In the table built for traffic coming from the VM going to the host make the following changes: - don't ACCEPT the packets but do a 'RETURN' and let the host-specific firewall rules in subsequent rules evaluate whether the traffic is allowed to enter - use the '-m state' in the rules as everywhere else Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com&gt; --- src/nwfilter/nwfilter_ebiptables_driver.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c @@ -1790,6 +1790,10 @@ iptablesCreateRuleInstance(virNWFilterDe return rc; maySkipICMP = directionIn; + if (needState) + matchState = directionIn ? MATCH_STATE_IN : MATCH_STATE_OUT; + else + matchState = NULL; chainPrefix[0] = 'H'; chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP; @@ -1800,8 +1804,8 @@ iptablesCreateRuleInstance(virNWFilterDe ifname, vars, res, - NULL, true, - "ACCEPT", + matchState, true, + "RETURN", isIPv6, maySkipICMP);