FS#74552 - iptables-nft not compatible with virt-manager (libvirt)

Attached to Project: Arch Linux
Opened by gudvinr (gudvinr) - Monday, 25 April 2022, 00:06 GMT
Last edited by Toolybird (Toolybird) - Tuesday, 18 October 2022, 05:09 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To freswa (frederik)
Architecture x86_64
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

iptables-nft shipped with Arch Linux does not fully replace iptables, which leads to virt-manager/libvirt not being able to use its network capabilities.

Additional info:
core/iptables-nft 1:1.8.7-1
community/virt-manager 4.0.0-1

XML of default network configuration:

<network>
  <name>default</name>
  <uuid>0f702a9c-fb1d-4747-9e56-03497621e660</uuid>
  <forward mode="nat"/>
  <bridge name="virbr0" stp="on" delay="0"/>
  <mac address="52:54:00:9e:34:24"/>
  <ip address="192.168.122.1" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.122.2" end="192.168.122.254"/>
    </dhcp>
  </ip>
</network>

According to this libvirt issue, iptables and iptables-nft should both work just fine in Fedora:
https://www.spinics.net/linux/fedora/libvir/msg212287.html

This makes me think there's something wrong with iptables-nft in archlinux.

Steps to reproduce:
Try creating virtual machine (QEMU/KVM) with default network (NAT).

Get an error:

Could not start virtual network 'default': internal error: Failed to apply firewall rules /usr/bin/iptables -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/device/netlist.py", line 208, in _check_network_is_running
    netobj.start()
  File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/object/network.py", line 69, in start
    self._backend.create()
  File "/usr/lib/python3.10/site-packages/libvirt.py", line 3474, in create
    raise libvirtError('virNetworkCreate() failed')
libvirt.libvirtError: internal error: Failed to apply firewall rules /usr/bin/iptables -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.

Closed by  Toolybird (Toolybird)
Tuesday, 18 October 2022, 05:09 GMT
Reason for closing:  Works for me
Comment by freswa (frederik) - Monday, 25 April 2022, 15:45 GMT
After a short investigation I found similar issues in other projects. Would you mind creating an issue upstream?
We package the latest iptables-nft, so there is not much I can do on the packaging side.
Comment by Jonas Witschel (diabonas) - Monday, 25 April 2022, 16:25 GMT
Do you use nftables directly in parallel to iptables-nft? What is the output of "nft list ruleset"?
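The question above is the right one to ask: the "table `filter' is incompatible, use 'nft' tool" message comes from iptables-nft refusing to manage a table that something else has also shaped. As an added example (not part of this report or of any Arch package), the script below reads the text of `nft list ruleset` and lists base chains in `table ip filter` that iptables-nft did not create itself. It assumes, and this is not stated on the page, that iptables-nft only recognises the chains INPUT, FORWARD and OUTPUT in that table, each on the netfilter hook of the same name, and treats any other base chain there as making the table incompatible (rules it cannot translate have the same effect but are not checked here). The sample ruleset is constructed, not taken from the reporter's machine.

```shell
#!/bin/sh
# Added diagnostic for the error quoted in this report (example code, not from
# libvirt, iptables or Arch). Assumption, not stated on the page: iptables-nft
# marks a table "incompatible" when it contains base chains it does not
# recognise. In the ip-family "filter" table it only knows INPUT, FORWARD and
# OUTPUT, each attached to the hook of the same name. Rules it cannot translate
# also trigger the error but are not checked here.
# Input: text of `nft list ruleset` on stdin.
# Output: one line per offending base chain; exit status 1 if any were found.

find_incompatible_filter_chains() {
    awk '
        BEGIN {
            builtin["INPUT"] = "input"
            builtin["FORWARD"] = "forward"
            builtin["OUTPUT"] = "output"
        }
        # "table ip filter {" -> remember family and name of the current table
        $1 == "table" { table = $2 " " $3; next }
        # "chain INPUT {" -> remember the current chain name
        $1 == "chain" { chain = $2; next }
        # "type filter hook input priority filter; ..." marks a base chain;
        # only the ip-family filter table matters to plain iptables(-nft)
        $1 == "type" && table == "ip filter" {
            hook = ""
            for (i = 1; i < NF; i++) if ($i == "hook") hook = $(i + 1)
            if (!(chain in builtin) || builtin[chain] != hook) {
                print chain " (hook " hook ")"
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample of `nft list ruleset`: INPUT and FORWARD look like
# iptables-nft created them, while the lowercase "input" chain was added
# natively with nft into the same ip/filter table. The inet-family table is
# ignored because iptables-nft looks at family ip only.
SAMPLE_RULESET='table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
	}
	chain FORWARD {
		type filter hook forward priority filter; policy accept;
	}
	chain input {
		type filter hook input priority 0; policy drop;
	}
}
table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
	}
}'

if printf '%s\n' "$SAMPLE_RULESET" | find_incompatible_filter_chains; then
    echo "table ip filter contains only base chains iptables-nft recognises"
else
    echo "the base chains above make table ip filter incompatible with iptables-nft"
fi
```

On a live system, run `nft list ruleset | find_incompatible_filter_chains` as root; if it prints anything, that chain (typically from a native nftables config or another tool) is what `iptables --table filter --list-rules` is tripping over, and libvirt will not be able to start the NAT network until the two stop sharing the `ip filter` table.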
Comment by Toolybird (Toolybird) - Tuesday, 18 October 2022, 05:09 GMT
Cannot repro. I have a NAT network for libvirt (XML exactly as above but different MAC address) and also iptables-nft installed as per the wiki [1]. All works fine.

[1] https://wiki.archlinux.org/title/Libvirt
