The iptables backend (which was used as the model for the nftables
backend) used the same "filter" and "nat" tables used by other
services on the system (e.g. firewalld or any other host firewall
management application), so it was possible that one of those other
services would be blocking DNS, DHCP, or TFTP from guests to the host;
we added our own rules at the beginning of the chain to allow this
traffic no matter if someone else rejected it later.
But with nftables, each service uses its own table, and all traffic
must be accepted by all tables no matter what - it's not possible for
us to just insert a higher priority/earlier rule that will override
some reject rule put in by, e.g., firewalld. Instead the firewalld (or
other) table must be set up by that service to allow the traffic. That,
along with the fact that our table is already "accept by default",
makes it possible to eliminate the individual accept rules for DHCP,
DNS, and TFTP. And once those rules are eliminated, there is no longer
any need for the guest_to_host or host_to_guest tables.
Signed-off-by: Laine Stump <laine(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/network/network_nftables.c | 36 +++-
.../nat-default-linux.nftables | 104 ----------
.../nat-ipv6-linux.nftables | 182 ------------------
.../nat-ipv6-masquerade-linux.nftables | 182 ------------------
.../nat-many-ips-linux.nftables | 104 ----------
.../nat-no-dhcp-linux.nftables | 182 ------------------
.../nat-tftp-linux.nftables | 130 -------------
.../route-default-linux.nftables | 104 ----------
8 files changed, 33 insertions(+), 991 deletions(-)
diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c
index 12a2d4c6ad..f3824ece99 100644
--- a/src/network/network_nftables.c
+++ b/src/network/network_nftables.c
@@ -40,8 +40,12 @@ VIR_LOG_INIT("network.nftables");
#define VIR_FROM_THIS VIR_FROM_NONE
-#define VIR_NFTABLES_INPUT_CHAIN "guest_to_host"
-#define VIR_NFTABLES_OUTPUT_CHAIN "host_to_guest"
+#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES
+/* The input and output tables aren't currently used */
+# define VIR_NFTABLES_INPUT_CHAIN "guest_to_host"
+# define VIR_NFTABLES_OUTPUT_CHAIN "host_to_guest"
+#endif
+
#define VIR_NFTABLES_FORWARD_CHAIN "forward"
#define VIR_NFTABLES_FWD_IN_CHAIN "guest_input"
#define VIR_NFTABLES_FWD_OUT_CHAIN "guest_output"
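Review bot: The new comment at the top of the guarded block calls guest_to_host/host_to_guest "tables", but the two macros name chains inside the libvirt_network table (the next hunk registers them with `type filter hook input`/`hook output`); `/* The input and output chains aren't currently used */` would match the code. VIR_NFTABLES_INCLUDE_HOST_RULES is not defined anywhere in this diff, so everything it guards here and in the later hunks (the chain entries, nftablesAddInput through nftablesAddUdpOutput, and the call sites in the IPv4/IPv6 rule builders) is no longer compiled and will silently drift from the real nftablesAdd* signatures. If the intent is to keep it as a buildable example, a one-line comment saying where the macro would be defined (and an occasional build with it set) would keep it honest.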
@@ -88,9 +92,14 @@ typedef struct {
nftablesGlobalChain nftablesChains[] = {
/* chains for filter rules */
+
+#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES
+ /* nothing is being added to these chains now, so they are effective NOPs */
{NULL, VIR_NFTABLES_INPUT_CHAIN, "{ type filter hook input priority 0; policy
accept; }"},
- {NULL, VIR_NFTABLES_FORWARD_CHAIN, "{ type filter hook forward priority 0;
policy accept; }"},
{NULL, VIR_NFTABLES_OUTPUT_CHAIN, "{ type filter hook output priority 0; policy
accept; }"},
+#endif
+
+ {NULL, VIR_NFTABLES_FORWARD_CHAIN, "{ type filter hook forward priority 0;
policy accept; }"},
{VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_OUT_CHAIN, NULL},
{VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_IN_CHAIN, NULL},
{VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_X_CHAIN, NULL},
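Review bot: The comment on the guarded chain entries reads "they are effective NOPs"; it should be "effectively NOPs", and it is worth stating why that holds, since both are base chains on the input/output hooks that would be registered with the kernel if this block were ever enabled. Suggested: `/* nothing is added to these chains now; as empty base chains with policy accept they are effectively NOPs */`. The nftablesChains array may continue past the end of the hunk.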
@@ -209,6 +218,11 @@ nftablesSetupPrivateChains(virFirewallLayer layer)
}
+#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES
+/* currently these functions aren't used, but they remain in the
+ * source (uncompiled) as examples of adding specific rules to permit
+ * input/output of packets. in case the need arises in the future
+ */
static void
nftablesAddInput(virFirewall *fw,
virFirewallLayer layer,
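Review bot: The comment above nftablesAddInput contains a lowercase sentence fragment, `input/output of packets. in case the need arises in the future`; `input/output of packets, in case the need arises in the future.` reads correctly. nftablesAddInput's parameter list and body continue outside the hunk.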
@@ -315,6 +329,9 @@ nftablesAddUdpOutput(virFirewall *fw,
}
+#endif
+
+
/**
* nftablesAddForwardAllowOut:
*
@@ -801,6 +818,14 @@ nftablesAddGeneralIPv4FirewallRules(virFirewall *fw,
break;
}
+#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES
+ /* These rules copied from the iptables backend, have been removed
+ * from the nftab because they are redundant since we are using our own
+ * table that is default accept; there are no other users that
+ * could add a reject rule that we would need to / be able to
+ * override with these rules
+ */
+
/* allow DHCP requests through to dnsmasq & back out */
nftablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
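Review bot: The comment introducing the guarded DHCP/DNS/TFTP rules says they were "removed from the nftab", which is not a term used elsewhere in the file, and the comma split in the first sentence reads oddly. Suggested: `/* These rules, copied from the iptables backend, are omitted from the nftables backend: our table is default-accept, and no other user can add a reject rule in it that we would need to (or could) override. */`. Since the accept rules are gone, the host's other nftables tables (e.g. firewalld's) now decide whether guest DHCP/DNS/TFTP reaches the host; a short pointer to that in the comment would help the next maintainer who comes looking for the missing rules. nftablesAddGeneralIPv4FirewallRules continues on both sides of the hunk.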
@@ -818,6 +843,7 @@ nftablesAddGeneralIPv4FirewallRules(virFirewall *fw,
nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
}
+#endif
/* Catch all rules to block forwarding to/from bridges */
nftablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
@@ -849,6 +875,9 @@ nftablesAddGeneralIPv6FirewallRules(virFirewall *fw,
/* Allow traffic between guests on the same bridge */
nftablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES
+ /* see the note above in nftablesAddGeneralIPv4FirewallRules */
+
if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) {
/* allow DNS over IPv6 & back out */
nftablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
@@ -859,6 +888,7 @@ nftablesAddGeneralIPv6FirewallRules(virFirewall *fw,
nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547);
nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546);
}
+#endif
}
diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables
b/tests/networkxml2firewalldata/nat-default-linux.nftables
index 8b6e0ba406..298a83d088 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-default-linux.nftables
@@ -3,110 +3,6 @@ nft \
rule \
ip \
libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
guest_output \
iifname \
virbr0 \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
index 03fb7397cd..615bb4e144 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
@@ -3,110 +3,6 @@ nft \
rule \
ip \
libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
guest_output \
iifname \
virbr0 \
@@ -169,84 +65,6 @@ accept
nft \
-ae insert \
rule \
-ip6 \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-547 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-546 \
-counter \
-accept
-nft \
--ae insert \
-rule \
ip \
libvirt_network \
guest_output \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
index 012a3d5d47..27817d8a68 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
@@ -3,110 +3,6 @@ nft \
rule \
ip \
libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
guest_output \
iifname \
virbr0 \
@@ -169,84 +65,6 @@ accept
nft \
-ae insert \
rule \
-ip6 \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-547 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-546 \
-counter \
-accept
-nft \
--ae insert \
-rule \
ip \
libvirt_network \
guest_output \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
index 029274ea06..3ab6286d2c 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
@@ -3,110 +3,6 @@ nft \
rule \
ip \
libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
guest_output \
iifname \
virbr0 \
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
index 03fb7397cd..615bb4e144 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
@@ -3,110 +3,6 @@ nft \
rule \
ip \
libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
guest_output \
iifname \
virbr0 \
@@ -169,84 +65,6 @@ accept
nft \
-ae insert \
rule \
-ip6 \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-547 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip6 \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-546 \
-counter \
-accept
-nft \
--ae insert \
-rule \
ip \
libvirt_network \
guest_output \
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
index dd84468ad6..298a83d088 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
@@ -3,136 +3,6 @@ nft \
rule \
ip \
libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-69 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-69 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
guest_output \
iifname \
virbr0 \
diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables
b/tests/networkxml2firewalldata/route-default-linux.nftables
index c1cc8f05b1..09a32f0949 100644
--- a/tests/networkxml2firewalldata/route-default-linux.nftables
+++ b/tests/networkxml2firewalldata/route-default-linux.nftables
@@ -3,110 +3,6 @@ nft \
rule \
ip \
libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-67 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-68 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-guest_to_host \
-iifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-tcp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
-host_to_guest \
-oifname \
-virbr0 \
-udp \
-dport \
-53 \
-counter \
-accept
-nft \
--ae insert \
-rule \
-ip \
-libvirt_network \
guest_output \
iifname \
virbr0 \
--
2.45.0