jlutran commented 2 years ago

Required information

Distribution: Debian
Distribution version: 11.5

snap list:

Name    Version      Rev    Tracking       Publisher    Notes
core    16-2.57.2    13890  latest/stable  canonical**  core
core20  20220826     1626   latest/stable  canonical**  base
lxd     5.6-794016a  23686  latest/stable  canonical**  -

lxc info:

config:
core.https_address: '[::]:8443'
core.trust_password: true
images.auto_update_interval: "0"
api_extensions:
- storage_zfs_remove_snapshots
- container_host_shutdown_timeout
- container_stop_priority
- container_syscall_filtering
- auth_pki
- container_last_used_at
- etag
- patch
- usb_devices
- https_allowed_credentials
- image_compression_algorithm
- directory_manipulation
- container_cpu_time
- storage_zfs_use_refquota
- storage_lvm_mount_options
- network
- profile_usedby
- container_push
- container_exec_recording
- certificate_update
- container_exec_signal_handling
- gpu_devices
- container_image_properties
- migration_progress
- id_map
- network_firewall_filtering
- network_routes
- storage
- file_delete
- file_append
- network_dhcp_expiry
- storage_lvm_vg_rename
- storage_lvm_thinpool_rename
- network_vlan
- image_create_aliases
- container_stateless_copy
- container_only_migration
- storage_zfs_clone_copy
- unix_device_rename
- storage_lvm_use_thinpool
- storage_rsync_bwlimit
- network_vxlan_interface
- storage_btrfs_mount_options
- entity_description
- image_force_refresh
- storage_lvm_lv_resizing
- id_map_base
- file_symlinks
- container_push_target
- network_vlan_physical
- storage_images_delete
- container_edit_metadata
- container_snapshot_stateful_migration
- storage_driver_ceph
- storage_ceph_user_name
- resource_limits
- storage_volatile_initial_source
- storage_ceph_force_osd_reuse
- storage_block_filesystem_btrfs
- resources
- kernel_limits
- storage_api_volume_rename
- macaroon_authentication
- network_sriov
- console
- restrict_devlxd
- migration_pre_copy
- infiniband
- maas_network
- devlxd_events
- proxy
- network_dhcp_gateway
- file_get_symlink
- network_leases
- unix_device_hotplug
- storage_api_local_volume_handling
- operation_description
- clustering
- event_lifecycle
- storage_api_remote_volume_handling
- nvidia_runtime
- container_mount_propagation
- container_backup
- devlxd_images
- container_local_cross_pool_handling
- proxy_unix
- proxy_udp
- clustering_join
- proxy_tcp_udp_multi_port_handling
- network_state
- proxy_unix_dac_properties
- container_protection_delete
- unix_priv_drop
- pprof_http
- proxy_haproxy_protocol
- network_hwaddr
- proxy_nat
- network_nat_order
- container_full
- candid_authentication
- backup_compression
- candid_config
- nvidia_runtime_config
- storage_api_volume_snapshots
- storage_unmapped
- projects
- candid_config_key
- network_vxlan_ttl
- container_incremental_copy
- usb_optional_vendorid
- snapshot_scheduling
- snapshot_schedule_aliases
- container_copy_project
- clustering_server_address
- clustering_image_replication
- container_protection_shift
- snapshot_expiry
- container_backup_override_pool
- snapshot_expiry_creation
- network_leases_location
- resources_cpu_socket
- resources_gpu
- resources_numa
- kernel_features
- id_map_current
- event_location
- storage_api_remote_volume_snapshots
- network_nat_address
- container_nic_routes
- rbac
- cluster_internal_copy
- seccomp_notify
- lxc_features
- container_nic_ipvlan
- network_vlan_sriov
- storage_cephfs
- container_nic_ipfilter
