Kernel 6.17 and libvirt networking

[NathanZachary]

After updating to the 6.17.x kernels, I found that I wasn't able to start my Qemu/KVM VMs via virt-manager due to the following error:

Code: Select all

Error starting domain: Requested operation is not valid: network 'default' is not active

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 67, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
    ~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 101, in tmpcb
    callback(*args, **kwargs)
    ~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/object/domain.py", line 1446, in startup
    self._backend.create()
    ~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3.13/site-packages/libvirt.py", line 1390, in create
    raise libvirtError('virDomainCreate() failed')
libvirt.libvirtError: Requested operation is not valid: network 'default' is not active

Having run across this problem before, I attempted to start the 'default' network:

Code: Select all

# virsh net-list --all
 Name      State      Autostart   Persistent
----------------------------------------------
 default   inactive   yes         yes

# virsh net-start default
error: Failed to start network default
error: internal error: Failed to run firewall command iptables -w --table filter --list-rules: modprobe: FATAL: Module ip_tables not found in directory /lib/modules/6.17.2-gentoo
iptables v1.8.11 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Looking a bit further into the problem, I realised that it's due to the 6.17 kernels defaulting 'NETFILTER_XTABLES_LEGACY' to 'n' instead of 'y'. I figured it would be a good time to make the switch from iptables to nftables anyway, so I configured my kernel with the needed options:
https://wiki.gentoo.org/wiki/Nftables

and emerged net-firewall/nftables.

Now that everything is working again, I realised that I can't remove net-firewall/iptables due to both libvirt and iproute2 requiring the package.

1) I think it would be helpful to notify users of this kernel configuration defaults change (especially for those who use `make olddefconfig` when updating).
2) Is the net-firewall/iptables package still required for libvirt? It looks like it defaults to nftables if available:

Code: Select all

$ grep -A3 'If firewall_backend' /etc/libvirt/network.conf 
#   If firewall_backend isn't configured, libvirt will choose the
#   first available backend from the following list:
#
#     [nftables, iptables]

[grknight]

See also Kernel 6.17 - options not found for IP_NF and IP6_NF for related content

[MorgothSauron]

I had the same problem last week

I first enabled NETFILTER_XTABLES_LEGACY, but that wasn't enough.

I had to change the config for iptables

Code: Select all

root@morgoth:~ # eselect iptables list                                                                                                                                                
Available iptables symlink targets:
  [1]   xtables-legacy-multi
  [2]   xtables-nft-multi *
root@morgoth:~ # 

I didn't have the second option at first. I had to add the nftables USE to iptables (net-firewall/iptables nftables).

That was enough to start the default network again.

Finally, there were other kernel options reported as missing by a recent update to libvirt. See this post:
Kernel 6.17 - options not found for IP_NF and IP6_NF for related content

[NathanZachary]

I was able to get the network to start without adding the 'nftables' USE flag to net-firewall/iptables. Without that USE flag, though, there is only 'xtables-legacy-multi' and not 'xtables-nft-multi' under `eselect iptables list`. It didn't matter for my particular case, but it has me wondering what the point is of switching to nftables if net-firewall/iptables is still required?