libvirt virsh nwfilter: Help using the network filter driver

[pants]

I'm having some trouble configuring the libvirt network filter driver and was hoping someone here might be able to help. I have read through https://libvirt.org/firewall.html#id3 and, after some debugging, I believe the issue is that libvirtd / virtnwfilterd is not adding hooks to the PREROUTING and POSTROUTING ebtables chains as described in the linked doc. Running "ebtables -t nat -L" after libvirt is up I expect to see something like:
 

Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i vnet0 -j libvirt-I-vnet0

Bridge chain: POSTROUTING, entries: 1, policy: ACCEPT
-o vnet0 -j libvirt-O-vnet0

Instead I see:

# ebtables -t nat -L
Bridge table: nat

Bridge chain: PREROUTING, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: POSTROUTING, entries: 0, policy: ACCEPT

When I start a VM which has a 'filter' element defined within its 'interface' element I then see the following error in the libvirt log:
 

2022-04-24 01:51:00.429+0000: 19920: error : virFirewallApplyRuleDirect:690 : internal error: Failed to apply firewall rules /usr/sbin/ebtables --concurrent -t nat -E libvirt-J-vnet2 libvirt-I-vnet2: ebtables v1.8.5 (nf_tables): Chain 'libvirt-J-vnet2' doesn't exists 

The document linked above suggests that the hooks and top level chains should be added before any custom user defined chains are created. From the doc: "…the first thing it does with ebtables, is to add two hooks in POSTROUTING and PREROUTING chains, to redirect traffic to custom chains."

I'm looking for any suggestions as to what might be going wrong or how to proceed. Thanks for any assistance you can provide!

[pants]

The issue described above turned out to be a bug in ebtables. More information on the bug can be found here.

I resolved the issue by installing an older version of ebtables which was not susceptible to the bug from pkgs.org found here.

Edited April 27, 2022 by pants