virsh net-start default produces this output:

error: Failed to start network default
error: out of memory

Since I have 32GB of RAM and this isn't the problem, turning on the debug I see:

2015-05-21 15:05:29.012+0000: 1262: error : virFirewallValidateBackend:193 : direct firewall backend requested, but /sbin/ip6tables is not available: No such file or directory

I actually don't have ip6tables because this system is configured for IPv4 only. Compiling iptables with IPv6 support produces the ip6tables binary and solves the problem.

Version-Release number of selected component (if applicable): 1.2.14 / 1.2.15

Maybe it should be optional because not all users need IPv6.
FYI when writing this code it was decided that we would mandate the existence of ip6tables, since that is the common case, and even if people have IPv6 switched off in the running kernel, there's no serious downside to having the ip6tables binary available unconditionally. Assuming this simplified the error handling in the libvirt code. Agreed, we need a much improved error message though.
I just posted this upstream:

https://www.redhat.com/archives/libvir-list/2015-May/msg00747.html

It follows Dan's suggestion of logging the error:

Failed to initialize a valid firewall backend

instead of

out of memory
Pushed upstream, will be in 1.2.16:

commit a9c53462fbaee15b9aa151cbd35fe906bdda1810
Author: Laine Stump <laine>
Date:   Thu May 21 13:36:18 2015 -0400

    util: better error message after failure to initialize firewall backend