
I'm trying to set up a virtual NAT network device without DHCP for libvirt on an Arch Linux host.

What I have tried:

# virsh net-define network.xml 
Network default defined from network.xml

[network.xml]:

<network>
  <name>default</name>
  <bridge name="maas0" />
  <forward mode="nat" />
  <ip address="10.137.0.1" netmask="255.255.255.0" />
</network>

My laptop outputs the following on start-up:

# virsh net-start default
error: Failed to start network default
error: internal error: Failed to initialize a valid firewall backend

All other threads concerning this topic are talking about upgrading software -- I'm using the most current versions:

$ pacman -Q ebtables dnsmasq libvirt iptables
ebtables 2.0.10_4-5
dnsmasq 2.75-1
libvirt 1.3.3-1
iptables 1.4.21-3

What could be the reason for that internal error and what can I do about it?

Ramhound
testandby

3 Answers


Installing ebtables and dnsmasq seems to fix the problem. Don't forget to restart the libvirtd service.

The commands:

sudo pacman -Syu ebtables dnsmasq
sudo systemctl restart libvirtd

NOTE: do not forget to close and re-open your virt-manager GUI (if you're using one).

EDIT: The original answer suggested also installing firewalld. This doesn't seem to be necessary for many users, and may add an additional unwanted firewall to your system. However if you want to try it, you can add the following commands as well:

sudo pacman -Syu firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld
sudo systemctl restart libvirtd
Phil
    There's no need to install `firewalld`, it's also [not listed on ArchLinux wiki](https://wiki.archlinux.org/index.php/libvirt#Server), it's just necessary to start `ebtables` and `dnsmasq`, with `libvirtd`/`virtlogd` afterwards. – oblitum Jan 01 '18 at 17:51
  • 16
    I want to emphasize, **restart libvirtd**, after installing `ebtables` and `dnsmasq` – ThorSummoner Aug 27 '18 at 00:18
  • 4
    I confirm there's no need to install `firewalld`, as noted by @pepper_chico (comment) and [Stuart P. Bentley](https://superuser.com/a/1360773/1038080) (other answer). – Alex Oliveira May 18 '19 at 18:08
  • installing `ebtables` for me meant replacing `iptables` with `iptables-nft` as their packages conflicted. I had nothing configured in `iptables` and the change seems to have not broken anything. – Tom Saleeba Jun 20 '21 at 21:29

This is the error that comes up if libvirtd was started without ebtables and/or dnsmasq installed. If you've got them installed and you're still having this issue, you probably need to restart the libvirtd service:

sudo systemctl restart libvirtd.service

Credit to the comments on the other answer to this question for illuminating this. I'm submitting it as a new and separate answer to the original question because installing and starting firewalld to solve the original problem is liable to cause new problems: once the firewall daemon is running, most of the services you'll want within your virtual machine, including DHCP, will be blocked by default, meaning that your VMs will not be able to reach the network on initialization.

I lost over an hour of my life trying to track down this problem, and tracing it to a firewall I had just enabled was one of the dumbest sources of a bug that I've ever run into. Don't let it take any time from yours.


As I am not able yet to add an additional comment to the most upvoted answer, I had to add this solution as a new answer instead.

In some cases, users might not want to replace iptables with iptables-nft as it might break existing rules.

The legacy iptables package contains ebtables-nft which is a symlink to xtables-nft-multi.

You can check this using file:

$ file $(which ebtables-nft)
/usr/bin/iptables: symbolic link to xtables-nft-multi

A simple solution is to create the missing symlinks so libvirt/virt-manager can find it without touching existing packages on your system.

$ ln -s /usr/bin/xtables-nft-multi /usr/bin/ebtables
$ ln -s /usr/bin/xtables-nft-multi /usr/bin/ebtables-save
$ ln -s /usr/bin/xtables-nft-multi /usr/bin/ebtables-restore

Restart the libvirt daemons/sockets (whatever you use) afterwards and the networks should start without the firewall backend error.

phk
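The three answers above describe one procedure in pieces: make sure the firewall-backend tools are installed, restart libvirtd so it re-probes for them, and (if you cannot install the ebtables package) expose the ebtables names as symlinks to xtables-nft-multi. The script below is an added example for this thread, not code from libvirt or from any of the answers. It assumes (labelled in the comments) that libvirt's iptables backend looks for iptables, ip6tables and ebtables on its PATH and that a NAT network also needs dnsmasq; the tool directories and the libvirtd start time are passed in as arguments so each check can be run and tested without a live host, and `main` (which reads the real PATH and asks systemd when libvirtd started) only runs when invoked with `--run`.

```shell
#!/bin/sh
# libvirt-fw-check.sh: diagnose "Failed to initialize a valid firewall backend".
# Added example for this thread, not code from libvirt or from any answer above.
# Assumption: libvirt's iptables backend needs iptables, ip6tables and ebtables
# on PATH, and a NAT network additionally needs dnsmasq. Directories and the
# libvirtd start time are parameters so the checks run without a real host.

# find_tool NAME DIR...: print the first executable NAME found in DIR...; return 1 if none.
find_tool() {
    name=$1; shift
    for d in "$@"; do
        if [ -x "$d/$name" ]; then
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    return 1
}

# missing_tools DIR...: print each required tool not found in DIR..., one per line.
# Returns 0 when nothing is missing, 1 otherwise.
missing_tools() {
    rc=0
    for t in iptables ip6tables ebtables dnsmasq; do
        if ! find_tool "$t" "$@" >/dev/null; then
            printf '%s\n' "$t"
            rc=1
        fi
    done
    return $rc
}

# mtime FILE: modification time of FILE in seconds since the epoch (GNU stat, BSD fallback).
mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# needs_restart START_EPOCH DIR...: return 0 if any required tool found in DIR... is newer
# than START_EPOCH (when libvirtd started). libvirtd probes for its firewall backend once
# at startup, so a tool installed afterwards is invisible until the service is restarted.
needs_restart() {
    start=$1; shift
    for t in iptables ip6tables ebtables dnsmasq; do
        p=$(find_tool "$t" "$@") || continue
        if [ "$(mtime "$p")" -gt "$start" ]; then
            return 0
        fi
    done
    return 1
}

# add_ebtables_shims DIR: the third answer's workaround, made idempotent. Creates the
# ebtables, ebtables-save and ebtables-restore names in DIR as symlinks to
# DIR/xtables-nft-multi when they are missing. Returns 1 if xtables-nft-multi is absent.
add_ebtables_shims() {
    dir=$1
    [ -x "$dir/xtables-nft-multi" ] || return 1
    for n in ebtables ebtables-save ebtables-restore; do
        [ -e "$dir/$n" ] || ln -s "$dir/xtables-nft-multi" "$dir/$n"
    done
    return 0
}

# main: run the checks against the real host. Needs systemd and GNU date for the start time.
main() {
    dirs=$(printf '%s' "$PATH" | tr ':' ' ')   # deliberately word-split below
    ts=$(systemctl show -p ActiveEnterTimestamp --value libvirtd 2>/dev/null)
    start=$(date -d "$ts" +%s 2>/dev/null || echo 0)
    if missing=$(missing_tools $dirs); then
        echo "all firewall-backend tools present"
    else
        echo "missing tools (install them, e.g. pacman -S ebtables dnsmasq):"
        echo "$missing"
    fi
    if needs_restart "$start" $dirs; then
        echo "a tool was installed after libvirtd started: systemctl restart libvirtd"
    fi
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh libvirt-fw-check.sh --run` on the host after a failed `virsh net-start`. The restart check is the part people miss: as the comments on the first answer say, the error persists after installing ebtables and dnsmasq until libvirtd is restarted, because the backend probe happens only at daemon start.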