Bug#994127: libvirt-daemon: Error creating virtual network - iptables (nf_tables) table `nat' is incompatible, use 'nft'

2021-11-09 Thread Laurent Baillet
Hello

I was faced with the same problem after a Buster to Bullseye upgrade. The
same commands as you returned the same results.

After a week of unsuccessful attempts, I have been able to get my VM back
and apparently without regression by removing

   - all my *qemu* *libvirt* *iptables* *nftables* named packages
   - my DHCP client packages
   - my orphaned packages (several runs)

After that, I reinstalled them, nftables after all the other ones.

If it can help someone...

Regards

On Tue, Oct 12, 2021 at 12:03 AM James Youngman  wrote:

> Package: libvirt-daemon
> Version: 7.0.0-3
> Followup-For: Bug #994127
>
> I also find (after upgrade from buster to bullseye) that my default
> network will no longer start:
>
> jupiter:~$ sudo virsh net-list --all
>  Name       State      Autostart   Persistent
> ---------------------------------------------
>  default    inactive   yes         yes
>  ipv6-net   inactive   yes         yes
>
> jupiter:~$ sudo virsh net-info default
> Name:   default
> UUID:   b5472d74-d362-4d85-900c-14959e3dfd35
> Active: no
> Persistent: yes
> Autostart:  yes
> Bridge: virbr0
>
> jupiter:~$ sudo virsh net-start default
> error: Failed to start network default
> error: internal error: Failed to apply firewall rules /usr/sbin/iptables
> -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter'
> is incompatible, use 'nft' tool.
>
>
> jupiter:~$ dpkg -l nftables iptables
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name           Version      Architecture Description
> +++-==============-============-============-=================================
> ii  iptables       1.8.7-1      amd64        administration tools for packet filtering and NAT
> ii  nftables       0.9.8-3.1    amd64        Program to control packet filtering rules by Netfilter project
> jupiter:~$ readlink -f /usr/sbin/iptables
> /usr/sbin/xtables-nft-multi
> jupiter:~$  update-alternatives --display iptables
> iptables - auto mode
>   link best version is /usr/sbin/iptables-nft
>   link currently points to /usr/sbin/iptables-nft
>   link iptables is /usr/sbin/iptables
>   slave iptables-restore is /usr/sbin/iptables-restore
>   slave iptables-save is /usr/sbin/iptables-save
> /usr/sbin/iptables-legacy - priority 10
>   slave iptables-restore: /usr/sbin/iptables-legacy-restore
>   slave iptables-save: /usr/sbin/iptables-legacy-save
> /usr/sbin/iptables-nft - priority 20
>   slave iptables-restore: /usr/sbin/iptables-nft-restore
>   slave iptables-save: /usr/sbin/iptables-nft-save
> jupiter:~$ ls -l /usr/sbin/iptables   /etc/alternatives/iptables
> /usr/sbin/iptables-nft /usr/sbin/xtables-nft-multi
> lrwxrwxrwx 1 root root 22 Jul 10  2019 /etc/alternatives/iptables ->
> /usr/sbin/iptables-nft
> lrwxrwxrwx 1 root root 26 Jul 10  2019 /usr/sbin/iptables ->
> /etc/alternatives/iptables
> lrwxrwxrwx 1 root root 17 Jan 17  2021 /usr/sbin/iptables-nft ->
> xtables-nft-multi
> -rwxr-xr-x 1 root root 220232 Jan 17  2021 /usr/sbin/xtables-nft-multi
>
> It appears that moving the alternative doesn't fix the problem.   A
> bit confusingly, the command shown, if I run it manually, appears to
> work:
>
> jupiter:~$ sudo virsh net-start default
> error: Failed to start network default
> error: internal error: Failed to apply firewall rules /usr/sbin/iptables
> -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter'
> is incompatible, use 'nft' tool.
>
>
>
> jupiter:~$ sudo /usr/sbin/iptables -w --table filter --list-rules
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> jupiter:~$ echo $?
> 0
>
> Though of course, that doesn't get my VMs booted.  None of my guest
> VMs can start.  This is a significant problem for me.
>
> -- System Information:
> Debian Release: 11.1
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
> 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 5.10.0-9-amd64 (SMP w/12 CPU threads)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN,
> TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_IE:en
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages libvirt-daemon depends on:
> ii  libblkid1                   2.36.1-8
> ii  libc6                       2.31-13+deb11u2
> ii  libdevmapper1.02.1          2:1.02.175-2.1
> ii  libgcc-s1                   10.2.1-6
> ii  libglib2.0-0                2.66.8-1
> ii  libnetcf1                   1:0.2.8-1.1
> ii  libparted2                  3.4-1
> ii  libpcap0.8                  1.10.0-2
> ii  libpciaccess0               0.16-1
> ii  libselinux1                 3.1-3
> ii  libudev1

