FS#74552 - iptables-nft not compatible with virt-manager (libvirt)

Attached to Project: Arch Linux
Opened by gudvinr (gudvinr) - Monday, 25 April 2022, 00:06 GMT
Last edited by Toolybird (Toolybird) - Tuesday, 18 October 2022, 05:09 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To freswa (frederik)
Architecture x86_64
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No



iptables-nft shipped with Arch Linux does not fully replace iptables.
This leads to virt-manager/libvirt not being able to use its network capabilities.

Additional info:
core/iptables-nft 1:1.8.7-1
community/virt-manager 4.0.0-1

XML of default network configuration:
<forward mode="nat"/>
<bridge name="virbr0" stp="on" delay="0"/>
<mac address="52:54:00:9e:34:24"/>
<ip address="" netmask="">
  <dhcp>
    <range start="" end=""/>
  </dhcp>
</ip>

According to this libvirt issue, both iptables and iptables-nft should work just fine in Fedora:

This makes me think there's something wrong with iptables-nft in archlinux.

Steps to reproduce:
Try creating a virtual machine (QEMU/KVM) with the default network (NAT).

Get an error:

Could not start virtual network 'default': internal error: Failed to apply firewall rules /usr/bin/iptables -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/device/", line 208, in _check_network_is_running
  File "/usr/share/virt-manager/virtManager/object/", line 57, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/object/", line 69, in start
  File "/usr/lib/python3.10/site-packages/", line 3474, in create
    raise libvirtError('virNetworkCreate() failed')
libvirt.libvirtError: internal error: Failed to apply firewall rules /usr/bin/iptables -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.

Closed by  Toolybird (Toolybird)
Tuesday, 18 October 2022, 05:09 GMT
Reason for closing:  Works for me
Comment by freswa (frederik) - Monday, 25 April 2022, 15:45 GMT
After a short investigation I found similar issues in other projects. Would you mind creating an issue upstream?
We package the latest iptables-nft, so there is not much I can do on the packaging side.
Comment by Jonas Witschel (diabonas) - Monday, 25 April 2022, 16:25 GMT
Do you use nftables directly in parallel to iptables-nft? What is the output of "nft list ruleset"?
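The check behind that question, as an added example that is not part of this report or of Arch's packaging: the usual cause of "table `filter' is incompatible" is an nftables table named like one iptables-nft manages (here ip filter) that carries a base chain iptables-nft did not create, typically from a hand-written /etc/nftables.conf loaded alongside it. The script below scans "nft list ruleset" text for such chains; the ruleset it runs on is a constructed sample, and the function name is this example's own.

```shell
# Scan "nft list ruleset" output for base chains that iptables-nft did not
# create in the tables it manages (ip/ip6 filter, nat, mangle). iptables-nft
# only creates base chains with the classic upper-case names; a base chain
# under another name, or a builtin name on the wrong hook, makes it reject
# the whole table ("table `filter' is incompatible, use 'nft' tool").
# Usage: nft list ruleset | foreign_base_chains    (exit status 1 if any found)
foreign_base_chains() {
    awk '
    BEGIN { bad = 0
        builtin["filter"] = " INPUT FORWARD OUTPUT "
        builtin["nat"]    = " PREROUTING INPUT OUTPUT POSTROUTING "
        builtin["mangle"] = " PREROUTING INPUT FORWARD OUTPUT POSTROUTING "
    }
    $1 == "table" { fam = $2; tbl = $3; chain = "" }
    $1 == "chain" { chain = $2 }
    # a "type ... hook ..." line only appears inside base chains; regular
    # chains (e.g. the LIBVIRT_* chains libvirt adds) never reach this block
    $1 == "type" && $3 == "hook" && chain != "" && (fam == "ip" || fam == "ip6") && (tbl in builtin) {
        if (index(builtin[tbl], " " chain " ") == 0)
            msg = "base chain not created by iptables-nft (hook " $4 ")"
        else if (tolower(chain) != $4)
            msg = "builtin chain on unexpected hook " $4
        else next
        printf "%s %s %s: %s\n", fam, tbl, chain, msg; bad = 1
    }
    END { exit bad }'
}

# Constructed sample in the shape of "nft list ruleset" output: a hand-written
# nftables "ip filter" table next to the chains iptables-nft and libvirt create.
SAMPLE_RULESET='table ip filter {
    chain input {
        type filter hook input priority filter; policy drop;
    }
    chain INPUT {
        type filter hook input priority filter; policy accept;
    }
    chain LIBVIRT_INP {
        iifname "virbr0" udp dport 53 counter accept
    }
}
table inet firewall {
    chain input {
        type filter hook input priority 0; policy accept;
    }
}'
if printf '%s\n' "$SAMPLE_RULESET" | foreign_base_chains; then
    echo "no conflicting base chains found"
fi
```

On the sample only "ip filter input" is reported: the inet table is outside what iptables-nft looks at, and LIBVIRT_INP has no hook, so it is an ordinary user chain.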
Comment by Toolybird (Toolybird) - Tuesday, 18 October 2022, 05:09 GMT
Cannot repro. I have a NAT network for libvirt (XML exactly as above but different MAC address) and also iptables-nft installed as per the wiki [1]. All works fine.