We were provisioning a new server to act as a hypervisor. The server runs Debian stretch (v9) and was installed from the minimal ISO image. The hypervisor will run qemu-kvm, managed through libvirt.

During the setup we got the following error while starting a virtual network:

$ sudo virsh net-start default                                                                         
error: Failed to start network default
error: internal error: Failed to initialize a valid firewall backend

We were caught out by this portion of the libvirt code:

// src/util/virfirewall.c
/*
 * Decide which firewall backend will be used and record it in
 * currentBackend.
 *
 * @backend: the requested backend; AUTOMATIC and FIREWALLD both trigger a
 *           probe for the firewalld D-Bus service.
 *
 * A probe result of -2 is handled as "firewalld is not running": that is
 * fatal when FIREWALLD was requested explicitly, while AUTOMATIC falls
 * back to the direct backend. Any other negative probe result fails
 * without an error being reported in this function. The direct backend is
 * accepted only when iptables, ip6tables and ebtables are all executable,
 * so AUTOMATIC fails when the firewalld probe is negative and any one of
 * the three tools is missing.
 *
 * Returns 0 once a backend has been selected, -1 otherwise.
 */
static int
virFirewallValidateBackend(virFirewallBackend backend)
{
    VIR_DEBUG("Validating backend %d", backend);

    if (backend == VIR_FIREWALL_BACKEND_AUTOMATIC ||
        backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
        int registered = virDBusIsServiceRegistered(VIR_FIREWALL_FIREWALLD_SERVICE);

        VIR_DEBUG("Firewalld is registered ? %d", registered);

        if (registered >= 0) {
            VIR_DEBUG("firewalld service running, using firewalld backend");
            backend = VIR_FIREWALL_BACKEND_FIREWALLD;
        } else if (registered != -2) {
            /* The probe failed for another reason; nothing is reported here. */
            return -1;
        } else if (backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
            /* An explicit firewalld request gets no fallback. */
            virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                           _("firewalld firewall backend requested, but service is not running"));
            return -1;
        } else {
            VIR_DEBUG("firewalld service not running, trying direct backend");
            backend = VIR_FIREWALL_BACKEND_DIRECT;
        }
    }

    if (backend == VIR_FIREWALL_BACKEND_DIRECT) {
        const char *tools[] = {
            IPTABLES_PATH, IP6TABLES_PATH, EBTABLES_PATH
        };
        size_t idx = 0;

        /* All three binaries are mandatory; the first missing one aborts. */
        while (idx < ARRAY_CARDINALITY(tools)) {
            const char *tool = tools[idx++];

            if (virFileIsExecutable(tool)) {
                continue;
            }

            /* errno is read right after the failed check, before anything else runs. */
            virReportSystemError(errno,
                                 _("direct firewall backend requested, but %s is not available"),
                                 tool);
            return -1;
        }
        VIR_DEBUG("found iptables/ip6tables/ebtables, using direct backend");
    }

    currentBackend = backend;
    virFirewallCheckUpdateLocking();
    return 0;
}

In case you are like us, here are the two options available to fix this error:

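  • Install iptables + ip6tables + ebtables (the direct backend is rejected if any one of the three is not executable)
  • Use firewalld (the service has to be running, since libvirt checks whether it is registered on D-Bus)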