Bug#994127: libvirt-daemon: Error creating virtual network - iptables (nf_tables) table `nat' is incompatible, use 'nft'

2021-10-11 Thread James Youngman
Package: libvirt-daemon
Version: 7.0.0-3
Followup-For: Bug #994127

I also find (after upgrade from buster to bullseye) that my default
network will no longer start:

jupiter:~$ sudo virsh net-list --all
 Name       State      Autostart   Persistent
---------------------------------------------
 default    inactive   yes         yes
 ipv6-net   inactive   yes         yes

jupiter:~$ sudo virsh net-info default
Name:   default
UUID:   b5472d74-d362-4d85-900c-14959e3dfd35
Active: no
Persistent: yes
Autostart:  yes
Bridge: virbr0

jupiter:~$ sudo virsh net-start default
error: Failed to start network default
error: internal error: Failed to apply firewall rules /usr/sbin/iptables -w 
--table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter' is 
incompatible, use 'nft' tool.


jupiter:~$ dpkg -l nftables iptables
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  iptables       1.8.7-1      amd64        administration tools for packet filtering and NAT
ii  nftables       0.9.8-3.1    amd64        Program to control packet filtering rules by Netfilter project
jupiter:~$ readlink -f /usr/sbin/iptables
/usr/sbin/xtables-nft-multi
jupiter:~$  update-alternatives --display iptables
iptables - auto mode
  link best version is /usr/sbin/iptables-nft
  link currently points to /usr/sbin/iptables-nft
  link iptables is /usr/sbin/iptables
  slave iptables-restore is /usr/sbin/iptables-restore
  slave iptables-save is /usr/sbin/iptables-save
/usr/sbin/iptables-legacy - priority 10
  slave iptables-restore: /usr/sbin/iptables-legacy-restore
  slave iptables-save: /usr/sbin/iptables-legacy-save
/usr/sbin/iptables-nft - priority 20
  slave iptables-restore: /usr/sbin/iptables-nft-restore
  slave iptables-save: /usr/sbin/iptables-nft-save
jupiter:~$ ls -l /usr/sbin/iptables   /etc/alternatives/iptables 
/usr/sbin/iptables-nft /usr/sbin/xtables-nft-multi
lrwxrwxrwx 1 root root 22 Jul 10  2019 /etc/alternatives/iptables -> 
/usr/sbin/iptables-nft
lrwxrwxrwx 1 root root 26 Jul 10  2019 /usr/sbin/iptables -> 
/etc/alternatives/iptables
lrwxrwxrwx 1 root root 17 Jan 17  2021 /usr/sbin/iptables-nft -> 
xtables-nft-multi
-rwxr-xr-x 1 root root 220232 Jan 17  2021 /usr/sbin/xtables-nft-multi

It appears that moving the alternative doesn't fix the problem.   A
bit confusingly, the command shown, if I run it manually, appears to
work:

jupiter:~$ sudo virsh net-start default
error: Failed to start network default
error: internal error: Failed to apply firewall rules /usr/sbin/iptables -w 
--table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter' is 
incompatible, use 'nft' tool.



jupiter:~$ sudo /usr/sbin/iptables -w --table filter --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
jupiter:~$ echo $?
0

Though of course, that doesn't get my VMs booted.  None of my guest
VMs can start.  This is a significant problem for me.