- resources_v2
- container_exec_user_group_cwd
- container_syscall_intercept
- container_disk_shift
- storage_shifted
- resources_infiniband
- daemon_storage
- instances
- image_types
- resources_disk_sata
- clustering_roles
- images_expiry
- resources_network_firmware
- backup_compression_algorithm
- ceph_data_pool_name
- container_syscall_intercept_mount
- compression_squashfs
- container_raw_mount
- container_nic_routed
- container_syscall_intercept_mount_fuse
- container_disk_ceph
- virtual-machines
- image_profiles
- clustering_architecture
- resources_disk_id
- storage_lvm_stripes
- vm_boot_priority
- unix_hotplug_devices
- api_filtering
- instance_nic_network
- clustering_sizing
- firewall_driver
- projects_limits
- container_syscall_intercept_hugetlbfs
- limits_hugepages
- container_nic_routed_gateway
- projects_restrictions
- custom_volume_snapshot_expiry
- volume_snapshot_scheduling
- trust_ca_certificates
- snapshot_disk_usage
- clustering_edit_roles
- container_nic_routed_host_address
- container_nic_ipvlan_gateway
- resources_usb_pci
- resources_cpu_threads_numa
- resources_cpu_core_die
- api_os
- container_nic_routed_host_table
- container_nic_ipvlan_host_table
- container_nic_ipvlan_mode
- resources_system
- images_push_relay
- network_dns_search
- container_nic_routed_limits
- instance_nic_bridged_vlan
- network_state_bond_bridge
- usedby_consistency
- custom_block_volumes
- clustering_failure_domains
- resources_gpu_mdev
- console_vga_type
- projects_limits_disk
- network_type_macvlan
- network_type_sriov
- container_syscall_intercept_bpf_devices
- network_type_ovn
- projects_networks
- projects_networks_restricted_uplinks
- custom_volume_backup
- backup_override_name
- storage_rsync_compression
- network_type_physical
- network_ovn_external_subnets
- network_ovn_nat
- network_ovn_external_routes_remove
- tpm_device_type
- storage_zfs_clone_copy_rebase
- gpu_mdev
- resources_pci_iommu
- resources_network_usb
- resources_disk_address
- network_physical_ovn_ingress_mode
- network_ovn_dhcp
- network_physical_routes_anycast
- projects_limits_instances
- network_state_vlan
- instance_nic_bridged_port_isolation
- instance_bulk_state_change
- network_gvrp
- instance_pool_move
- gpu_sriov
- pci_device_type
- storage_volume_state
- network_acl
- migration_stateful
- disk_state_quota
- storage_ceph_features
- projects_compression
- projects_images_remote_cache_expiry
- certificate_project
- network_ovn_acl
- projects_images_auto_update
- projects_restricted_cluster_target
- images_default_architecture
- network_ovn_acl_defaults
- gpu_mig
- project_usage
- network_bridge_acl
- warnings
- projects_restricted_backups_and_snapshots
- clustering_join_token
- clustering_description
- server_trusted_proxy
- clustering_update_cert
- storage_api_project
- server_instance_driver_operational
- server_supported_storage_drivers
- event_lifecycle_requestor_address
- resources_gpu_usb
- clustering_evacuation
- network_ovn_nat_address
- network_bgp
- network_forward
- custom_volume_refresh
- network_counters_errors_dropped
- metrics
- image_source_project
- clustering_config
- network_peer
- linux_sysctl
- network_dns
- ovn_nic_acceleration
- certificate_self_renewal
- instance_project_move
- storage_volume_project_move
- cloud_init
- network_dns_nat
- database_leader
- instance_all_projects
- clustering_groups
- ceph_rbd_du
- instance_get_full
- qemu_metrics
- gpu_mig_uuid
- event_project
