Adding an nftables backend in addition to iptables?

Daniel P. Berrangé berrange at redhat.com
Mon Nov 30 13:08:39 UTC 2020


On Sat, Nov 28, 2020 at 04:39:26PM +0100, Aljoscha Lautenbach wrote:
> Hi!
> 
> First of all, thanks for your work on libvirt, it is highly appreciated!
> 
> When I wanted to create a new VM using virt-manager on my Debian
> Testing machine yesterday, I ran into the following problem:
> 
> ~# virsh net-list --all
>  Name      State      Autostart   Persistent
> ----------------------------------------------
>  default   inactive   yes         yes
> 
> ~# virsh net-start default
> error: Failed to start network default
> error: internal error: Failed to apply firewall rules
> /usr/sbin/iptables --table filter --list-rules: iptables v1.8.6
> (nf_tables): table `filter' is incompatible, use 'nft' tool.
> 
> It turns out the Debian package for iptables includes two versions of
> iptables: iptables-nft and iptables-legacy. It looks like iptables-nft
> has been the default in Debian for a while, which led to the error
> above.

This doesn't make much sense. The whole point of iptables-nft is that
apps can continue using the (fake) iptables userspace tools and they
magically turn into NFT rules at the kernel level.

IOW, libvirt should "just work" with both iptables-legacy and
iptables-nft - that's certainly the case on Fedora/RHEL, so I
wonder what's broken on Debian to cause this error message.

> After setting iptables-legacy to be the default and restarting the
> libvirtd service, everything worked as expected.
> 
> But it did make me wonder, are there any plans to add a backend for nftables?

Regardless of whether iptables-nft works or not, at some point it would
be nice to directly use the "nft" tool for creating rules. We don't have
anyone with active plans to work on this, so there's no ETA though.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
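Added by the editor, not code from libvirt or from anyone in this thread: a small POSIX sh helper that reproduces the check libvirt trips over here (`iptables --table filter --list-rules`) and reports which iptables backend the host is actually using, so a reader can tell the "(nf_tables)" variant from "(legacy)" before reaching for the update-alternatives workaround. It assumes the Debian layout from the thread (an `iptables` alternative pointing at /usr/sbin/iptables-nft or /usr/sbin/iptables-legacy) and the version and error strings iptables 1.8.x prints; the sample strings at the bottom are constructed for offline testing.

```shell
#!/bin/sh
# Editor's added example (not libvirt code): identify the iptables backend
# and recognise the "table incompatible" failure quoted in the thread.

# Classify an `iptables --version` line. iptables 1.8.x appends the
# backend in parentheses: "iptables v1.8.6 (nf_tables)" or "(legacy)".
iptables_backend_from_version() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Return 0 when captured iptables output is the error from the thread:
# the kernel-side table exists but iptables-nft refuses to interpret it.
is_nft_incompat_error() {
    case "$1" in
        *"is incompatible, use 'nft' tool"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the currently selected path from an
# `update-alternatives --query iptables` dump (the "Value:" line).
alternative_from_query() {
    printf '%s\n' "$1" | sed -n 's/^Value: *//p' | head -n 1
}

# Live check (needs root and an installed iptables): runs the same
# listing command libvirt runs when starting a network and explains
# the result. Returns 0 if the filter table is readable, 1 otherwise.
diagnose() {
    if ! command -v iptables >/dev/null 2>&1; then
        echo "iptables not installed"
        return 2
    fi
    ver=$(iptables --version 2>/dev/null)
    echo "backend: $(iptables_backend_from_version "$ver")"
    if command -v update-alternatives >/dev/null 2>&1; then
        alt=$(alternative_from_query "$(update-alternatives --query iptables 2>/dev/null)")
        echo "alternative: ${alt:-none}"
    fi
    if out=$(iptables --table filter --list-rules 2>&1); then
        echo "filter table readable: libvirt's rule setup should succeed"
        return 0
    fi
    if is_nft_incompat_error "$out"; then
        echo "filter table rejected by iptables-nft; the workaround used in the thread:"
        echo "  update-alternatives --set iptables /usr/sbin/iptables-legacy"
        echo "  (then restart libvirtd)"
        return 1
    fi
    echo "iptables failed for another reason: $out"
    return 1
}

# Run the live check only when asked: `sh this.sh diagnose`
if [ "${1:-}" = "diagnose" ]; then
    diagnose
fi
```

Run it with `diagnose` as root to see what libvirtd sees; the parsing functions can be exercised on their own with the sample strings below.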