Bug#994127: libvirt-daemon: Error creating virtual network - iptables (nf_tables) table `nat' is incompatible, use 'nft'

Benedikt Tuchen

Sep 12, 2021, 7:50:04 AM
Package: libvirt-daemon
Version: 7.0.0-3
Severity: graves

Dear Maintainer,

while trying to create a new virtual network on a fresh Debian 11 install I get
the following error:

----
Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 65, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/createnet.py", line 428, in _async_net_create
    netobj.create()
  File "/usr/lib/python3/dist-packages/libvirt.py", line 3436, in create
    raise libvirtError('virNetworkCreate() failed')
libvirt.libvirtError: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table nat --list-rules: iptables v1.8.7 (nf_tables): table `nat' is incompatible, use 'nft' tool.
----

I've installed the following packages:
qemu-kvm qemu-system-x86 qemu-utils libvirt-daemon-system virt-manager virt-viewer

/usr/sbin/iptables is set in automode to /usr/sbin/iptables-nft via update-alternatives.

I've tried to create virtual network with virt-manager.

When trying to set the rule on commandline it fails with the same error.

If you need more information feel free to ask.

Regards,
Benedikt

-- System Information:
Debian Release: 11.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvirt-daemon depends on:
ii libblkid1 2.36.1-8
ii libc6 2.31-13
ii libdevmapper1.02.1 2:1.02.175-2.1
ii libgcc-s1 10.2.1-6
ii libglib2.0-0 2.66.8-1
ii libnetcf1 1:0.2.8-1.1
ii libparted2 3.4-1
ii libpcap0.8 1.10.0-2
ii libpciaccess0 0.16-1
ii libselinux1 3.1-3
ii libudev1 247.3-6
ii libvirt-daemon-driver-qemu 7.0.0-3
ii libvirt0 7.0.0-3
ii libxml2 2.9.10+dfsg-6.7

Versions of packages libvirt-daemon recommends:
ii libvirt-daemon-driver-lxc 7.0.0-3
ii libvirt-daemon-driver-vbox 7.0.0-3
ii libvirt-daemon-driver-xen 7.0.0-3
ii libxml2-utils 2.9.10+dfsg-6.7
ii netcat-openbsd 1.217-3
ii qemu-system-x86 [qemu-kvm] 1:5.2+dfsg-11

Versions of packages libvirt-daemon suggests:
pn libvirt-daemon-driver-storage-gluster <none>
pn libvirt-daemon-driver-storage-iscsi-direct <none>
pn libvirt-daemon-driver-storage-rbd <none>
pn libvirt-daemon-driver-storage-zfs <none>
ii libvirt-daemon-system 7.0.0-3
pn numad <none>

-- no debconf information

Guido Günther

Sep 13, 2021, 2:40:03 AM
Hi,
On Sun, Sep 12, 2021 at 01:40:58PM +0200, Benedikt Tuchen wrote:
> Package: libvirt-daemon
> Version: 7.0.0-3
> Severity: graves
>
> Dear Maintainer,
>
> while trying to create a new virtual network on a fresh Debian 11 install I get
> the following error:
>
> ----
> Traceback (most recent call last):
>   File "/usr/share/virt-manager/virtManager/asyncjob.py", line 65, in cb_wrapper
>     callback(asyncjob, *args, **kwargs)
>   File "/usr/share/virt-manager/virtManager/createnet.py", line 428, in _async_net_create
>     netobj.create()
>   File "/usr/lib/python3/dist-packages/libvirt.py", line 3436, in create
>     raise libvirtError('virNetworkCreate() failed')
> libvirt.libvirtError: internal error: Failed to apply firewall rules
> /usr/sbin/iptables -w --table nat --list-rules: iptables v1.8.7
> (nf_tables): table `nat' is incompatible, use 'nft' tool.

Do you have nftables installed?
-- Guido

Benedikt Tuchen

Sep 13, 2021, 3:10:03 AM
Hello Guido,

On Mon, Sep 13, 2021 at 08:32:57AM +0200, Guido Günther wrote:
> Do you have nftables installed?
> -- Guido
>

Yes, I do have nftables installed and I also enabled the systemd
service.

I've also tested nftables with a configuration and it worked without
a problem.

FYI: With the same setup it worked on Debian Buster.