-- System Information:
Debian Release: 11.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-9-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_IE:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvirt-daemon depends on:
ii  libblkid1                   2.36.1-8
ii  libc6                       2.31-13+deb11u2
ii  libdevmapper1.02.1          2:1.02.175-2.1
ii  libgcc-s1                   10.2.1-6
ii  libglib2.0-0                2.66.8-1
ii  libnetcf1                   1:0.2.8-1.1
ii  libparted2                  3.4-1
ii  libpcap0.8                  1.10.0-2
ii  libpciaccess0               0.16-1
ii  libselinux1                 3.1-3
ii  libudev1                    247.3-6
ii  libvirt-daemon-driver-qemu  7.0.0-3
ii  libvirt0                    7.0.0-3
ii  libxml2                     2.9.10+dfsg-6.7

Versions of packages libvirt-daemon recommends:
ii  libvirt-daemon-driver-lxc   7.0.0-3
ii  libvirt-daemon-driver-vbox  7.0.0-3
ii  libvirt-daemon-driver-xen   7.0.0-3
ii  libxml2-utils   2.9.10+dfsg-6.7
ii  netcat-openbsd  1.217-3
ii  qemu-system-x86 [qemu-kvm]  1:5.2+dfsg-11+deb11u1

Versions of packages libvirt-daemon suggests:
pn  libvirt-daemon-driver-storage-gluster   
pn  libvirt-daemon-driver-storage-iscsi-direct  
pn  libvirt-daemon-driver-storage-rbd   
pn  libvirt-daemon-driver-storage-zfs   
ii  libvirt-daemon-system   

Bug#994127: [Pkg-libvirt-maintainers] Bug#994127: libvirt-daemon: Error creating virtual network - iptables (nf_tables) table `nat' is incompatible, use 'nft'

2021-09-13 Thread Benedikt Tuchen
Hello Guido,

On Mon, Sep 13, 2021 at 08:32:57AM +0200, Guido Günther wrote:
> Do you have nftables installed?
>  -- Guido
> 

Yes, I do have nftables installed and I also enabled the systemd
service.

I've also tested nftables with a configuration and it worked without
a problem.

FYI: With the same setup it worked on Debian Buster.

Regards,
Benedikt




Bug#994127: [Pkg-libvirt-maintainers] Bug#994127: libvirt-daemon: Error creating virtual network - iptables (nf_tables) table `nat' is incompatible, use 'nft'

2021-09-13 Thread Guido Günther
Hi,
On Sun, Sep 12, 2021 at 01:40:58PM +0200, Benedikt Tuchen wrote:
> Package: libvirt-daemon
> Version: 7.0.0-3
> Severity: graves
> 
> Dear Maintainer,
> 
> while trying to create a new virtual network on a fresh Debian 11 install I 
> get
> the following error:
> 
> 
> Traceback (most recent call last):
>   File "/usr/share/virt-manager/virtManager/asyncjob.py", line 65, in cb_wrapper
>     callback(asyncjob, *args, **kwargs)
>   File "/usr/share/virt-manager/virtManager/createnet.py", line 428, in _async_net_create
>     netobj.create()
>   File "/usr/lib/python3/dist-packages/libvirt.py", line 3436, in create
>     raise libvirtError('virNetworkCreate() failed')
> libvirt.libvirtError: internal error: Failed to apply firewall rules
> /usr/sbin/iptables -w --table nat --list-rules: iptables v1.8.7
> (nf_tables): table `nat' is incompatible, use 'nft' tool.

