What were you trying to do that didn't work?

Start a VM with a specific filterref 

What is the impact of this issue to you?

I don't know. I set Severity Low because AFAIK nwfilter is not a supported libvirt feature on RHEL. It might be used by CNV but that is not expected to use RHEL 10.0 any time soon.

Please provide the package NVR for which the bug is seen:

nftables-1.0.9-4.el10.s390x
libvirt-10.10.0-1.el10.s390x
iptables-nft-1.8.10-8.el10.s390x

How reproducible is this bug?:

100%

Steps to reproduce

1. Define a guest with

   <interface type="network">
     <mac address="52:54:00:aa:43:de"/>
     <source network="default"/>
     <model type="virtio"/>
     <filterref filter="no-arp-mac-spoofing"/>
     <address type="ccw" cssid="0xfe" ssid="0x0" devno="0x0001"/>
   </interface> 

2.  Start the VM

Expected results

The VM will start

Actual results

The VM can't start, error:

error: Failed to start domain 'avocado-vt-vm1'
error: internal error: Failed to run firewall command ebtables --concurrent -t nat -A J-vnet2-arp-mac -p 0x806 --arp-mac-src 52:54:00:aa:43:de -j RETURN: ebtables v1.8.10 (nf_tables):  RULE_APPEND failed (No such file or directory): rule in chain J-vnet2-arp-mac

Additional information

1. This does work on RHEL 9.6
2. This was hit by test case tp-libvirt/virtual_network.connectivity_check.bridge_interface.linux_br.multiqueue.nwfilter
3. That test case passed recently with libvirt 10.10.0-1 on RHEL 10.0 for x86-64 so unsure if this is due to some different component version or really an s390x-specific issue