If only iptables rules are created then two unnecessary ebtables chains are also created. This patch fixes this. The chains had been cleaned up properly when the interface disappeared, though. --- src/nwfilter/nwfilter_ebiptables_driver.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) Index: libvirt-iterator/src/nwfilter/nwfilter_ebiptables_driver.c =================================================================== --- libvirt-iterator.orig/src/nwfilter/nwfilter_ebiptables_driver.c +++ libvirt-iterator/src/nwfilter/nwfilter_ebiptables_driver.c @@ -3622,10 +3622,12 @@ ebiptablesApplyNewRules(const char *ifna NWFILTER_SET_EBTABLES_SHELLVAR(&buf); /* create needed chains */ - if (ebtablesCreateTmpRootAndSubChains(&buf, ifname, chains_in_set , 1, - &ebtChains, &nEbtChains) < 0 || - ebtablesCreateTmpRootAndSubChains(&buf, ifname, chains_out_set, 0, - &ebtChains, &nEbtChains) < 0) { + if ((virHashSize(chains_in_set) > 0 && + ebtablesCreateTmpRootAndSubChains(&buf, ifname, chains_in_set , 1, + &ebtChains, &nEbtChains) < 0) || + (virHashSize(chains_out_set) > 0 && + ebtablesCreateTmpRootAndSubChains(&buf, ifname, chains_out_set, 0, + &ebtChains, &nEbtChains) < 0)) { goto tear_down_tmpebchains; }