The detailed explanation of this is in Patch 4/5. Basically, when firewalld enables its new nftables backend, libvirt virtual networks lose all ability to forward packets from guests out to the physical network, and can only communicate with the host itself as much as firewalld's "public" zone will allow (which isn't much, and doesn't include DHCP or DNS).
Laine Stump (5):
  docs: add forgotten mentions of forward mode "open"
  util: move all firewalld-specific stuff into its own file
  util: new function virFirewallDInterfaceSetZone()
  network: regain guest network connectivity after firewalld switch to nftables
  network: allow configuring firewalld zone for virtual network bridge device

 docs/formatnetwork.html.in                 |  21 ++-
 docs/news.xml                              |  40 ++++++
 docs/schemas/basictypes.rng                |   6 +
 docs/schemas/network.rng                   |   6 +
 include/libvirt/virterror.h                |   1 +
 libvirt.spec.in                            |  16 +++
 src/conf/network_conf.c                    |  14 +-
 src/conf/network_conf.h                    |   1 +
 src/libvirt_private.syms                   |   4 +
 src/network/Makefile.inc.am                |  10 +-
 src/network/bridge_driver_linux.c          |  25 ++++
 src/network/libvirt.zone                   |  14 ++
 src/util/Makefile.inc.am                   |   2 +
 src/util/virerror.c                        |   1 +
 src/util/virfirewall.c                     |  86 +----------
 src/util/virfirewalld.c                    | 151 +++++++++++++++++++++
 src/util/virfirewalld.h                    |  36 +++++
 src/util/virfirewallpriv.h                 |   2 -
 tests/networkxml2xmlin/routed-network.xml  |   2 +-
 tests/networkxml2xmlout/routed-network.xml |   2 +-
 tests/virfirewalltest.c                    |   1 +
 21 files changed, 350 insertions(+), 91 deletions(-)
 create mode 100644 src/network/libvirt.zone
 create mode 100644 src/util/virfirewalld.c
 create mode 100644 src/util/virfirewalld.h

-- 
2.20.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
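The following is an added diagnostic script, not code from this series or from libvirt. It checks, from firewalld's on-disk configuration alone, whether a host is in the situation the cover letter describes: the FirewallBackend set to nftables and the zone holding the libvirt bridge not offering the dhcp and dns services. The config paths are assumptions (a real host keeps them under /etc/firewalld), the two zone files are constructed samples that only stand in for firewalld's "public" zone and for the "libvirt" zone this series adds, and the remediation line it prints assumes that zone has been installed; the series itself sets the zone over D-Bus rather than with firewall-cmd.

```shell
#!/bin/sh
# Offline check for the failure mode in the cover letter: firewalld on its
# nftables backend plus a bridge zone without dhcp/dns. Added example; not
# part of the libvirt patch series. Reads config files only, so it runs
# without firewalld installed.

# Print the configured backend. firewalld defaults to iptables when the
# FirewallBackend key is absent, so report that in the same case.
firewalld_backend() {
    b=$(sed -n 's/^FirewallBackend=[[:space:]]*//p' "$1" | tail -n 1)
    if [ -n "$b" ]; then printf '%s\n' "$b"; else printf 'iptables\n'; fi
}

# Print "yes" if the zone XML lists the given service, otherwise "no".
# The closing "/> in the pattern keeps dhcpv6-client from matching dhcp.
zone_allows_service() {
    if grep -q "<service name=\"$2\"/>" "$1"; then echo yes; else echo no; fi
}

# True (exit 0) when guests on a bridge in this zone will not get DHCP or
# DNS from the host: nftables backend and a zone missing either service.
guest_dhcp_dns_blocked() {
    [ "$(firewalld_backend "$1")" = nftables ] || return 1
    if [ "$(zone_allows_service "$2" dhcp)" = yes ] &&
       [ "$(zone_allows_service "$2" dns)" = yes ]; then
        return 1
    fi
    return 0
}

# One-line verdict per bridge, with the runtime firewall-cmd equivalent of
# what the series does over D-Bus (assumes the "libvirt" zone exists).
report() {
    conf=$1; zonefile=$2; bridge=$3
    if guest_dhcp_dns_blocked "$conf" "$zonefile"; then
        echo "$bridge: backend=$(firewalld_backend "$conf"), zone lacks dhcp/dns: guests lose DHCP and DNS"
        echo "  suggested: firewall-cmd --zone=libvirt --change-interface=$bridge"
    else
        echo "$bridge: ok"
    fi
}

# Constructed sample configuration standing in for /etc/firewalld.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/firewalld.conf" <<'EOF'
DefaultZone=public
FirewallBackend=nftables
EOF
cat >"$tmp/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
EOF
cat >"$tmp/libvirt.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>libvirt</short>
  <service name="dhcp"/>
  <service name="dns"/>
  <service name="ssh"/>
</zone>
EOF

report "$tmp/firewalld.conf" "$tmp/public.xml" virbr0
report "$tmp/firewalld.conf" "$tmp/libvirt.xml" virbr0
```

On a real host, point the functions at /etc/firewalld/firewalld.conf and the zone file named by `firewall-cmd --get-zone-of-interface virbr0`; add `--permanent` to the suggested command if the zone assignment should survive a firewalld restart.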