Linux – Why doesn’t libvirt cooperate with iptables on Fedora 32

fedora, libvirt, linux, networking

I'm trying to use pretty much the default installation of libvirt / kvm on Fedora 32.

After installing libvirt, I'm trying to start up the default network: virsh net-start default.

But for some reason, there are a number of chains missing, so it fails. For example, the new rules which libvirt tries to load start with:

-A IN_libvirt_allow -p udp --dport 67 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT

But there's no IN_libvirt_allow (or IN_libvirt_post, FORWARD_OUT_ZONES, …).

I do have some libvirt-related chains like LIBVIRT_INP / LIBVIRT_OUT, but I'm not sure which ones belong to libvirt and which ones to firewalld, and how they're supposed to work together.

What piece of setup am I missing?

Best Answer

Fedora 32 is the first Fedora release to switch to nftables. Libvirtd currently creates a mix of firewall rules by writing (legacy) iptables rules directly and asking firewalld to create the rules it needs. You (currently) must be using firewalld for libvirtd to work correctly on this distro.
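A quick way to see which of the two rule sources is missing is to diff the chains a rule set refers to against the chains actually present. The script below is an added example, not code from the question, the answer, or the libvirt project. It embeds a constructed iptables-save dump (only the chains libvirt writes itself, as on a host where firewalld is not running) and a constructed rule set in the style libvirt hands to firewalld; the function and variable names (missing_chains, chains_in_dump, report_live, SAMPLE_DUMP, SAMPLE_RULES) are my own. report_live assumes systemctl, firewall-cmd and iptables-save / iptables-legacy-save behave as on a stock Fedora host and is only run when you call it yourself as root.

```shell
#!/bin/sh
# Added example: report which chains a set of iptables rules append to (-A)
# or jump to (-j) that do not exist in an iptables-save style dump.

# Constructed sample of `iptables-save` output with firewalld stopped:
# only the chains libvirt creates directly are present.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:LIBVIRT_FWO - [0:0]
-A INPUT -j LIBVIRT_INP
-A OUTPUT -j LIBVIRT_OUT
COMMIT'

# Constructed rules in the style libvirt asks firewalld to install; the first
# line is the one quoted in the question, the rest are illustrative.
SAMPLE_RULES='-A IN_libvirt_allow -p udp --dport 67 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_libvirt_allow -p udp --dport 53 -j ACCEPT
-A FORWARD_OUT_ZONES -o virbr0 -j FWDO_libvirt
-A LIBVIRT_INP -i virbr0 -p udp --dport 67 -j ACCEPT'

# chains_in_dump DUMP -> chain names declared with a leading ':' in DUMP.
chains_in_dump() {
    printf '%s\n' "$1" | awk '/^:/ { sub(/^:/, "", $1); print $1 }'
}

# missing_chains DUMP RULES -> chains named after -A or -j in RULES that are
# neither declared in DUMP nor a built-in target. Output is sorted, one per line.
missing_chains() {
    _have=$(chains_in_dump "$1")
    printf '%s\n' "$2" | awk '
        { for (i = 1; i < NF; i++) if ($i == "-A" || $i == "-j") print $(i + 1) }
    ' | LC_ALL=C sort -u | while read -r _chain; do
        case "$_chain" in
            ACCEPT|DROP|REJECT|RETURN|LOG|MASQUERADE) continue ;;
        esac
        printf '%s\n' "$_have" | grep -qxF "$_chain" || printf '%s\n' "$_chain"
    done
}

# report_live: the same idea against the running host (run as root; not
# executed by default). Shows whether firewalld is up, whether its libvirt
# zone exists, and the chains known to whichever save tools are installed,
# so you can tell libvirt's own chains from the firewalld-generated ones.
report_live() {
    if systemctl is-active firewalld >/dev/null 2>&1; then
        echo "firewalld: active"
    else
        echo "firewalld: not active (libvirt on Fedora 32 expects it)"
    fi
    if command -v firewall-cmd >/dev/null 2>&1; then
        _zones=$(firewall-cmd --get-zones 2>/dev/null | tr ' ' '\n')
        printf '%s\n' "$_zones" | grep -qx libvirt \
            && echo "firewalld zone 'libvirt': present" \
            || echo "firewalld zone 'libvirt': missing"
    fi
    for _saver in iptables-save iptables-legacy-save; do
        command -v "$_saver" >/dev/null 2>&1 || continue
        echo "== chains reported by $_saver =="
        "$_saver" 2>/dev/null | awk '/^:/ { sub(/^:/, "", $1); print $1 }'
    done
}

# Stand-alone demonstration on the constructed data.
echo "chains referenced but absent:"
missing_chains "$SAMPLE_DUMP" "$SAMPLE_RULES"
```

On the sample data the script lists FORWARD_OUT_ZONES, FWDO_libvirt and IN_libvirt_allow as absent while LIBVIRT_INP is found, which is the split the question observes: the LIBVIRT_* chains come from libvirt itself, the rest are expected from firewalld. To use it on a real host, source the file and run report_live, or feed `iptables-save` output and the rules libvirt logs to missing_chains.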