Why doesn't libvirt cooperate with iptables on fedora 32

viraptor asked:

I’m trying to use pretty much the default installation of libvirt / kvm on Fedora 32.

After installing libvirt, I’m trying to start up the default network: virsh net-start default.

But for some reason, there’s a number of chains which are missing, so it fails. For example the new rules which libvirt tries to load start with:

-A IN_libvirt_allow -p udp --dport 67 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT

But there’s no IN_libvirt_allow (or IN_libvirt_post, FORWARD_OUT_ZONES, …).

I do have some libvirt related chains like LIBVIRT_INP / LIBVIRT_OUT, but I’m not sure which ones belong to libvirt and which ones to firewalld and how they’re supposed to work together.

What piece of setup am I missing?

My answer:


Fedora 32 is the first Fedora release to switch to nftables. Libvirtd currently creates a mix of firewall rules by writing (legacy) iptables rules directly and asking firewalld to create the rules it needs. You (currently) must be using firewalld for libvirtd to work correctly on this distro.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.