- clustering_evacuation_live
- instance_allow_inconsistent_copy
- network_state_ovn
- storage_volume_api_filtering
- image_restrictions
- storage_zfs_export
- network_dns_records
- storage_zfs_reserve_space
- network_acl_log
- storage_zfs_blocksize
- metrics_cpu_seconds
- instance_snapshot_never
- certificate_token
- instance_nic_routed_neighbor_probe
- event_hub
- agent_nic_config
- projects_restricted_intercept
- metrics_authentication
- images_target_project
- cluster_migration_inconsistent_copy
- cluster_ovn_chassis
- container_syscall_intercept_sched_setscheduler
- storage_lvm_thinpool_metadata_size
- storage_volume_state_total
- instance_file_head
- instances_nic_host_name
- image_copy_profile
- container_syscall_intercept_sysinfo
- clustering_evacuation_mode
- resources_pci_vpd
- qemu_raw_conf
- storage_cephfs_fscache
- network_load_balancer
- vsock_api
- instance_ready_state
- network_bgp_holdtime
- storage_volumes_all_projects
- metrics_memory_oom_total
- storage_buckets
- storage_buckets_create_credentials
- metrics_cpu_effective_total
- projects_networks_restricted_access
- storage_buckets_local
- loki
api_status: stable
api_version: "1.0"
auth: trusted
public: false
auth_methods:
- tls
environment:
addresses:
- 192.168.1.26:8443
- '[2a01:cb08:8809:3000:250:43ff:fe03:102]:8443'
architectures:
- armv7l
- armv6l
certificate: |
-----BEGIN CERTIFICATE-----
MIICAzCCAYmgAwIBAgIQCiH2e6wmvKmiUbCxYDZ7gDAKBggqhkjOPQQDAzA0MRww
GgYDVQQKExNsaW51eGNvbnRhaW5lcnMub3JnMRQwEgYDVQQDDAtyb290QGRlYmlh
bjAeFw0yMjEwMTIxNTQzNDBaFw0zMjEwMDkxNTQzNDBaMDQxHDAaBgNVBAoTE2xp
bnV4Y29udGFpbmVycy5vcmcxFDASBgNVBAMMC3Jvb3RAZGViaWFuMHYwEAYHKoZI
zj0CAQYFK4EEACIDYgAEcCsGe9sqDK6oZj6s5iQ0Ygdnya+9g/fffn7ubS9pT0t8
PHKbv7j59JKXsBlcluPaBd6xzFqV/alfNIMKkpGgfeZBQhFPt6YcC67zLLMg7VLA
YBbBuukhvgXHTqhJQn9ro2AwXjAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYI
KwYBBQUHAwEwDAYDVR0TAQH/BAIwADApBgNVHREEIjAgggZkZWJpYW6HBH8AAAGH
EAAAAAAAAAAAAAAAAAAAAAEwCgYIKoZIzj0EAwMDaAAwZQIxAOu2hZKlGX/fcdzd
KkBjx/YNf/5Tcy1LvmbOSgnwAbNql5y6QUyXBZFoDPSHjvG19QIwQnmdh7K2uuRt
CRji63xgQCOWyvppwPK0kFNJ5mDsJw7ua53so2rOIUoAJpFV7sId
-----END CERTIFICATE-----
certificate_fingerprint: b2f8511a9922b8e4ff829570ffd54e0f047edceb21040463359bc27b528162dd
driver: lxc
driver_version: 5.0.1
firewall: nftables
kernel: Linux
kernel_architecture: armv7l
kernel_features:
idmapped_mounts: "true"
netnsid_getifaddrs: "true"
seccomp_listener: "true"
seccomp_listener_continue: "true"
shiftfs: "false"
uevent_injection: "true"
unpriv_fscaps: "true"
kernel_version: 5.15.74-armada375
lxc_features:
cgroup2: "true"
core_scheduling: "true"
devpts_fd: "true"
idmapped_mounts_v2: "true"
mount_injection_file: "true"
network_gateway_device_route: "true"
network_ipvlan: "true"
network_l2proxy: "true"
network_phys_macvlan_mtu: "true"
network_veth_router: "true"
pidfd: "true"
seccomp_allow_deny_syntax: "true"
seccomp_notify: "true"
seccomp_proxy_send_notify_fd: "true"
os_name: Debian GNU/Linux
os_version: "11"
project: default
server: lxd
server_clustered: false
server_event_mode: full-mesh
server_name: debian
server_pid: 1396
server_version: "5.6"
storage: dir
storage_version: "1"
storage_supported_drivers:
- name: dir
version: "1"
remote: false
- name: lvm
version: 2.03.07(2) (2019-11-30) / 1.02.167 (2019-11-30) / 4.45.0
remote: false
- name: btrfs
version: 5.4.1
remote: false
- name: ceph
version: 15.2.16
remote: true
- name: cephfs
version: 15.2.16
remote: true
- name: cephobject
version: 15.2.16
remote: true

