Prevent libvirtd from adding iptables rules by calling /sbin/iptables or /sbin/ip6tables. Let it call "iptables --version" though.
Compile with: gcc -shared -ldl -fPIC no-iptables.c -o no-iptables.so
If needed, add -DNOIPTABLES_DEBUG
Usage: LD_PRELOAD=/path/to/no-iptables.so libvirtd