plugins: ERROR: table `nat' is incompatible, use 'nft' tool.
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind feature
Description
I use nftables; when starting a container I get:
ERRO[0000] Error adding network: failed to list chains: running [/usr/sbin/iptables -t nat -S --wait]: exit status 1: iptables v1.8.2 (nf_tables): table `nat' is incompatible, use 'nft' tool.
ERRO[0000] Error while adding pod to CNI network "podman": failed to list chains: running [/usr/sbin/iptables -t nat -S --wait]: exit status 1: iptables v1.8.2 (nf_tables): table `nat' is incompatible, use 'nft' tool.
Error: error configuring network namespace for container 51f6adbaed7d674fb4b48d501eb7ce0605d09e003ac09f6588b98dea7230ca9f: failed to list chains: running [/usr/sbin/iptables -t nat -S --wait]: exit status 1: iptables v1.8.2 (nf_tables): table `nat' is incompatible, use 'nft' tool.
Steps to reproduce the issue:
- Create network configuration:
cat >/etc/cni/net.d/podman.conflist <<EOF
{
  "cniVersion": "0.4.0",
  "name": "podman",
  "plugins": [
    {
      "type": "bridge",
      "bridge": "cni-podman0",
      "isGateway": true,
      "ipMasq": true,
      "ipam": {
        "type": "host-local",
        "routes": [
          {
            "dst": "0.0.0.0/0"
          }
        ],
        "ranges": [
          [
            {
              "subnet": "192.168.124.0/24",
              "gateway": "192.168.124.1"
            }
          ]
        ]
      }
    },
    {
      "type": "portmap",
      "capabilities": {
        "portMappings": true
      }
    },
    {
      "type": "firewall",
      "backend": "nftables"
    }
  ]
}
EOF
- Pull fedora image and start a container:
podman pull fedora:latest
podman run -it fedora bash
Describe the results you received:
ERRO[0000] Error adding network: failed to list chains: running [/usr/sbin/iptables -t nat -S --wait]: exit status 1: iptables v1.8.2 (nf_tables): table `nat' is incompatible, use 'nft' tool.
ERRO[0000] Error while adding pod to CNI network "podman": failed to list chains: running [/usr/sbin/iptables -t nat -S --wait]: exit status 1: iptables v1.8.2 (nf_tables): table `nat' is incompatible, use 'nft' tool.
Error: error configuring network namespace for container 51f6adbaed7d674fb4b48d501eb7ce0605d09e003ac09f6588b98dea7230ca9f: failed to list chains: running [/usr/sbin/iptables -t nat -S --wait]: exit status 1: iptables v1.8.2 (nf_tables): table `nat' is incompatible, use 'nft' tool.
Describe the results you expected:
No errors.
Additional information you deem important (e.g. issue happens only occasionally):
Output of podman version:
podman version 1.6.4
Output of podman info --debug:
debug:
  compiler: gc
  git commit: ""
  go version: go1.12.12
  podman version: 1.6.4
host:
  BuildahVersion: 1.12.0-dev
  CgroupVersion: v1
  Conmon:
    package: conmon-2.0.6-1.module+el8.1.1+5259+bcdd613a.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.6, commit: 6ffbb2ec70dbe5ba56e4bfde946fb04f19dd8bbf'
  Distribution:
    distribution: '"rhel"'
    version: "8.1"
  MemFree: 483997450240
  MemTotal: 540217061376
  OCIRuntime:
    name: runc
    package: runc-1.0.0-64.rc9.module+el8.1.1+5259+bcdd613a.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 10737414144
  SwapTotal: 10737414144
  arch: amd64
  cpus: 64
  eventlogger: journald
  kernel: 4.18.0-147.5.1.el8_1.x86_64
  os: linux
  rootless: false
  uptime: 662h 43m 16.45s (Approximately 27.58 days)
registries:
  blocked: null
  insecure: null
  search:
  - registry.redhat.io
  - registry.access.redhat.com
  - quay.io
  - docker.io
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 4
  GraphDriverName: overlay
  GraphOptions: {}
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 2
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes
Package info (e.g. output of rpm -q podman or apt list podman):
podman-1.6.4-2.module+el8.1.1+5363+bf8ff1af.x86_64
Additional environment details (AWS, VirtualBox, physical, etc.):
Physical.
About this issue
- State: closed
- Created 4 years ago
- Reactions: 3
- Comments: 23 (4 by maintainers)
Commits related to this issue
- add nftables firewall backend Resolves: #461 — committed to greenpau/origin_containernetworking_plugins by greenpau 4 years ago
- add nftables firewall backend Resolves: #461 Signed-off-by: Paul Greenberg <greenpau@outlook.com> — committed to greenpau/origin_containernetworking_plugins by greenpau 4 years ago
- firewall: add nftables backend Resolves: #461 Signed-off-by: Paul Greenberg <greenpau@outlook.com> — committed to greenpau/origin_containernetworking_plugins by greenpau 4 years ago
It seems that ipMasq==true requires some iptables actions, but from the output iptables v1.8.2 (nf_tables), the iptables of your kernel is working in nf_tables mode. As far as I know, the iptables utility package go-iptables, which is used by cni-plugins, does not support this mode. Ping to go-iptables owner @squeed
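A triage helper for the failure discussed in this thread, added here as an example and not part of the issue or of the CNI plugins code: it parses the quoted error line for the iptables backend and table, then lists the plugins in the conflist that depend on that table. The function names are hypothetical, the conflist is a trimmed copy of the reporter's, and treating portmap as an iptables NAT user is an assumption.

```python
import json
import re

# Error line quoted from the report above.
ERROR_LINE = (
    "ERRO[0000] Error adding network: failed to list chains: running "
    "[/usr/sbin/iptables -t nat -S --wait]: exit status 1: iptables v1.8.2 "
    "(nf_tables): table `nat' is incompatible, use 'nft' tool."
)
# Trimmed copy of the reporter's conflist (ipam section omitted).
CONFLIST = """
{"cniVersion": "0.4.0", "name": "podman", "plugins": [
  {"type": "bridge", "bridge": "cni-podman0", "isGateway": true, "ipMasq": true},
  {"type": "portmap", "capabilities": {"portMappings": true}},
  {"type": "firewall", "backend": "nftables"}
]}
"""
ERR_RE = re.compile(
    r"running \[(?P<cmd>[^\]]+)\]: exit status (?P<rc>\d+): "
    r"iptables v(?P<version>[\d.]+) \((?P<backend>\w+)\): "
    r"table `(?P<table>\w+)' is incompatible"
)

def parse_error(line):
    """Return command, exit code, iptables version, backend and table, or None."""
    m = ERR_RE.search(line)
    return m.groupdict() if m else None

def iptables_nat_users(conflist_text):
    """List plugins in a conflist that will program the iptables nat table."""
    hits = []
    for plugin in json.loads(conflist_text).get("plugins", []):
        ptype = plugin.get("type")
        if ptype == "bridge" and plugin.get("ipMasq") is True:
            hits.append("bridge (ipMasq=true)")  # named in the comment above
        elif ptype == "portmap":
            # Assumption: portmap also writes iptables NAT rules.
            hits.append("portmap")
    return hits

def preflight(line, conflist_text):
    """Pair the failing backend/table with the plugins that depend on it."""
    err = parse_error(line)
    if err is None or err["backend"] != "nf_tables":
        return []
    return [f"{p} needs iptables table '{err['table']}'"
            for p in iptables_nat_users(conflist_text)]
```

Calling `preflight(ERROR_LINE, CONFLIST)` names the bridge and portmap entries as the ones to review on a host whose `nat` table is managed with `nft`.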