No network connection on VMs after a system upgrade (F41->F42)

bifutake · June 19, 2025, 1:48pm

Yesterday, I’ve disabled all third-party repositories, uninstalled all extra packages (except the ones which gave me a warning), and performed a system upgrade via Discover from F41 KDE to F42 KDE. All went well, so I re-enabled the repos and installed the packages from them. There were a few hickups along the way (PIA VPN had an issue with iptables which I solved by uninstalling it, deleting all the configuration files, and then performing a clean install), but most of it works fine. With the exception of my virtual machines.

I’m using KVM/QEMU with VMM, and I can no longer establish a network connection in any of my existing VMs, nor can I get it working when I try building a new VM (with the VPN turned off). I tried uninstalling and reinstalling, but maybe I didn’t clean the configs thoroughly. I tried forcing the old backend in /etc/libvirt/network.conf to iptables but that made the KVM/QEMU not able to connect to the VMs. I then reverted to nftables and set it explicitly. I tried modifying my /etc/sysconfig/nftables.conf and making it executable. Nothing worked.

My host has no problems connecting via ethernet.

Does anyone have any suggestions before I resort to a clean OS install?

EDIT - I tried a thorough uninstall and a clean install of the @Virtualization group, flushed the nft ruleset, restarted nftables and libvirtd several times, etc. Still nothing.

If I’m forced to do a clean OS install, I think I may as well switch to a rolling-release distro, probably CachyOS.

bifutake · June 20, 2025, 12:19pm

Found the culprit and the solution. My firewall was borked by the system upgrade, so I had to reset it to its default values, but I also had to change the location for the nftables from /etc/sysconfig/nftables.conf to /etc/nftables.conf.

Couldn’t have done it without AI, which told me:

the file /etc/sysconfig/nftables.conf is the older, legacy-style config location that Fedora used before switching to /etc/nftables.conf (with systemd integration). It may still work, but it’s not guaranteed to be loaded unless explicitly referenced by your systemd unit.

TL;DR:

Fedora 42 expects /etc/nftables.conf, not /etc/sysconfig/nftables.conf.

This is what I had to do:

1. Remove your current rules:

sudo nft flush ruleset

2. Then stop nftables:

sudo systemctl stop nftables

3. Locate the current config file (mine was in /etc/sysconfig/nftables.conf):

locate nftables.conf

4. Flush old rules and disable legacy config:

sudo nft flush ruleset
sudo mv /etc/sysconfig/nftables.conf /etc/sysconfig/nftables.conf.bak

5. Create a clean /etc/nftables.conf (This config accepts all traffic (you can lock it down later) and enables NAT for your VMs via virbr0):

sudo tee /etc/nftables.conf > /dev/null <<'EOF'
#!/usr/sbin/nft -f

table inet filter {
    chain input {
        type filter hook input priority 0;
        policy accept;
    }

    chain forward {
        type filter hook forward priority 0;
        policy accept;
    }

    chain output {
        type filter hook output priority 0;
        policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "virbr0" masquerade
    }
}
EOF

6. Create a systemd override for nftables:

sudo systemctl edit nftables

7. This opens an empty editor. Add the following:

[Service]
ExecStart=
ExecStart=/usr/sbin/nft -f /etc/nftables.conf

8. Reload and restart the service:

sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl restart nftables

9. Then check status:

sudo systemctl status nftables

My VMs now have networking.

My next step is asking AI:

you said my nftables now accept all traffic which i can lock down later. what changes should i make?

vgaetera · June 20, 2025, 1:51pm

This kind of issue generally invovles the following components:

Virtualization
Network and routing
Firewall

Troubleshooting should generally include the following steps:

Check for errors in the relevant logs.
Analyze the relevant persistent and runtime configs.
Rule out possible SELinux issues by using permissive mode.

The second step can be simplified by restoring the defaults:

# Missing and modified files
sudo rpm -V -a | sort -t / -k 2

# Extra files
sudo -i << EOI | sort
grep -v -x -F -f <(rpm -q -a -l) <(find /etc)
EOI

# Service startup
sudo systemctl preset-all

Remove the related modified configs and reinstall the relevant packages.
Note that the nftables service is disabled in F42 by default.

BTW, the AI lied to you, see:

systemctl cat nftables.service
dnf provides \*/nftables.conf

bifutake · June 20, 2025, 5:41pm

Thank you for the reply, Vladislav. It would seem that AI is (at the moment) only useful if you ask the right questions. I didn’t realize nftables don’t have to be used at all, so now I asked how I could revert to an entirely default setup, as if I performed a clean install. These were the instructions I got (btw. they work after a reboot):

On a clean Fedora 42 install, most users are protected not by a custom /etc/nftables.conf ruleset, but by the default firewall service: firewalld, which uses nftables as its backend[1]. If you want to revert to the default firewall behavior as seen on a fresh Fedora system, here’s what you should do:

Steps to Restore Default Firewall Behavior
Remove or Rename Your Custom Ruleset
Delete or move /etc/nftables.conf:
sudo mv /etc/nftables.conf /etc/nftables.conf.backup
Disable the nftables Service
Fedora Workstation uses firewalld by default, not the nftables service directly[1]. So, stop and disable nftables:
sudo systemctl stop nftables
sudo systemctl disable nftables
Enable and Start firewalld
Make sure firewalld is running and enabled:
sudo systemctl enable firewalld
sudo systemctl start firewalld
Check Status
Verify firewalld is active:
sudo firewall-cmd --state
You can also check your current firewall rules with:
sudo firewall-cmd --list-all
What Happens After These Steps?

firewalld will manage your firewall rules using its default zones and policies, which are designed to be secure for home users out-of-the-box[1].

No custom nftables rules will be loaded at boot, and the nftables service will not interfere with firewalld[1].

You’ll have the same firewall protection as a new Fedora 42 installation, unless you further customize firewalld.

Topic		Replies	Views
No apparent network connections after Fedora 42 update Ask Fedora network , kde , f42	5	136	June 20, 2025
Virtual Machine Manager Networking Broke After Update Ask Fedora networkmanager , networking , virtual-machine-manager , f41	4	1236	November 19, 2024
Please help, networking issue after upgrade from F40 to F41 Ask Fedora f41	4	106	February 18, 2025
QEMU/KVM VM Loses Network Access When "Local Network Sharing" is Disabled in Mullvad VPN Ask Fedora libvirt , qemukvm , networking , 3rd-party-software , f41 , mullvadvpn	1	155	March 5, 2025
Wifi/connection problems on fresh fedora 39 kde install Ask Fedora kde , selinux , f39	8	1248	July 24, 2024

No network connection on VMs after a system upgrade (F41->F42)

Steps to Restore Default Firewall Behavior

What Happens After These Steps?

Related topics