diff --git a/files/system/etc/libvirt/network.conf b/files/system/etc/libvirt/network.conf
new file mode 100644
index 0000000..1998199
--- /dev/null
+++ b/files/system/etc/libvirt/network.conf
@@ -0,0 +1,29 @@
+# Master configuration file for the network driver.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+
+# firewall_backend:
+#
+# determines which subsystem to use to setup firewall packet
+# filtering rules for virtual networks.
+#
+# Supported settings:
+#
+# iptables - use iptables commands to construct the firewall
+# nftables - use nft commands to construct the firewall
+#
+# If firewall_backend isn't configured, libvirt will choose the
+# first available backend from the following list:
+#
+# [nftables, iptables]
+#
+# If no backend is available on the host, then the network driver
+# will fail to start, and an error will be logged.
+#
+# (NB: switching from one backend to another while there are active
+# virtual networks *is* supported. The change will take place the
+# next time that libvirtd/virtnetworkd is restarted - all existing
+# virtual networks will have their old firewalls removed, and then
+# reloaded using the new backend.)
+#
+firewall_backend = "iptables"
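Review bot: The last added line pins `firewall_backend = "iptables"`, overriding the default order the file's own comment describes (nftables first, then iptables), and nothing in the file records why. If the image's host firewall is managed through nftables, libvirt's rules for virtual networks would be installed through a different subsystem than the rest of the ruleset, which makes the effective policy for guest traffic harder to audit. Whether that applies here cannot be told from the hunk. The pin presumably also makes the iptables tooling a hard requirement for the network driver to start, which is worth confirming against the image's package set. I would add a comment directly above the setting, for example `# Pinned to iptables because <reason>; requires the iptables commands to be present in the image.`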