Arch Linux

FS#74552 - iptables-nft not compatible with virt-manager (libvirt)

Attached to Project: Arch Linux
Opened by: gudvinr (gudvinr) - Monday, 25 April 2022, 00:06 GMT
Last edited by: David Thurstenson (thurstylark) - Wednesday, 27 April 2022, 20:44 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Unassigned
Assigned To: freswa (frederik)
Architecture: x86_64
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No

Details

Description:

The iptables-nft shipped with Arch Linux does not fully replace iptables,
which leads to virt-manager/libvirt not being able to use its network capabilities.

Additional info:
core/iptables-nft 1:1.8.7-1
community/virt-manager 4.0.0-1

XML of the default network configuration:
<network>
  <name>default</name>
  <uuid>0f702a9c-fb1d-4747-9e56-03497621e660</uuid>
  <forward mode="nat"/>
  <bridge name="virbr0" stp="on" delay="0"/>
  <mac address="52:54:00:9e:34:24"/>
  <ip address="192.168.122.1" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.122.2" end="192.168.122.254"/>
    </dhcp>
  </ip>
</network>

According to this libvirt issue, iptables and iptables-nft should both work just fine in Fedora:
https://www.spinics.net/linux/fedora/libvir/msg212287.html

This makes me think there's something wrong with iptables-nft in archlinux.

Steps to reproduce:
Try creating a virtual machine (QEMU/KVM) with the default network (NAT).

Get an error:

Could not start virtual network 'default': internal error: Failed to apply firewall rules /usr/bin/iptables -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/device/netlist.py", line 208, in _check_network_is_running
    netobj.start()
  File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/object/network.py", line 69, in start
    self._backend.create()
  File "/usr/lib/python3.10/site-packages/libvirt.py", line 3474, in create
    raise libvirtError('virNetworkCreate() failed')
libvirt.libvirtError: internal error: Failed to apply firewall rules /usr/bin/iptables -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.
Comment by freswa (frederik) - Monday, 25 April 2022, 15:45 GMT
After a short investigation I found similar issues in other projects. Would you mind creating an issue upstream?
We package the latest iptables-nft, so there is not much I can do on the packaging side.
Comment by Jonas Witschel (diabonas) - Monday, 25 April 2022, 16:25 GMT
Do you use nftables directly in parallel to iptables-nft? What is the output of "nft list ruleset"?
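Added diagnostic helper, not part of the bug report and not code from Arch, libvirt or iptables. It gathers what the two comments above ask for (which iptables backend is active, and the output of "nft list ruleset") and applies one heuristic, stated here as an assumption: iptables-nft only accepts a builtin table such as "ip filter" when its base chains carry the names iptables itself uses (INPUT, FORWARD, OUTPUT). A base chain in "table ip filter" created natively with nft under another name (for example lowercase "input") is flagged as a likely cause of the "table `filter' is incompatible" error. The check is partial on purpose: rules with expressions iptables-nft cannot translate would also make the table incompatible, and this script does not inspect rules. The sample ruleset in the block is constructed, not taken from the reporter's machine.

```shell
#!/bin/sh
# Diagnostic helper for "table `filter' is incompatible, use 'nft' tool".
# Added example; assumption: iptables-nft rejects base chains in its builtin
# tables whose names differ from the iptables builtin chain names.

# find_foreign_filter_chains: read `nft list ruleset` text on stdin and print
# "<chain> hook <hook>" for each base chain inside "table ip filter" whose name
# is not INPUT, FORWARD or OUTPUT. Exit status 1 if any were found, else 0.
find_foreign_filter_chains() {
    awk '
        /^table ip filter [{]/ { in_table = 1; next }
        /^table /              { in_table = 0 }
        in_table && /^[ \t]*chain [A-Za-z0-9_.-]+ [{]/ { chain = $2 }
        in_table && /^[ \t]*type (filter|nat|route) hook/ {
            for (i = 1; i <= NF; i++) if ($i == "hook") hook = $(i + 1)
            if (chain != "INPUT" && chain != "FORWARD" && chain != "OUTPUT") {
                print chain " hook " hook
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    '
}

# report_live: run the real tools (needs root and the nft binary).
# Only invoked when the script is started with --live.
report_live() {
    echo "iptables backend: $(iptables -V 2>&1)"   # shows (nf_tables) or (legacy)
    echo "--- nft list ruleset ---"
    nft list ruleset
    echo "--- base chains in 'table ip filter' not named like iptables chains ---"
    if nft list ruleset | find_foreign_filter_chains; then
        echo "none found; look at the rules themselves next"
    else
        echo "=> likely source of the 'table filter is incompatible' error (assumption)"
    fi
}

# Constructed sample: an "ip filter" table written natively with nft, using
# lowercase base chain names, next to an "ip nat" table iptables-nft created.
SAMPLE_RULESET='table ip filter {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority 100; policy accept;
    }
}'

case "${1:-}" in
    --live) report_live ;;
    *) printf '%s\n' "$SAMPLE_RULESET" | find_foreign_filter_chains || true ;;
esac
```

Run it without arguments to see the heuristic applied to the constructed sample (it reports the "input" and "forward" chains), or as root with --live to collect the real backend and ruleset on the affected host. If nothing is flagged but the error persists, the incompatibility is in the rules rather than the chains, which this check does not cover.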