[Pkg-libvirt-maintainers] Bug#994127: libvirt-daemon: Error creating virtual network - iptables (nf_tables) table `nat' is incompatible, use 'nft'

James Youngman james at youngman.org
Mon Oct 11 22:54:50 BST 2021


Package: libvirt-daemon
Version: 7.0.0-3
Followup-For: Bug #994127

I also find (after upgrade from buster to bullseye) that my default
network will no longer start:

jupiter:~$ sudo virsh net-list --all
 Name       State      Autostart   Persistent
-----------------------------------------------
 default    inactive   yes         yes
 ipv6-net   inactive   yes         yes

jupiter:~$ sudo virsh net-info default
Name:           default
UUID:           b5472d74-d362-4d85-900c-14959e3dfd35
Active:         no
Persistent:     yes
Autostart:      yes
Bridge:         virbr0

jupiter:~$ sudo virsh net-start default
error: Failed to start network default
error: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.


jupiter:~$ dpkg -l nftables iptables
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-==============================================================
ii  iptables       1.8.7-1      amd64        administration tools for packet filtering and NAT
ii  nftables       0.9.8-3.1    amd64        Program to control packet filtering rules by Netfilter project
jupiter:~$ readlink -f /usr/sbin/iptables
/usr/sbin/xtables-nft-multi
jupiter:~$  update-alternatives --display iptables
iptables - auto mode
  link best version is /usr/sbin/iptables-nft
  link currently points to /usr/sbin/iptables-nft
  link iptables is /usr/sbin/iptables
  slave iptables-restore is /usr/sbin/iptables-restore
  slave iptables-save is /usr/sbin/iptables-save
/usr/sbin/iptables-legacy - priority 10
  slave iptables-restore: /usr/sbin/iptables-legacy-restore
  slave iptables-save: /usr/sbin/iptables-legacy-save
/usr/sbin/iptables-nft - priority 20
  slave iptables-restore: /usr/sbin/iptables-nft-restore
  slave iptables-save: /usr/sbin/iptables-nft-save
jupiter:~$ ls -l /usr/sbin/iptables   /etc/alternatives/iptables /usr/sbin/iptables-nft /usr/sbin/xtables-nft-multi
lrwxrwxrwx 1 root root     22 Jul 10  2019 /etc/alternatives/iptables -> /usr/sbin/iptables-nft
lrwxrwxrwx 1 root root     26 Jul 10  2019 /usr/sbin/iptables -> /etc/alternatives/iptables
lrwxrwxrwx 1 root root     17 Jan 17  2021 /usr/sbin/iptables-nft -> xtables-nft-multi
-rwxr-xr-x 1 root root 220232 Jan 17  2021 /usr/sbin/xtables-nft-multi

It appears that moving the alternative doesn't fix the problem.  A
bit confusingly, the command shown, if I run it manually, appears to
work:

jupiter:~$ sudo virsh net-start default
error: Failed to start network default
error: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.



jupiter:~$ sudo /usr/sbin/iptables -w --table filter --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
jupiter:~$ echo $?
0

Though of course, that doesn't get my VMs booted.  None of my guest
VMs can start.  This is a significant problem for me.

-- System Information:
Debian Release: 11.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-9-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvirt-daemon depends on:
ii  libblkid1                   2.36.1-8
ii  libc6                       2.31-13+deb11u2
ii  libdevmapper1.02.1          2:1.02.175-2.1
ii  libgcc-s1                   10.2.1-6
ii  libglib2.0-0                2.66.8-1
ii  libnetcf1                   1:0.2.8-1.1
ii  libparted2                  3.4-1
ii  libpcap0.8                  1.10.0-2
ii  libpciaccess0               0.16-1
ii  libselinux1                 3.1-3
ii  libudev1                    247.3-6
ii  libvirt-daemon-driver-qemu  7.0.0-3
ii  libvirt0                    7.0.0-3
ii  libxml2                     2.9.10+dfsg-6.7

Versions of packages libvirt-daemon recommends:
ii  libvirt-daemon-driver-lxc   7.0.0-3
ii  libvirt-daemon-driver-vbox  7.0.0-3
ii  libvirt-daemon-driver-xen   7.0.0-3
ii  libxml2-utils               2.9.10+dfsg-6.7
ii  netcat-openbsd              1.217-3
ii  qemu-system-x86 [qemu-kvm]  1:5.2+dfsg-11+deb11u1

Versions of packages libvirt-daemon suggests:
pn  libvirt-daemon-driver-storage-gluster       <none>
pn  libvirt-daemon-driver-storage-iscsi-direct  <none>
pn  libvirt-daemon-driver-storage-rbd           <none>
pn  libvirt-daemon-driver-storage-zfs           <none>
ii  libvirt-daemon-system                       7.0.0-3
pn  numad                                       <none>

-- no debconf information


