When ipv6 is enabled, the xen firewall driver ends up calling to xenhost plugin iptables_config command... passing in ip6tables-* commands to run. Unfortunately, xenhost raises when the command is not 'iptables-save' or 'iptables-restore'.
From xensource.log:
[20120218T00:13:19.191Z|debug|xenserver1|39610|Async.host.call_plugin R:58e2ec8ed064|audit] Host.call_plugin host = '69718d30-af03-4369-8420-82e073356697 (xenserver1)'; plugin = 'xenhost'; fn = 'iptables_config'; args = [ run_as_root: True; cmd_args: ["ip6tables-save", "-t", "filter"]; attempts: 5 ]
[20120218T00:13:19.247Z|debug|xenserver1|39610|Async.host.call_plugin R:58e2ec8ed064|dispatcher] Server_helpers.exec exception_handler: Got exception XENAPI_PLUGIN_FAILURE: [ iptables_config; PluginError; Invalid iptables command ]
Note 'ip6tables-save' in command args... and the corresponding code in xenhost that raises.
Of course... xenserver dom0 doesn't even support ipv6. So I guess xenhost needs to just ignore them... or the xen dom0 firewall driver needs to not pass them.
If you happen to add the commands to the supported list in xenhost, you get this:
(nova.compute. manager) : TRACE: Failure: ['XENAPI_ PLUGIN_ FAILURE' , 'iptables_config', 'PluginError', "ip6tables-save v1.3.5: Can't initialize: Address family not supported by protocol\n\n"]