Bug#994127: libvirt-daemon: Error creating virtual network - iptables (nf_tables) table `nat' is incompatible, use 'nft'
Hello,

I was faced with the same problem after a Buster to Bullseye upgrade.
The same commands as yours returned the same results.

After a week of unsuccessful attempts, I have been able to get my VM back and apparently without regression by removing
- all my *qemu* *libvirt* *iptables* *nftables* named packages
- my DHCP client packages
- my orphaned packages (several runs)

After that, I reinstalled them, nftables after all the other ones.

If it can help someone...

Regards

On Tue, Oct 12, 2021 at 12:03 AM James Youngman wrote:
> Package: libvirt-daemon
> Version: 7.0.0-3
> Followup-For: Bug #994127
>
> I also find (after upgrade from buster to bullseye) that my default
> network will no longer start:
>
> jupiter:~$ sudo virsh net-list --all
> Name State Autostart Persistent
> ---
> default inactive yes yes
> ipv6-net inactive yes yes
>
> jupiter:~$ sudo virsh net-info default
> Name: default
> UUID: b5472d74-d362-4d85-900c-14959e3dfd35
> Active: no
> Persistent: yes
> Autostart: yes
> Bridge: virbr0
>
> jupiter:~$ sudo virsh net-start default
> error: Failed to start network default
> error: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.
>
>
> jupiter:~$ dpkg -l nftables iptables
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name Version Architecture Description
> +++-==---==
> ii iptables 1.8.7-1 amd64 administration tools for packet filtering and NAT
> ii nftables 0.9.8-3.1 amd64 Program to control packet filtering rules by Netfilter project
> jupiter:~$ readlink -f /usr/sbin/iptables
> /usr/sbin/xtables-nft-multi
> jupiter:~$ update-alternatives --display iptables
> iptables - auto mode
>   link best version is /usr/sbin/iptables-nft
>   link currently points to /usr/sbin/iptables-nft
>   link iptables is /usr/sbin/iptables
>   slave iptables-restore is /usr/sbin/iptables-restore
>   slave iptables-save is /usr/sbin/iptables-save
> /usr/sbin/iptables-legacy - priority 10
>   slave iptables-restore: /usr/sbin/iptables-legacy-restore
>   slave iptables-save: /usr/sbin/iptables-legacy-save
> /usr/sbin/iptables-nft - priority 20
>   slave iptables-restore: /usr/sbin/iptables-nft-restore
>   slave iptables-save: /usr/sbin/iptables-nft-save
> jupiter:~$ ls -l /usr/sbin/iptables /etc/alternatives/iptables /usr/sbin/iptables-nft /usr/sbin/xtables-nft-multi
> lrwxrwxrwx 1 root root 22 Jul 10 2019 /etc/alternatives/iptables -> /usr/sbin/iptables-nft
> lrwxrwxrwx 1 root root 26 Jul 10 2019 /usr/sbin/iptables -> /etc/alternatives/iptables
> lrwxrwxrwx 1 root root 17 Jan 17 2021 /usr/sbin/iptables-nft -> xtables-nft-multi
> -rwxr-xr-x 1 root root 220232 Jan 17 2021 /usr/sbin/xtables-nft-multi
>
> It appears that moving the alternative doesn't fix the problem. A
> bit confusingly, the command shown, if I run it manually, appears to
> work:
>
> jupiter:~$ sudo virsh net-start default
> error: Failed to start network default
> error: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.
>
>
>
> jupiter:~$ sudo /usr/sbin/iptables -w --table filter --list-rules
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> jupiter:~$ echo $?
> 0
>
> Though of course, that doesn't get my VMs booted. None of my guest
> VMs can start. This is a significant problem for me.
>
> -- System Information:
> Debian Release: 11.1
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 5.10.0-9-amd64 (SMP w/12 CPU threads)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages libvirt-daemon depends on:
> ii libblkid1 2.36.1-8
> ii libc6 2.31-13+deb11u2
> ii libdevmapper1.02.1 2:1.02.175-2.1
> ii libgcc-s1 10.2.1-6
> ii libglib2.0-0 2.66.8-1
> ii libnetcf1 1:0.2.8-1.1
> ii libparted2 3.4-1
> ii libpcap0.8 1.10.0-2
> ii libpciaccess0 0.16-1
> ii libselinux1 3.1-3
> ii libudev1
Bug#994127: libvirt-daemon: Error creating virtual network - iptables (nf_tables) table `nat' is incompatible, use 'nft'
Package: libvirt-daemon
Version: 7.0.0-3
Followup-For: Bug #994127

I also find (after upgrade from buster to bullseye) that my default network will no longer start:

jupiter:~$ sudo virsh net-list --all
Name State Autostart Persistent
---
default inactive yes yes
ipv6-net inactive yes yes

jupiter:~$ sudo virsh net-info default
Name: default
UUID: b5472d74-d362-4d85-900c-14959e3dfd35
Active: no
Persistent: yes
Autostart: yes
Bridge: virbr0

jupiter:~$ sudo virsh net-start default
error: Failed to start network default
error: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.

jupiter:~$ dpkg -l nftables iptables
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==---==
ii iptables 1.8.7-1 amd64 administration tools for packet filtering and NAT
ii nftables 0.9.8-3.1 amd64 Program to control packet filtering rules by Netfilter project
jupiter:~$ readlink -f /usr/sbin/iptables
/usr/sbin/xtables-nft-multi
jupiter:~$ update-alternatives --display iptables
iptables - auto mode
  link best version is /usr/sbin/iptables-nft
  link currently points to /usr/sbin/iptables-nft
  link iptables is /usr/sbin/iptables
  slave iptables-restore is /usr/sbin/iptables-restore
  slave iptables-save is /usr/sbin/iptables-save
/usr/sbin/iptables-legacy - priority 10
  slave iptables-restore: /usr/sbin/iptables-legacy-restore
  slave iptables-save: /usr/sbin/iptables-legacy-save
/usr/sbin/iptables-nft - priority 20
  slave iptables-restore: /usr/sbin/iptables-nft-restore
  slave iptables-save: /usr/sbin/iptables-nft-save
jupiter:~$ ls -l /usr/sbin/iptables /etc/alternatives/iptables /usr/sbin/iptables-nft /usr/sbin/xtables-nft-multi
lrwxrwxrwx 1 root root 22 Jul 10 2019 /etc/alternatives/iptables -> /usr/sbin/iptables-nft
lrwxrwxrwx 1 root root 26 Jul 10 2019 /usr/sbin/iptables -> /etc/alternatives/iptables
lrwxrwxrwx 1 root root 17 Jan 17 2021 /usr/sbin/iptables-nft -> xtables-nft-multi
-rwxr-xr-x 1 root root 220232 Jan 17 2021 /usr/sbin/xtables-nft-multi

It appears that moving the alternative doesn't fix the problem. A bit confusingly, the command shown, if I run it manually, appears to work:

jupiter:~$ sudo virsh net-start default
error: Failed to start network default
error: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.

jupiter:~$ sudo /usr/sbin/iptables -w --table filter --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
jupiter:~$ echo $?
0

Though of course, that doesn't get my VMs booted. None of my guest VMs can start. This is a significant problem for me.

-- System Information:
Debian Release: 11.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-9-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvirt-daemon depends on:
ii libblkid1 2.36.1-8
ii libc6 2.31-13+deb11u2
ii libdevmapper1.02.1 2:1.02.175-2.1
ii libgcc-s1 10.2.1-6
ii libglib2.0-0 2.66.8-1
ii libnetcf1 1:0.2.8-1.1
ii libparted2 3.4-1
ii libpcap0.8 1.10.0-2
ii libpciaccess0 0.16-1
ii libselinux1 3.1-3
ii libudev1 247.3-6
ii libvirt-daemon-driver-qemu 7.0.0-3
ii libvirt0 7.0.0-3
ii libxml2 2.9.10+dfsg-6.7

Versions of packages libvirt-daemon recommends:
ii libvirt-daemon-driver-lxc 7.0.0-3
ii libvirt-daemon-driver-vbox 7.0.0-3
ii libvirt-daemon-driver-xen 7.0.0-3
ii libxml2-utils 2.9.10+dfsg-6.7
ii netcat-openbsd 1.217-3
ii qemu-system-x86 [qemu-kvm] 1:5.2+dfsg-11+deb11u1

Versions of packages libvirt-daemon suggests:
pn libvirt-daemon-driver-storage-gluster
pn libvirt-daemon-driver-storage-iscsi-direct
pn libvirt-daemon-driver-storage-rbd
pn libvirt-daemon-driver-storage-zfs
ii libvirt-daemon-system
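A small triage helper for the failure reported in this thread, as an added example that is not part of any message here: it pulls the table and iptables variant out of the libvirt error line and compares them with the target of the iptables alternative. The function names are this example's own, and the two sample inputs are copied from output quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are this example's own;
# the two sample inputs are copied from output quoted in the messages.

sample_error() {   # libvirt error as reported, joined onto one line
cat <<'EOF'
error: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.
EOF
}

sample_alternatives() {   # excerpt of: update-alternatives --display iptables
cat <<'EOF'
iptables - auto mode
  link best version is /usr/sbin/iptables-nft
  link currently points to /usr/sbin/iptables-nft
  link iptables is /usr/sbin/iptables
EOF
}

# Print "<table> <variant>" for an "is incompatible" firewall error, else nothing.
parse_fw_error() {
    printf '%s\n' "$1" | sed -n \
        's/.*--table \([a-z]*\) .*iptables v[0-9.]* (\([a-z_]*\)).*is incompatible.*/\1 \2/p'
}

# Print the path the alternative currently points to (stdin: --display output).
current_alternative() {
    sed -n 's/^ *link currently points to //p'
}

# Report table, variant and alternative target, and whether the two agree.
triage() {
    parsed=$(parse_fw_error "$1")
    [ -n "$parsed" ] || { echo "no incompatible-table error found"; return 1; }
    table=${parsed% *}
    backend=${parsed#* }
    alt=$(printf '%s\n' "$2" | current_alternative)
    case "$backend:$alt" in
        nf_tables:*/iptables-nft|legacy:*/iptables-legacy) agree=yes ;;
        *) agree=no ;;
    esac
    echo "table=$table backend=$backend alternative=$alt agree=$agree"
    # The error text points at the nft tool; listing the table is read-only.
    [ "$backend" = nf_tables ] && echo "next: nft list table ip $table"
    return 0
}

triage "$(sample_error)" "$(sample_alternatives)"
```

On an affected host, pass the real error line and the real `update-alternatives --display iptables` output as the two arguments instead of the samples.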
Bug#994127: [Pkg-libvirt-maintainers] Bug#994127: libvirt-daemon: Error creating virtual network - iptables (nf_tables) table `nat' is incompatible, use 'nft'
Hello Guido,

On Mon, Sep 13, 2021 at 08:32:57AM +0200, Guido Günther wrote:
> Do you have nftables installed?
> -- Guido
>

Yes, I do have nftables installed and I also enabled the systemd service. I've also tested nftables with a configuration and it worked without a problem.

FYI: With the same setup it worked on Debian Buster.

Regards,
Benedikt
Bug#994127: [Pkg-libvirt-maintainers] Bug#994127: libvirt-daemon: Error creating virtual network - iptables (nf_tables) table `nat' is incompatible, use 'nft'
Hi,

On Sun, Sep 12, 2021 at 01:40:58PM +0200, Benedikt Tuchen wrote:
> Package: libvirt-daemon
> Version: 7.0.0-3
> Severity: graves
>
> Dear Maintainer,
>
> while trying to create a new virtual network on a fresh Debian 11 install I get
> the following error:
>
>
> Traceback (most recent call last):
>   File "/usr/share/virt-manager/virtManager/asyncjob.py", line 65, in cb_wrapper
>     callback(asyncjob, *args, **kwargs)
>   File "/usr/share/virt-manager/virtManager/createnet.py", line 428, in _async_net_create
>     netobj.create()
>   File "/usr/lib/python3/dist-packages/libvirt.py", line 3436, in create
>     raise libvirtError('virNetworkCreate() failed')
> libvirt.libvirtError: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table nat --list-rules: iptables v1.8.7 (nf_tables): table `nat' is incompatible, use 'nft' tool.

Do you have nftables installed?
 -- Guido

>
>
> I've installed the following packages:
> qemu-kvm qemu-system-x86 qemu-utils libvirt-daemon-system virt-manager virt-viewer
>
> /usr/sbin/iptables is set in automode to /usr/sbin/iptables-nft via update-alternatives.
>
> I've tried to create virtual network with virt-manager.
>
> When trying to set the rule on commandline it fails with the same error.
>
> If you need more information feel free to ask.
>
> Regards,
> Benedikt
>
> -- System Information:
> Debian Release: 11.0
> APT prefers stable-security
> APT policy: (500, 'stable-security'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages libvirt-daemon depends on:
> ii libblkid1 2.36.1-8
> ii libc6 2.31-13
> ii libdevmapper1.02.1 2:1.02.175-2.1
> ii libgcc-s1 10.2.1-6
> ii libglib2.0-0 2.66.8-1
> ii libnetcf1 1:0.2.8-1.1
> ii libparted2 3.4-1
> ii libpcap0.8 1.10.0-2
> ii libpciaccess0 0.16-1
> ii libselinux1 3.1-3
> ii libudev1 247.3-6
> ii libvirt-daemon-driver-qemu 7.0.0-3
> ii libvirt0 7.0.0-3
> ii libxml2 2.9.10+dfsg-6.7
>
> Versions of packages libvirt-daemon recommends:
> ii libvirt-daemon-driver-lxc 7.0.0-3
> ii libvirt-daemon-driver-vbox 7.0.0-3
> ii libvirt-daemon-driver-xen 7.0.0-3
> ii libxml2-utils 2.9.10+dfsg-6.7
> ii netcat-openbsd 1.217-3
> ii qemu-system-x86 [qemu-kvm] 1:5.2+dfsg-11
>
> Versions of packages libvirt-daemon suggests:
> pn libvirt-daemon-driver-storage-gluster
> pn libvirt-daemon-driver-storage-iscsi-direct
> pn libvirt-daemon-driver-storage-rbd
> pn libvirt-daemon-driver-storage-zfs
> ii libvirt-daemon-system 7.0.0-3
> pn numad
>
> -- no debconf information
Bug#994127: libvirt-daemon: Error creating virtual network - iptables (nf_tables) table `nat' is incompatible, use 'nft'
Package: libvirt-daemon
Version: 7.0.0-3
Severity: graves

Dear Maintainer,

while trying to create a new virtual network on a fresh Debian 11 install I get the following error:

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 65, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/createnet.py", line 428, in _async_net_create
    netobj.create()
  File "/usr/lib/python3/dist-packages/libvirt.py", line 3436, in create
    raise libvirtError('virNetworkCreate() failed')
libvirt.libvirtError: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table nat --list-rules: iptables v1.8.7 (nf_tables): table `nat' is incompatible, use 'nft' tool.

I've installed the following packages:
qemu-kvm qemu-system-x86 qemu-utils libvirt-daemon-system virt-manager virt-viewer

/usr/sbin/iptables is set in automode to /usr/sbin/iptables-nft via update-alternatives.

I've tried to create virtual network with virt-manager.

When trying to set the rule on commandline it fails with the same error.

If you need more information feel free to ask.

Regards,
Benedikt

-- System Information:
Debian Release: 11.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvirt-daemon depends on:
ii libblkid1 2.36.1-8
ii libc6 2.31-13
ii libdevmapper1.02.1 2:1.02.175-2.1
ii libgcc-s1 10.2.1-6
ii libglib2.0-0 2.66.8-1
ii libnetcf1 1:0.2.8-1.1
ii libparted2 3.4-1
ii libpcap0.8 1.10.0-2
ii libpciaccess0 0.16-1
ii libselinux1 3.1-3
ii libudev1 247.3-6
ii libvirt-daemon-driver-qemu 7.0.0-3
ii libvirt0 7.0.0-3
ii libxml2 2.9.10+dfsg-6.7

Versions of packages libvirt-daemon recommends:
ii libvirt-daemon-driver-lxc 7.0.0-3
ii libvirt-daemon-driver-vbox 7.0.0-3
ii libvirt-daemon-driver-xen 7.0.0-3
ii libxml2-utils 2.9.10+dfsg-6.7
ii netcat-openbsd 1.217-3
ii qemu-system-x86 [qemu-kvm] 1:5.2+dfsg-11

Versions of packages libvirt-daemon suggests:
pn libvirt-daemon-driver-storage-gluster
pn libvirt-daemon-driver-storage-iscsi-direct
pn libvirt-daemon-driver-storage-rbd
pn libvirt-daemon-driver-storage-zfs
ii libvirt-daemon-system 7.0.0-3
pn numad

-- no debconf information