Issue description

Lxc bridged network creation is crashing during outbound NAT rules setup

Steps to reproduce

snap stop lxd.daemon
lxd --debug --group lxd
lxc network create lxdbr0 --type=bridge --debug

Information to attach

[X] Any relevant kernel output (dmesg)

bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.

[X] Output of the client with --debug

[...]
DEBUG  [2022-10-21T09:38:55+02:00] Sending request to LXD                        etag= method=POST url="http://unix.socket/1.0/networks"
DEBUG  [2022-10-21T09:38:55+02:00]
    {
        "config": {},
        "description": "",
        "name": "lxdbr0",
        "type": "bridge"
    }
Error: Failed to setup firewall: Failed adding outbound NAT rules for network "lxdbr0" (inet): Failed apply nftables config: Failed to run: nft -f -: exit status 1 (/dev/stdin:3:7-18: Error: Could not process rule: Operation not supported
chain pstrt.lxdbr0 {
      ^^^^^^^^^^^^
/dev/stdin:3:7-18: Error: Could not process rule: No such file or directory
chain pstrt.lxdbr0 {
      ^^^^^^^^^^^^
/dev/stdin:3:7-18: Error: Could not process rule: No such file or directory
chain pstrt.lxdbr0 {
      ^^^^^^^^^^^^)

