Comment 0 for bug 1898547

Ubuntu Groovy (20.10)
kernel 5.8.0-20-generic
neutron-linuxbridge-agent: 2:17.0.0~git2020091014.215a541bd4-0ubuntu1
iptables: 1.8.5-3ubuntu1 (nf_tables)
iptables-restore points to xtables-nft-multi

After upgrading iptables from 1.8.4 to 1.8.5 and rebooting the neutron network node, neutron-linuxbridge-agent didn't properly start anymore.
The log file shows many errors like:

2020-10-05 10:20:37.998 551 ERROR neutron.plugins.ml2.drivers.agent._common_agent ; Stdout: ; Stderr: iptables-restore: line 29 failed

Downgrading iptables to 1.8.4 solves the problem.

Trying to do what the linuxbridge agent does:
2020-10-05 10:20:37.998 551 ERROR neutron.plugins.ml2.drivers.agent._common_agent *filter
2020-10-05 10:20:37.998 551 ERROR neutron.plugins.ml2.drivers.agent._common_agent :FORWARD - [0:0]

shows that

iptables-restore <<EOF
*filter
:INPUT - [0:0]
COMMIT
EOF

works fine with iptables 1.8.4 but fails with 1.8.5

Workaround

It seems neutron-linuxbridge agent tries to create the default chains (like INPUT) with a "-" as policy. By making sure the chains already exist (and are shown with iptables-save) the agent doesn't try to create those default chains and the agent starts fine.
So just running:
sudo iptables -F OUTPUT
sudo iptables -F OUTPUT -t raw
sudo ip6tables -F OUTPUT
sudo ip6tables -F OUTPUT -t raw

is enough to get neutron-linuxbridge-agent working with iptables 1.8.5.