtables --concurrent -t filter -A INPUT -s ! 00:16:3e:eb:8e:62 -i vethd5bcd873 -j DROP: ERROR: No valid subcommand given.
Valid subcommands:
* iptables
* main4
* iptables-save
* save4
* iptables-restore
* restore4
* iptables-legacy
* iptables-legacy-save
* iptables-legacy-restore
* iptables-xml
* xml
* ip6tables
* main6
* ip6tables-save
* save6
* ip6tables-restore
* restore6
* ip6tables-legacy
* ip6tables-legacy-save
* ip6tables-legacy-restore
Try `lxc info --show-log nginx` for more info

The log is empty. Running on Ubuntu 20.04.2 with the latest LXD snap.

Any ideas? Thanks

Edit: the LXD snap version is 4.15. I notice that seemed to have been rolled out only yesterday. Maybe that is the issue? Can I roll back?

This is likely an issue with the recent switch to the core20 snap, as we’ve seen similar issues.

@stgraber is aware.

If you temporarily disable security.* settings on the container you should be able to start it.

OK I will try. I think from memory I only have the delete protection set. Thanks for the quick response.

Looks like security.mac_filtering is the problem

Got it. I do have that set on the eth0 device

Thanks @tomp, that solved it

Excellent.

A tentative fix for the snap package is building now

Cool. And yes I know it is time to move to nftables :grinning:. I’ve actually prepared a translation of my rules but I’m just trying to figure out how I translate those rules in iptables that were relying on the br_netfilter module to filter traffic on my Linux bridge, to just using the nftables bridge family and not relying on the module. Off topic, but my struggles are documented here.