[X] Output of the daemon with --debug

INFO   [2022-10-21T09:37:33+02:00] LXD is starting                               mode=normal path=/var/snap/lxd/common/lxd version=5.6
INFO   [2022-10-21T09:37:33+02:00] Kernel uid/gid map:
INFO   [2022-10-21T09:37:33+02:00]  - u 0 0 4294967295
INFO   [2022-10-21T09:37:33+02:00]  - g 0 0 4294967295
INFO   [2022-10-21T09:37:33+02:00] Configured LXD uid/gid map:
INFO   [2022-10-21T09:37:33+02:00]  - u 0 1000000 1000000000
INFO   [2022-10-21T09:37:33+02:00]  - g 0 1000000 1000000000
WARNING[2022-10-21T09:37:33+02:00] AppArmor support has been disabled because of lack of kernel support
INFO   [2022-10-21T09:37:33+02:00] Kernel features:
INFO   [2022-10-21T09:37:33+02:00]  - closing multiple file descriptors efficiently: yes
INFO   [2022-10-21T09:37:33+02:00]  - netnsid-based network retrieval: yes
INFO   [2022-10-21T09:37:33+02:00]  - pidfds: yes
INFO   [2022-10-21T09:37:33+02:00]  - core scheduling: no
INFO   [2022-10-21T09:37:33+02:00]  - uevent injection: yes
INFO   [2022-10-21T09:37:33+02:00]  - seccomp listener: yes
INFO   [2022-10-21T09:37:33+02:00]  - seccomp listener continue syscalls: yes
INFO   [2022-10-21T09:37:33+02:00]  - seccomp listener add file descriptors: yes
INFO   [2022-10-21T09:37:33+02:00]  - attach to namespaces via pidfds: yes
INFO   [2022-10-21T09:37:33+02:00]  - safe native terminal allocation : yes
INFO   [2022-10-21T09:37:33+02:00]  - unprivileged file capabilities: yes
INFO   [2022-10-21T09:37:33+02:00]  - cgroup layout: cgroup2
WARNING[2022-10-21T09:37:33+02:00]  - AppArmor support has been disabled, Disabled because of lack of kernel support
WARNING[2022-10-21T09:37:33+02:00]  - Couldn't find the CGroup hugetlb controller, hugepage limits will be ignored
WARNING[2022-10-21T09:37:33+02:00]  - Couldn't find the CGroup network priority controller, network priority will be ignored
INFO   [2022-10-21T09:37:33+02:00]  - shiftfs support: no
INFO   [2022-10-21T09:37:33+02:00]  - idmapped mounts kernel support: yes
WARNING[2022-10-21T09:37:33+02:00] Instance type not operational                 driver=qemu err="KVM support is missing (no /dev/kvm)" type=virtual-machine
INFO   [2022-10-21T09:37:33+02:00] Initializing local database
DEBUG  [2022-10-21T09:37:33+02:00] Refreshing local trusted certificate cache
INFO   [2022-10-21T09:37:33+02:00] Set client certificate to server certificate  fingerprint=b2f8511a9922b8e4ff829570ffd54e0f047edceb21040463359bc27b528162dd
DEBUG  [2022-10-21T09:37:33+02:00] Initializing database gateway
INFO   [2022-10-21T09:37:33+02:00] Starting database node                        id=1 local=1 role=voter
INFO   [2022-10-21T09:37:38+02:00] Loading daemon configuration
INFO   [2022-10-21T09:37:38+02:00] Binding socket                                socket=/var/snap/lxd/common/lxd/devlxd/sock type="devlxd socket"
INFO   [2022-10-21T09:37:38+02:00] Binding socket                                socket=/var/snap/lxd/common/lxd/unix.socket type="REST API Unix socket"
INFO   [2022-10-21T09:37:38+02:00] Binding socket                                socket="[::]:8443" type="REST API TCP socket"
INFO   [2022-10-21T09:37:38+02:00] Initializing global database
INFO   [2022-10-21T09:37:38+02:00] Connecting to global database
DEBUG  [2022-10-21T09:37:38+02:00] Dqlite: attempt 1: server 1: connected
INFO   [2022-10-21T09:37:38+02:00] Connected to global database
INFO   [2022-10-21T09:37:38+02:00] Initialized global database
DEBUG  [2022-10-21T09:37:38+02:00] Firewall detected "xtables" incompatibility: Backend command "ebtables" is an nftables shim
INFO   [2022-10-21T09:37:38+02:00] Firewall loaded driver                        driver=nftables
INFO   [2022-10-21T09:37:38+02:00] Initializing storage pools
DEBUG  [2022-10-21T09:37:38+02:00] Initializing storage pool                     pool=data
DEBUG  [2022-10-21T09:37:38+02:00] Mount started                                 driver=dir pool=data
DEBUG  [2022-10-21T09:37:38+02:00] Mount finished                                driver=dir pool=data
INFO   [2022-10-21T09:37:38+02:00] Initialized storage pool                      pool=data
INFO   [2022-10-21T09:37:38+02:00] All storage pools initialized
INFO   [2022-10-21T09:37:38+02:00] Initializing daemon storage mounts
INFO   [2022-10-21T09:37:38+02:00] Initializing networks
INFO   [2022-10-21T09:37:38+02:00] All networks initialized
[...]
DEBUG  [2022-10-21T09:38:55+02:00] Handling API request                          ip=@ method=POST protocol=unix url=/1.0/networks username=root
DEBUG  [2022-10-21T09:38:55+02:00] API Request
{
    "config": {},
    "description": "",
    "name": "lxdbr0",
    "type": "bridge"
}  ip=@ method=POST protocol=unix url=/1.0/networks username=root
DEBUG  [2022-10-21T09:38:58+02:00] Create                                        clientType=normal config="map[ipv4.address:10.69.192.1/24 ipv4.nat:true ipv6.address:fd42:9c7f:1d79:6ac2::1/64 ipv6.nat:true]" driver=bridge network=lxdbr0 project=default
DEBUG  [2022-10-21T09:38:58+02:00] Start                                         driver=bridge network=lxdbr0 project=default
DEBUG  [2022-10-21T09:38:58+02:00] Setting up network                            driver=bridge network=lxdbr0 project=default
DEBUG  [2022-10-21T09:38:58+02:00] Stable MAC generated                          driver=bridge hwAddr="00:16:3e:82:e3:9d" network=lxdbr0 project=default seed=b2f8511a9922b8e4ff829570ffd54e0f047edceb21040463359bc27b528162dd.0.21
DEBUG  [2022-10-21T09:38:58+02:00] Clearing firewall                             driver=bridge network=lxdbr0 project=default
DEBUG  [2022-10-21T09:38:58+02:00] Setting up firewall                           driver=bridge network=lxdbr0 project=default
DEBUG  [2022-10-21T09:38:58+02:00] Delete                                        clientType=normal driver=bridge network=lxdbr0 project=default
DEBUG  [2022-10-21T09:38:59+02:00] Error Response
{
    "type": "error",
    "status": "",
    "status_code": 0,
    "operation": "",
    "error_code": 500,
    "error": "Failed to setup firewall: Failed adding outbound NAT rules for network \"lxdbr0\" (inet): Failed apply nftables config: Failed to run: nft -f -: exit status 1 (/dev/stdin:3:7-18: Error: Could not process rule: Operation not supported\nchain pstrt.lxdbr0 {\n      ^^^^^^^^^^^^\n/dev/stdin:3:7-18: Error: Could not process rule: No such file or directory\nchain pstrt.lxdbr0 {\n      ^^^^^^^^^^^^\n/dev/stdin:3:7-18: Error: Could not process rule: No such file or directory\nchain pstrt.lxdbr0 {\n      ^^^^^^^^^^^^)",
    "metadata": null
}  http_code=500

tomponline commented 2 years ago

This is most likely a missing kernel module for nftables. Probably related to nat given the error message.

