
libvirt breaking nftables (iptables-nft)

libvirt works well enough that virtual machines do networking just fine without nftables (everything works without a firewall, shocking, right?); however, trying to start nftables after libvirt adds its rules results in a whole load of this:

Code:
$ sudo rc-service nftables start
 * Loading nftables state and starting firewall ...
/var/lib/nftables/rules-save:59:46-63: Error: unsupported xtables compat expression, use iptables-nft with this ruleset
                iifname "virbr0" counter packets 0 bytes 0 xt target "REJECT"
                                                           ^^^^^^^^^^^^^^^^^^
/var/lib/nftables/rules-save:70:46-65: Error: unsupported xtables compat expression, use iptables-nft with this ruleset
                oifname "virbr0" ip daddr 192.168.122.0/24 xt match "conntrack" counter packets 0 bytes 0 accept
                                                           ^^^^^^^^^^^^^^^^^^^^
/var/lib/nftables/rules-save:71:46-63: Error: unsupported xtables compat expression, use iptables-nft with this ruleset
                oifname "virbr0" counter packets 0 bytes 0 xt target "REJECT"
                                                           ^^^^^^^^^^^^^^^^^^
/var/lib/nftables/rules-save:82:99-120: Error: unsupported xtables compat expression, use iptables-nft with this ruleset
                meta l4proto 6 ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 xt target "MASQUERADE"
                                                                                                                ^^^^^^^^^^^^^^^^^^^^^^
/var/lib/nftables/rules-save:83:100-121: Error: unsupported xtables compat expression, use iptables-nft with this ruleset
                meta l4proto 17 ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 xt target "MASQUERADE"
                                                                                                                 ^^^^^^^^^^^^^^^^^^^^^^
/var/lib/nftables/rules-save:84:84-105: Error: unsupported xtables compat expression, use iptables-nft with this ruleset
                ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 xt target "MASQUERADE"
                                                                                                 ^^^^^^^^^^^^^^^^^^^^^^
/var/lib/nftables/rules-save:94:59-78: Error: unsupported xtables compat expression, use iptables-nft with this ruleset
                oifname "virbr0" udp dport 68 counter packets 0 bytes 0 xt target "CHECKSUM"
                                                                        ^^^^^^^^^^^^^^^^^^^^  [ !! ]
 * ERROR: nftables failed to start

Admittedly, I set up libvirt first and then migrated to nftables by using the iptables-nft and nftables-openrc packages, but I doubt that caused any actual issues.

So, how do I force libvirt to "use iptables-nft", or otherwise make both work on the same system?
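The errors above all point at the same thing: the saved ruleset contains `xt target "..."` and `xt match "..."` compat expressions, which only exist because iptables-nft (here, driven by libvirt) wrote the rules, and plain `nft -f` refuses to load them. As an added example that is not part of this thread, the POSIX shell script below scans a `rules-save` file for those expressions before the service start trips over them, counts them, and names the interfaces on the offending rules so you can tell which libvirt network is responsible. The sample ruleset it checks is constructed from the rule lines quoted in the error output; its chain names (`vm_forward`, `vm_postrouting`) are placeholders, not libvirt's own.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check for the failure shown
# above. Native nft cannot load `xt target "..."` / `xt match "..."` compat
# expressions (they only exist because iptables-nft wrote the rules), so find
# them in a saved ruleset before `rc-service nftables start` trips over them.

# Print "line:expression" for each xt compat expression in the ruleset file.
find_xt_compat() {
    grep -n -o -E 'xt (target|match) "[^"]*"' "$1" || true
}

# Number of xt compat expressions (0 means plain nft can load the file).
count_xt_compat() {
    find_xt_compat "$1" | wc -l | tr -d ' '
}

# Interfaces named on the offending rules, so you can tell which (libvirt)
# network put them there.
xt_compat_ifaces() {
    grep -E 'xt (target|match)' "$1" \
        | grep -o -E '[io]ifname "[^"]*"' \
        | sed 's/.*"\(.*\)"/\1/' \
        | sort -u
}

# Write a constructed sample ruleset modelled on the rules-save lines quoted
# in the error output; chain names are placeholders, not libvirt's own.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
table ip filter {
    chain vm_forward {
        ct state established,related counter packets 0 bytes 0 accept
        oifname "virbr0" ip daddr 192.168.122.0/24 xt match "conntrack" counter packets 0 bytes 0 accept
        oifname "virbr0" counter packets 0 bytes 0 xt target "REJECT"
    }
}
table ip nat {
    chain vm_postrouting {
        ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 xt target "MASQUERADE"
    }
}
table ip mangle {
    chain vm_postrouting {
        oifname "virbr0" udp dport 68 counter packets 0 bytes 0 xt target "CHECKSUM"
    }
}
EOF
}

# Report on one ruleset; returns 1 when it needs iptables-nft (or a rewrite).
check_ruleset() {
    n=$(count_xt_compat "$1")
    if [ "$n" -eq 0 ]; then
        echo "$1: no xt compat expressions, plain nft can load it"
        return 0
    fi
    echo "$1: $n xt compat expression(s) only iptables-nft can load:"
    find_xt_compat "$1" | sed 's/^/  /'
    echo "  interfaces involved: $(xt_compat_ifaces "$1" | tr '\n' ' ')"
    return 1
}

# Usage: ./nft-xt-check.sh /var/lib/nftables/rules-save
# With no argument the constructed sample is checked instead.
if [ -n "${1:-}" ]; then
    check_ruleset "$1" || :
else
    sample=$(mktemp)
    write_sample_ruleset "$sample"
    check_ruleset "$sample" || :
    rm -f "$sample"
fi
```

Run it against the real `/var/lib/nftables/rules-save` before starting the service; a non-zero return from `check_ruleset` means the dump was produced through iptables-nft and either has to be loaded by iptables-nft or rewritten with native nft expressions (`reject`, `ct state`, `masquerade`) before the nftables service will accept it. A plain `ct state established,related accept` line is deliberately included in the sample to show that native rules are not flagged.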

Re: libvirt breaking nftables (iptables-nft)

Reply #1
I worked around the issue by making a new br0 bridge independently of libvirt, and configuring the virtual machine to use this bridge rather than letting libvirt create rules automatically.

Re: libvirt breaking nftables (iptables-nft)

Reply #2
Thanks for updating the post with your solution.

These days I always have br0 set up, so if and when I want to create and use VMs it's ready and waiting.