[Pkg-libvirt-maintainers] Bug#994127: libvirt-daemon: Error creating virtual network - iptables (nf_tables) table `nat' is incompatible, use 'nft'
Laurent Baillet
laurent.baillet at gmail.com
Wed Nov 10 07:55:45 GMT 2021
Hello
I was faced with the same problem after a Buster to Bullseye upgrade. The
same commands as yours returned the same results.
After a week of unsuccessful attempts, I have been able to get my VM back
and apparently without regression by removing
- all my *qemu* *libvirt* *iptables* *nftables* named packages
- my DHCP client packages
- my orphaned packages (several runs)
After that, I reinstalled them, nftables after all the other ones.
If it can help someone...
Regards
On Tue, Oct 12, 2021 at 12:03 AM James Youngman <james at youngman.org> wrote:
> Package: libvirt-daemon
> Version: 7.0.0-3
> Followup-For: Bug #994127
>
> I also find (after upgrade from buster to bullseye) that my default
> network will no longer start:
>
> jupiter:~$ sudo virsh net-list --all
>  Name       State      Autostart   Persistent
> -----------------------------------------------
>  default    inactive   yes         yes
>  ipv6-net   inactive   yes         yes
>
> jupiter:~$ sudo virsh net-info default
> Name: default
> UUID: b5472d74-d362-4d85-900c-14959e3dfd35
> Active: no
> Persistent: yes
> Autostart: yes
> Bridge: virbr0
>
> jupiter:~$ sudo virsh net-start default
> error: Failed to start network default
> error: internal error: Failed to apply firewall rules /usr/sbin/iptables
> -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter'
> is incompatible, use 'nft' tool.
>
>
> jupiter:~$ dpkg -l nftables iptables
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name           Version      Architecture Description
> +++-==============-============-============-==============================================================
> ii  iptables       1.8.7-1      amd64        administration tools for packet filtering and NAT
> ii  nftables       0.9.8-3.1    amd64        Program to control packet filtering rules by Netfilter project
> jupiter:~$ readlink -f /usr/sbin/iptables
> /usr/sbin/xtables-nft-multi
> jupiter:~$ update-alternatives --display iptables
> iptables - auto mode
> link best version is /usr/sbin/iptables-nft
> link currently points to /usr/sbin/iptables-nft
> link iptables is /usr/sbin/iptables
> slave iptables-restore is /usr/sbin/iptables-restore
> slave iptables-save is /usr/sbin/iptables-save
> /usr/sbin/iptables-legacy - priority 10
> slave iptables-restore: /usr/sbin/iptables-legacy-restore
> slave iptables-save: /usr/sbin/iptables-legacy-save
> /usr/sbin/iptables-nft - priority 20
> slave iptables-restore: /usr/sbin/iptables-nft-restore
> slave iptables-save: /usr/sbin/iptables-nft-save
> jupiter:~$ ls -l /usr/sbin/iptables /etc/alternatives/iptables /usr/sbin/iptables-nft /usr/sbin/xtables-nft-multi
> lrwxrwxrwx 1 root root 22 Jul 10 2019 /etc/alternatives/iptables -> /usr/sbin/iptables-nft
> lrwxrwxrwx 1 root root 26 Jul 10 2019 /usr/sbin/iptables -> /etc/alternatives/iptables
> lrwxrwxrwx 1 root root 17 Jan 17 2021 /usr/sbin/iptables-nft -> xtables-nft-multi
> -rwxr-xr-x 1 root root 220232 Jan 17 2021 /usr/sbin/xtables-nft-multi
>
> It appears that moving the alternative doesn't fix the problem. A
> bit confusingly, the command shown, if I run it manually, appears to
> work:
>
> jupiter:~$ sudo virsh net-start default
> error: Failed to start network default
> error: internal error: Failed to apply firewall rules /usr/sbin/iptables
> -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter'
> is incompatible, use 'nft' tool.
>
>
>
> jupiter:~$ sudo /usr/sbin/iptables -w --table filter --list-rules
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> jupiter:~$ echo $?
> 0
>
> Though of course, that doesn't get my VMs booted. None of my guest
> VMs can start. This is a significant problem for me.
>
> -- System Information:
> Debian Release: 11.1
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
> 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 5.10.0-9-amd64 (SMP w/12 CPU threads)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN,
> TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_IE:en
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages libvirt-daemon depends on:
> ii libblkid1 2.36.1-8
> ii libc6 2.31-13+deb11u2
> ii libdevmapper1.02.1 2:1.02.175-2.1
> ii libgcc-s1 10.2.1-6
> ii libglib2.0-0 2.66.8-1
> ii libnetcf1 1:0.2.8-1.1
> ii libparted2 3.4-1
> ii libpcap0.8 1.10.0-2
> ii libpciaccess0 0.16-1
> ii libselinux1 3.1-3
> ii libudev1 247.3-6
> ii libvirt-daemon-driver-qemu 7.0.0-3
> ii libvirt0 7.0.0-3
> ii libxml2 2.9.10+dfsg-6.7
>
> Versions of packages libvirt-daemon recommends:
> ii libvirt-daemon-driver-lxc 7.0.0-3
> ii libvirt-daemon-driver-vbox 7.0.0-3
> ii libvirt-daemon-driver-xen 7.0.0-3
> ii libxml2-utils 2.9.10+dfsg-6.7
> ii netcat-openbsd 1.217-3
> ii qemu-system-x86 [qemu-kvm] 1:5.2+dfsg-11+deb11u1
>
> Versions of packages libvirt-daemon suggests:
> pn libvirt-daemon-driver-storage-gluster <none>
> pn libvirt-daemon-driver-storage-iscsi-direct <none>
> pn libvirt-daemon-driver-storage-rbd <none>
> pn libvirt-daemon-driver-storage-zfs <none>
> ii libvirt-daemon-system 7.0.0-3
> pn numad <none>
>
> -- no debconf information
>
>
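
Added example, not part of the original messages or of libvirt: a small shell check that compares the backend selected by `update-alternatives --display iptables` with the backend named in the banner of the failing command, using the output quoted in the report as constructed sample input. The function names are hypothetical; the `(legacy)` banner is what the iptables-legacy variant prints in the same position.

```shell
#!/bin/sh
# Constructed sample: `update-alternatives --display iptables` output,
# taken from the report quoted above (slave lines omitted).
SAMPLE_ALTERNATIVES='iptables - auto mode
  link best version is /usr/sbin/iptables-nft
  link currently points to /usr/sbin/iptables-nft
  link iptables is /usr/sbin/iptables
/usr/sbin/iptables-legacy - priority 10
/usr/sbin/iptables-nft - priority 20'

# Constructed sample: the iptables error from the report, joined onto one line.
SAMPLE_ERROR="iptables v1.8.7 (nf_tables): table \`filter' is incompatible, use 'nft' tool."

# Print nft, legacy or unknown for the target the alternative points to.
alt_backend() {
    printf '%s\n' "$1" | awk '
        /link currently points to/ { target = $NF }
        END {
            if (target ~ /iptables-nft$/) print "nft"
            else if (target ~ /iptables-legacy$/) print "legacy"
            else print "unknown"
        }'
}

# Print nft, legacy or unknown from an iptables version or error banner.
banner_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Return 0 only when both sources name the same known backend.
same_backend() {
    a=$(alt_backend "$1"); b=$(banner_backend "$2")
    [ "$a" != unknown ] && [ "$a" = "$b" ]
}

if same_backend "$SAMPLE_ALTERNATIVES" "$SAMPLE_ERROR"; then
    echo "alternative and failing command agree: $(alt_backend "$SAMPLE_ALTERNATIVES")"
else
    echo "mismatch: failing command did not use the selected alternative"
fi
```

On a live system, pass `"$(update-alternatives --display iptables)"` and `"$(iptables -V)"` in place of the two samples.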