Recent versions of libvirt have included hardcoded iptables rulesets that do not work with the latest releases of iptables and instead require custom patches; this would be tolerable if iptables failures were ignored/ignorable. However, virt-manager, and even the documentation for the raw XML, seems to have no option for either ignoring iptables errors or assigning an action to take on error (fail, warn and continue, retry N times). This causes networking to break on easily forgivable issues, examples:

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/createnet.py", line 357, in finish
    self.conn.create_network(xml)
  File "/usr/share/virt-manager/virtManager/connection.py", line 742, in create_network
    net.create()
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 866, in create
    if ret == -1: raise libvirtError ('virNetworkCreate() failed', net=self)
libvirtError: internal error '/sbin/iptables --table filter --delete INPUT --in-interface virbr1 --protocol udp --destination-port 69 --jump ACCEPT' exited with non-zero status 1 and signal 0: iptables: Bad rule (does a matching rule exist in that chain?).

Sep 17 21:57:32 localhost libvirtd: 21:57:32.992: error : virRunWithHook:857 : internal error '/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' exited with non-zero status 2 and signal 0: iptables v1.4.9.1: unknown option `--checksum-fill'
Sep 17 21:57:32 localhost libvirtd: 21:57:32.992: warning : networkAddIptablesRules:873 : Could not add rule to fixup DHCP response checksums on network 'default'.
Sep 17 21:57:32 localhost libvirtd: 21:57:32.992: warning : networkAddIptablesRules:874 : May need to update iptables package & kernel to support CHECKSUM rule.
Sep 17 21:57:33 localhost libvirtd: 21:57:33.003: error : virRunWithHook:857 : internal error '/usr/sbin/dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/default.pid --conf-file= --listen-address 192.168.122.1 --except-interface lo --dhcp-range 192.168.122.2,192.168.122.254 --dhcp-lease-max=253 --dhcp-no-override' exited with non-zero status 2 and signal 0:
Sep 17 21:57:33 localhost libvirtd: 21:57:33.015: error : virRunWithHook:857 : internal error '/sbin/iptables --table mangle --delete POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' exited with non-zero status 2 and signal 0: iptables v1.4.9.1: unknown option `--checksum-fill'
Sep 17 21:57:33 localhost libvirtd: 21:57:33.114: error : virRunWithHook:857 : internal error '/sbin/iptables --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 69 --jump ACCEPT' exited with non-zero status 1 and signal 0: iptables: Bad rule (does a matching rule exist in that chain?).
Sep 17 21:57:33 localhost libvirtd: 21:57:33.867: warning : qemudStartup:1848 : Unable to create cgroup for driver: No such device or address
These iptables errors are ignored by libvirt and wouldn't cause networking failure. Unfortunately, the real error seems to be hidden in the middle and overwritten by other ignorable iptables errors. The reason why networking fails to start for you seems to be:

Sep 17 21:57:33 localhost libvirtd: 21:57:33.003: error : virRunWithHook:857 : internal error '/usr/sbin/dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/default.pid --conf-file= --listen-address 192.168.122.1 --except-interface lo --dhcp-range 192.168.122.2,192.168.122.254 --dhcp-lease-max=253 --dhcp-no-override' exited with non-zero status 2 and signal 0:

Unfortunately, there's no error message from dnsmasq itself there
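
The triage described in the reply above, as an added example (not part of the original report and not libvirt's own code): a Python parser for the virRunWithHook failure lines that sets aside iptables failures, which the reply says libvirt ignores, and surfaces any other failed helper. The function names are hypothetical; the sample lines are copied from the log in the report.

```python
import re

# Lines copied from the libvirtd log quoted in the report above.
SAMPLE_LOG = """\
Sep 17 21:57:32 localhost libvirtd: 21:57:32.992: error : virRunWithHook:857 : internal error '/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' exited with non-zero status 2 and signal 0: iptables v1.4.9.1: unknown option `--checksum-fill'
Sep 17 21:57:32 localhost libvirtd: 21:57:32.992: warning : networkAddIptablesRules:873 : Could not add rule to fixup DHCP response checksums on network 'default'.
Sep 17 21:57:33 localhost libvirtd: 21:57:33.003: error : virRunWithHook:857 : internal error '/usr/sbin/dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/default.pid --conf-file= --listen-address 192.168.122.1 --except-interface lo --dhcp-range 192.168.122.2,192.168.122.254 --dhcp-lease-max=253 --dhcp-no-override' exited with non-zero status 2 and signal 0:
Sep 17 21:57:33 localhost libvirtd: 21:57:33.114: error : virRunWithHook:857 : internal error '/sbin/iptables --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 69 --jump ACCEPT' exited with non-zero status 1 and signal 0: iptables: Bad rule (does a matching rule exist in that chain?).
"""

# Failure shape seen in that log:
#   internal error '<command>' exited with non-zero status N and signal N: <stderr>
FAILED_CMD = re.compile(
    r"error : virRunWithHook:\d+ : internal error '(?P<cmd>.+)' "
    r"exited with non-zero status (?P<status>\d+) and signal (?P<signal>\d+):"
    r"\s*(?P<stderr>.*)$"
)

def parse_failures(log_text):
    """Return one dict per failed external command, in log order."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_CMD.search(line)
        if not m:
            continue  # warnings and unrelated lines are skipped
        argv = m.group("cmd").split()
        failures.append({
            "binary": argv[0],
            "args": argv[1:],
            "status": int(m.group("status")),
            "stderr": m.group("stderr").strip(),  # empty when the helper printed nothing
        })
    return failures

def triage(log_text):
    """Split failures into (iptables noise, other helpers worth a closer look).

    Assumption, taken from the reply above: iptables failures are ignored by
    libvirt, so any other failed helper is the likelier cause of the outage.
    """
    noise, suspects = [], []
    for f in parse_failures(log_text):
        (noise if f["binary"].endswith("/iptables") else suspects).append(f)
    return noise, suspects

if __name__ == "__main__":
    noise, suspects = triage(SAMPLE_LOG)
    print(f"{len(noise)} iptables failure(s) set aside")
    for f in suspects:
        print(f"check: {f['binary']} exited {f['status']}: {f['stderr'] or '<no stderr captured>'}")
```
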