Regards,
Benedikt

James Youngman

Oct 11, 2021, 6:10:04 PM
Package: libvirt-daemon
Version: 7.0.0-3
Followup-For: Bug #994127

I also find (after upgrade from buster to bullseye) that my default
network will no longer start:

jupiter:~$ sudo virsh net-list --all
Name State Autostart Persistent
-----------------------------------------------
default inactive yes yes
ipv6-net inactive yes yes

jupiter:~$ sudo virsh net-info default
Name: default
UUID: b5472d74-d362-4d85-900c-14959e3dfd35
Active: no
Persistent: yes
Autostart: yes
Bridge: virbr0

jupiter:~$ sudo virsh net-start default
error: Failed to start network default
error: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.


jupiter:~$ dpkg -l nftables iptables
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-==============================================================
ii iptables 1.8.7-1 amd64 administration tools for packet filtering and NAT
ii nftables 0.9.8-3.1 amd64 Program to control packet filtering rules by Netfilter project
jupiter:~$ readlink -f /usr/sbin/iptables
/usr/sbin/xtables-nft-multi
jupiter:~$ update-alternatives --display iptables
iptables - auto mode
link best version is /usr/sbin/iptables-nft
link currently points to /usr/sbin/iptables-nft
link iptables is /usr/sbin/iptables
slave iptables-restore is /usr/sbin/iptables-restore
slave iptables-save is /usr/sbin/iptables-save
/usr/sbin/iptables-legacy - priority 10
slave iptables-restore: /usr/sbin/iptables-legacy-restore
slave iptables-save: /usr/sbin/iptables-legacy-save
/usr/sbin/iptables-nft - priority 20
slave iptables-restore: /usr/sbin/iptables-nft-restore
slave iptables-save: /usr/sbin/iptables-nft-save
jupiter:~$ ls -l /usr/sbin/iptables /etc/alternatives/iptables /usr/sbin/iptables-nft /usr/sbin/xtables-nft-multi
lrwxrwxrwx 1 root root 22 Jul 10 2019 /etc/alternatives/iptables -> /usr/sbin/iptables-nft
lrwxrwxrwx 1 root root 26 Jul 10 2019 /usr/sbin/iptables -> /etc/alternatives/iptables
lrwxrwxrwx 1 root root 17 Jan 17 2021 /usr/sbin/iptables-nft -> xtables-nft-multi
-rwxr-xr-x 1 root root 220232 Jan 17 2021 /usr/sbin/xtables-nft-multi

It appears that moving the alternative doesn't fix the problem. A
bit confusingly, the command shown, if I run it manually, appears to
work:

jupiter:~$ sudo virsh net-start default
error: Failed to start network default
error: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.



jupiter:~$ sudo /usr/sbin/iptables -w --table filter --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
jupiter:~$ echo $?
0

Though of course, that doesn't get my VMs booted. None of my guest
VMs can start. This is a significant problem for me.

-- System Information:
Debian Release: 11.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-9-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvirt-daemon depends on:
ii libblkid1 2.36.1-8
ii libc6 2.31-13+deb11u2
ii libdevmapper1.02.1 2:1.02.175-2.1
ii libgcc-s1 10.2.1-6
ii libglib2.0-0 2.66.8-1
ii libnetcf1 1:0.2.8-1.1
ii libparted2 3.4-1
ii libpcap0.8 1.10.0-2
ii libpciaccess0 0.16-1
ii libselinux1 3.1-3
ii libudev1 247.3-6
ii libvirt-daemon-driver-qemu 7.0.0-3
ii libvirt0 7.0.0-3
ii libxml2 2.9.10+dfsg-6.7

Versions of packages libvirt-daemon recommends:
ii libvirt-daemon-driver-lxc 7.0.0-3
ii libvirt-daemon-driver-vbox 7.0.0-3
ii libvirt-daemon-driver-xen 7.0.0-3
ii libxml2-utils 2.9.10+dfsg-6.7
ii netcat-openbsd 1.217-3
ii qemu-system-x86 [qemu-kvm] 1:5.2+dfsg-11+deb11u1

Laurent Baillet

Nov 10, 2021, 3:00:03 AM
Hello

I was faced with the same problem after a Buster to Bullseye upgrade. The same commands as yours returned the same results.

After a week of unsuccessful attempts, I have been able to get my VM back and apparently without regression by removing 
  • all my *qemu* *libvirt* *iptables* *nftables* named packages
  • my DHCP client packages
  • my orphaned packages (several runs)
After that, I reinstalled them, nftables after all the other ones. 

If it can help someone...

Regards

Tim Small

Jul 28, 2022, 3:40:03 AM
The following fix worked for me:

apt-get remove --purge `deborphan`

dpkg -l '*virt*' | grep ^ii | awk '{ print $2 }' | xargs dpkg-reconfigure

It's possible that just the final line on its own would have worked (and
probably a subset of those packages too), but I didn't try that.

Tim.