NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

nftables fails to restart after libvirtd gets started #88643

Open meh opened 4 years ago

meh commented 4 years ago

Describe the bug

libvirtd seems to be able to bring up iptables and load the `ip_tables` module even when it's in the blacklist. This seems to be similar to what was happening in #24318, and the libvirtd module is in fact including `pkgs.iptables` instead of `config.networking.firewall.package`, which I guess would make it work when using `pkgs.iptables-nftables-compat`.

To Reproduce

Steps to reproduce the behavior:

  1. Enable nftables.
  2. nixos-rebuild switch
  3. Enable libvirtd.
  4. nixos-rebuild switch
  5. BOOM

Expected behavior

For libvirtd to use the right firewall package and not load the `ip_tables` module.

Additional context

I've used libvirtd before with iptables-nft on Arch, and it was working properly.

Notify maintainers @globin @fpletz

Metadata

 - system: `"x86_64-linux"`
 - host os: `Linux 5.4.41, NixOS, 20.09pre226148.0f5ce2fac0c (Nightingale)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.3.4`
 - channels(root): `"nixos-20.09pre226148.0f5ce2fac0c"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module: nixos/modules/virtualisation/libvirtd.nix

meh commented 4 years ago

Wait, I'm a dummy. I dug a little deeper, and `iptables-nftables-compat` is just iptables; it's the same for `iptables-nft` in Arch. Is the issue just the way the check is done in the nftables service?

onny commented 4 years ago

I'm still waiting for this to get merged: https://github.com/NixOS/nixpkgs/pull/81172. I guess this will fix nftables+docker for me and might be related to your issue.

stale[bot] commented 3 years ago

I marked this as stale due to inactivity.

jess-sch commented 3 years ago

Since iptables and nftables work completely fine together, I'm seriously questioning the value of having the ip_tables check in nixpkgs/nixos/modules/services/networking/nftables.nix at all.

Simply removing the checkScript portion of the service would obviously solve this problem, as well as any future "bad piece of software decided to load ip_tables and now I can't update my firewall" issues.
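As an added illustration of the check under discussion (example code written for this page; it is not the nftables.nix `checkScript`, nor code from nixpkgs or from any commenter), the POSIX shell script below classifies which netfilter backend a host is running from a `/proc/modules`-style listing. The assumption it encodes, stated here rather than taken from the thread, is that legacy iptables loads `ip_tables`/`ip6_tables`, while `nft` and iptables-nft drive `nf_tables` (with `nft_compat`) and never need `ip_tables`. A bare "is `ip_tables` loaded?" test therefore flags a legacy iptables started by some other service, but passes an iptables-nft compat layer, which is why the two commenters above reach different conclusions about the same check. The function names, the `ip_tables_absent` policy and the sample listings are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from nixpkgs or from anyone in this thread.
# Classifies the netfilter backend in use from a /proc/modules-style listing.
# Assumption: legacy iptables loads ip_tables/ip6_tables; nft and iptables-nft
# drive nf_tables (plus nft_compat) and do not need ip_tables.

# netfilter_backend FILE
# Prints one of: legacy, nft, both, none.
netfilter_backend() {
    _modules_file=$1
    _legacy=0
    _nft=0
    # Each /proc/modules line: "<name> <size> <refcount> <users> <state> <addr>"
    while read -r _name _rest; do
        case "$_name" in
            ip_tables|ip6_tables) _legacy=1 ;;
            nf_tables) _nft=1 ;;
        esac
    done < "$_modules_file"
    if [ "$_legacy" -eq 1 ] && [ "$_nft" -eq 1 ]; then
        echo both
    elif [ "$_legacy" -eq 1 ]; then
        echo legacy
    elif [ "$_nft" -eq 1 ]; then
        echo nft
    else
        echo none
    fi
}

# ip_tables_absent FILE
# Returns 0 when no legacy ip_tables module is listed (what a strict
# "nftables only" pre-start check would require), 1 otherwise.
ip_tables_absent() {
    case "$(netfilter_backend "$1")" in
        legacy|both) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample listings, not captured from a real host.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

SAMPLE_LEGACY="$tmpdir/legacy"
cat > "$SAMPLE_LEGACY" <<'EOF'
iptable_filter 16384 1 - Live 0x0000000000000000
ip_tables 32768 1 iptable_filter, Live 0x0000000000000000
x_tables 53248 2 iptable_filter,ip_tables, Live 0x0000000000000000
EOF

SAMPLE_NFT="$tmpdir/nft"
cat > "$SAMPLE_NFT" <<'EOF'
nft_compat 20480 4 - Live 0x0000000000000000
nf_tables 249856 12 nft_compat, Live 0x0000000000000000
nfnetlink 20480 2 nf_tables, Live 0x0000000000000000
EOF

SAMPLE_BOTH="$tmpdir/both"
cat "$SAMPLE_LEGACY" "$SAMPLE_NFT" > "$SAMPLE_BOTH"

SAMPLE_NONE="$tmpdir/none"
cat > "$SAMPLE_NONE" <<'EOF'
bridge 307200 0 - Live 0x0000000000000000
EOF

# Walk the samples and show what a strict ip_tables check would decide.
for f in "$SAMPLE_LEGACY" "$SAMPLE_NFT" "$SAMPLE_BOTH" "$SAMPLE_NONE"; do
    printf '%s: backend=%s' "$(basename "$f")" "$(netfilter_backend "$f")"
    if ip_tables_absent "$f"; then
        printf ' (strict ip_tables check passes)\n'
    else
        printf ' (strict ip_tables check fails)\n'
    fi
done
```

On a live host the same functions can be pointed at `/proc/modules` directly. The point of the classification is that "both" is a legitimate state when the ruleset is nftables-only and another service has merely loaded legacy iptables, which is the situation this issue describes; a pre-start script that exits non-zero on "both" blocks the firewall update without the ruleset itself being at fault.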

flokli commented 2 years ago

With the switch to iptables-nft, the nftables NixOS module should probably be revisited. I opened https://github.com/NixOS/nixpkgs/issues/161428 as a proposal.