Do you have nftables installed?
 -- Guido

> 
> 
> I've installed the following packages:
> qemu-kvm qemu-system-x86 qemu-utils libvirt-daemon-system virt-manager 
> virt-viewer
> 
> /usr/sbin/iptables is set in automode to /usr/sbin/iptables-nft via 
> update-alternatives.
> 
> I've tried to create virtual network with virt-manager.
> 
> When trying to set the rule on commandline it fails with the same error.
> 
> If you need more information feel free to ask.
> 
> Regards,
> Benedikt
> 
> -- System Information:
> Debian Release: 11.0
>   APT prefers stable-security
>   APT policy: (500, 'stable-security'), (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
> TAINT_UNSIGNED_MODULE
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not 
> set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages libvirt-daemon depends on:
> ii  libblkid1                   2.36.1-8
> ii  libc6                       2.31-13
> ii  libdevmapper1.02.1          2:1.02.175-2.1
> ii  libgcc-s1                   10.2.1-6
> ii  libglib2.0-0                2.66.8-1
> ii  libnetcf1                   1:0.2.8-1.1
> ii  libparted2                  3.4-1
> ii  libpcap0.8                  1.10.0-2
> ii  libpciaccess0               0.16-1
> ii  libselinux1                 3.1-3
> ii  libudev1                    247.3-6
> ii  libvirt-daemon-driver-qemu  7.0.0-3
> ii  libvirt0                    7.0.0-3
> ii  libxml2                     2.9.10+dfsg-6.7
> 
> Versions of packages libvirt-daemon recommends:
> ii  libvirt-daemon-driver-lxc   7.0.0-3
> ii  libvirt-daemon-driver-vbox  7.0.0-3
> ii  libvirt-daemon-driver-xen   7.0.0-3
> ii  libxml2-utils   2.9.10+dfsg-6.7
> ii  netcat-openbsd  1.217-3
> ii  qemu-system-x86 [qemu-kvm]  1:5.2+dfsg-11
> 
> Versions of packages libvirt-daemon suggests:
> pn  libvirt-daemon-driver-storage-gluster   
> pn  libvirt-daemon-driver-storage-iscsi-direct  
> pn  libvirt-daemon-driver-storage-rbd   
> pn  libvirt-daemon-driver-storage-zfs   
> ii  libvirt-daemon-system   7.0.0-3
> pn  numad   
> 
> -- no debconf information






Bug#994127: libvirt-daemon: Error creating virtual network - iptables (nf_tables) table `nat' is incompatible, use 'nft'

2021-09-12 Thread Benedikt Tuchen
Package: libvirt-daemon
Version: 7.0.0-3
Severity: graves

Dear Maintainer,

while trying to create a new virtual network on a fresh Debian 11 install I get
the following error:


Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 65, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/createnet.py", line 428, in _async_net_create
    netobj.create()
  File "/usr/lib/python3/dist-packages/libvirt.py", line 3436, in create
    raise libvirtError('virNetworkCreate() failed')
libvirt.libvirtError: internal error: Failed to apply firewall rules 
/usr/sbin/iptables -w --table nat --list-rules: iptables v1.8.7 (nf_tables): 
table `nat' is incompatible, use 'nft' tool.


I've installed the following packages:
qemu-kvm qemu-system-x86 qemu-utils libvirt-daemon-system virt-manager 
virt-viewer

/usr/sbin/iptables is set in automode to /usr/sbin/iptables-nft via 
update-alternatives.

I've tried to create virtual network with virt-manager.

When trying to set the rule on commandline it fails with the same error.

If you need more information feel free to ask.

Regards,
Benedikt

-- System Information:
Debian Release: 11.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvirt-daemon depends on:
ii  libblkid1                   2.36.1-8
ii  libc6                       2.31-13
ii  libdevmapper1.02.1          2:1.02.175-2.1
ii  libgcc-s1                   10.2.1-6
ii  libglib2.0-0                2.66.8-1
ii  libnetcf1                   1:0.2.8-1.1
ii  libparted2                  3.4-1
ii  libpcap0.8                  1.10.0-2
ii  libpciaccess0               0.16-1
ii  libselinux1                 3.1-3
ii  libudev1                    247.3-6
ii  libvirt-daemon-driver-qemu  7.0.0-3
ii  libvirt0                    7.0.0-3
ii  libxml2                     2.9.10+dfsg-6.7

Versions of packages libvirt-daemon recommends:
ii  libvirt-daemon-driver-lxc   7.0.0-3
ii  libvirt-daemon-driver-vbox  7.0.0-3
ii  libvirt-daemon-driver-xen   7.0.0-3
ii  libxml2-utils   2.9.10+dfsg-6.7
ii  netcat-openbsd  1.217-3
ii  qemu-system-x86 [qemu-kvm]  1:5.2+dfsg-11

Versions of packages libvirt-daemon suggests:
pn  libvirt-daemon-driver-storage-gluster   
pn  libvirt-daemon-driver-storage-iscsi-direct  
pn  libvirt-daemon-driver-storage-rbd   
pn  libvirt-daemon-driver-storage-zfs   
ii  libvirt-daemon-system   7.0.0-3
pn  numad   

-- no debconf information

