libvirt: "Failed to initialize a valid firewall backend"

18

2

I'm trying to set up a virtual NAT network device without DHCP for libvirt on an Arch Linux host.

What I have tried:

# virsh net-define network.xml 
Network default defined from network.xml

[network.xml]:

<network>
  <name>default</name>
  <bridge name="maas0" />
  <forward mode="nat" />
  <ip address="10.137.0.1" netmask="255.255.255.0" />
</network>

My laptop outputs the following on start-up:

# virsh net-start default
error: Failed to start network default
error: internal error: Failed to initialize a valid firewall backend

All other threads concerning this topic are talking about upgrading software -- I'm using the most current versions:

$ pacman -Q ebtables dnsmasq libvirt iptables
ebtables 2.0.10_4-5
dnsmasq 2.75-1
libvirt 1.3.3-1
iptables 1.4.21-3

What could be the reason for that internal error and what can I do about it?

testandby

Posted 2016-04-09T00:03:38.057

Reputation: 189

Answers

30

Installing ebtables and dnsmasq seems to fix the problem. Don't forget to restart the libvirtd service.

The commands:

sudo pacman -Syu ebtables dnsmasq
sudo systemctl restart libvirtd

NOTE: do not forget to close and re-open your virt-manager GUI (if you're using one).

EDIT: The original answer suggested also installing firewalld. This doesn't seem to be necessary for many users, and may add an additional unwanted firewall to your system. However, if you want to try it, you can add the following commands as well:

sudo pacman -Syu firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld
sudo systemctl restart libvirtd

AliReza Mosajjal

Posted 2016-04-09T00:03:38.057

Reputation: 424

17

There's no need to install firewalld; it's also not listed on the ArchLinux wiki. It's just necessary to start ebtables and dnsmasq, with libvirtd/virtlogd afterwards.

– pepper_chico – 2018-01-01T17:51:13.343

11

I want to emphasize, restart libvirtd, after installing ebtables and dnsmasq

– ThorSummoner – 2018-08-27T00:18:37.187

3

I confirm there's no need to install firewalld, as noted by @pepper_chico (comment) and Stuart P. Bentley (other answer).

– Alex Oliveira – 2019-05-18T18:08:30.993

9

This is the error that comes up if libvirtd was started without ebtables and/or dnsmasq installed. If you've got them installed and you're still having this issue, you probably need to restart the libvirtd service:

sudo systemctl restart libvirtd.service

Credit to the comments on the other answer to this question for illuminating this. I'm submitting it as a new and separate answer to the original question because installing and starting firewalld to solve the original problem is liable to cause new problems: once the firewall daemon is running, most of the services you'll want within your virtual machine, including DHCP, will be blocked by default, meaning that your VMs will not be able to reach the network on initialization.

I lost over an hour of my life trying to track down this problem, and tracing it to a firewall I had just enabled was one of the dumbest sources of a bug that I've ever run into. Don't let it take any time from yours.

Stuart P. Bentley

Posted 2016-04-09T00:03:38.057

Reputation: 691
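
Added example, not part of any answer above: a POSIX sh pre-flight check for the condition the answers describe, where libvirtd was started before ebtables and dnsmasq were present. The function names and the `--check` argument are hypothetical; it assumes GNU stat and procps (pgrep, ps), and that a binary's inode change time approximates when its package was installed.

```sh
#!/bin/sh
# Added example; function names are hypothetical. Assumes GNU stat and procps.

# Print every helper named in the arguments that is not on PATH.
missing_helpers() (
    for h in "$@"; do
        command -v "$h" >/dev/null 2>&1 || printf '%s\n' "$h"
    done
)

# Epoch second at which the oldest process with this exact name started.
daemon_start_epoch() (
    pid=$(pgrep -o -x "$1") || exit 1
    age=$(ps -o etimes= -p "$pid") || exit 1
    echo $(( $(date +%s) - $age ))
)

# needs_restart START_EPOCH HELPER...
# Succeeds if any helper's inode change time (assumed to approximate its
# install time) is later than START_EPOCH, meaning the running daemon could
# not have seen it at start-up. A package upgrade also triggers this.
needs_restart() (
    start=$1; shift
    for h in "$@"; do
        path=$(command -v "$h") || continue
        changed=$(stat -c %Z "$path") || continue
        [ "$changed" -gt "$start" ] && exit 0
    done
    exit 1
)

# Exit status: 0 ok, 1 restart libvirtd, 2 helper missing, 3 daemon not running.
check_libvirt_backend() (
    helpers="ebtables dnsmasq"   # the two helpers named in the answers
    missing=$(missing_helpers $helpers)
    if [ -n "$missing" ]; then
        echo "not installed:" $missing; exit 2
    fi
    start=$(daemon_start_epoch libvirtd) || { echo "libvirtd is not running"; exit 3; }
    if needs_restart "$start" $helpers; then
        echo "helpers changed after libvirtd started: sudo systemctl restart libvirtd"; exit 1
    fi
    echo "ok"
)

if [ "${1:-}" = "--check" ]; then check_libvirt_backend; fi
```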