What does lsmod show?

jlutran commented 2 years ago

lsmod:

Module                  Size  Used by
bridge                212992  0
stp                    16384  1 bridge
llc                    16384  2 bridge,stp
dm_mod                 98304  0
ebtable_filter         16384  0
ebtables               28672  1 ebtable_filter
ip6table_raw           16384  0
ip6table_mangle        16384  0
ip6table_nat           16384  0
ip6table_filter        16384  0
iptable_raw            16384  0
iptable_mangle         16384  0
iptable_nat            16384  0
nf_nat                 32768  2 iptable_nat,ip6table_nat
nf_conntrack           81920  1 nf_nat
nf_defrag_ipv6         20480  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack
iptable_filter         16384  0
nf_tables             180224  0
nfnetlink              16384  1 nf_tables
configfs               32768  1
ip_tables              24576  4 iptable_mangle,iptable_filter,iptable_raw,iptable_nat

tomponline commented 2 years ago

Do you have ipv6 disabled in your system?

jlutran commented 2 years ago

I don't think so:

root@debian:~# cat /sys/module/ipv6/parameters/disable
0
root@debian:~# ip -6 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 2048
    inet6 2a01:cb08:8809:3000:250:43ff:fe03:102/64 scope global dynamic mngtmpaddr
       valid_lft 86353sec preferred_lft 553sec
    inet6 fe80::250:43ff:fe03:102/64 scope link
       valid_lft forever preferred_lft forever

tomponline commented 2 years ago

OK so that maybe the issue then, you're missing a few ipv6 netfilter modules:

For comparison on my system:

lsmod | grep tables
ebtables               45056  1 ebtable_filter
ip6_tables             32768  4 ip6table_filter,ip6table_raw,ip6table_nat,ip6table_mangle
nf_tables             245760  138 nft_masq,nft_chain_nat
nfnetlink              20480  3 nfnetlink_cttimeout,nf_tables
ip_tables              32768  4 iptable_filter,iptable_raw,iptable_nat,iptable_mangle
x_tables               53248  11 ebtables,ip6table_filter,ip6table_raw,iptable_filter,ip6table_nat,ip6_tables,iptable_raw,ip_tables,iptable_nat,ip6table_mangle,iptable_mangle
libcrc32c              16384  5 nf_conntrack,nf_nat,openvswitch,btrfs,nf_tables

lsmod | grep filter
ebtable_filter         16384  0
ebtables               45056  1 ebtable_filter
ip6table_filter        16384  0
ip6_tables             32768  4 ip6table_filter,ip6table_raw,ip6table_nat,ip6table_mangle
iptable_filter         16384  0
bpfilter               16384  0
ip_tables              32768  4 iptable_filter,iptable_raw,iptable_nat,iptable_mangle
x_tables               53248  11 ebtables,ip6table_filter,ip6table_raw,iptable_filter,ip6table_nat,ip6_tables,iptable_raw,ip_tables,iptable_nat,ip6table_mangle,iptable_mangle

jlutran commented 2 years ago

You're right, seems like I missed some kernel modules ! I just ran a new build with this diff:

-# CONFIG_NF_TABLES_INET is not set
+CONFIG_NF_TABLES_INET=y
+CONFIG_NFT_NAT=m
+CONFIG_NFT_REJECT_INET=m
+CONFIG_NFT_FIB=m
-CONFIG_NETFILTER_XTABLES=y
+CONFIG_NETFILTER_XTABLES=m
-# CONFIG_NF_TABLES_IPV4 is not set
+CONFIG_NF_TABLES_IPV4=y
+CONFIG_NFT_REJECT_IPV4=m
+# CONFIG_NFT_DUP_IPV4 is not set
+# CONFIG_NFT_FIB_IPV4 is not set
-# CONFIG_NF_TABLES_IPV6 is not set
+CONFIG_NF_TABLES_IPV6=y
+CONFIG_NFT_REJECT_IPV6=m
+CONFIG_NFT_DUP_IPV6=m
+CONFIG_NFT_FIB_IPV6=m

I'll keep you posted in a new hours

jlutran commented 2 years ago

Issue solved, thanks for your quick replies !

tomponline commented 2 years ago

Excellent thanks!

canonical / lxd

Failed adding outbound NAT rules for bridge network #11043

Required information

Issue description

Steps to reproduce

Information to attach