Hi,
I'm trying to understand how the firewall filter works for an isolated network in libvirt
v11.1.0. When I start the network I can see the following rules in nftables:
table ip libvirt_network {
    chain forward {
        type filter hook forward priority filter; policy accept;
        counter packets 0 bytes 0 jump guest_cross
        counter packets 0 bytes 0 jump guest_input
        counter packets 0 bytes 0 jump guest_output
    }
    chain guest_output {
        iif "virbr3" counter packets 0 bytes 0 reject
    }
    chain guest_input {
        oif "virbr3" counter packets 0 bytes 0 reject
    }
    chain guest_cross {
        iif "virbr3" oif "virbr3" counter packets 0 bytes 0 accept
    }
    chain guest_nat {
        type nat hook postrouting priority srcnat; policy accept;
    }
}
But when I start ping from one VM to another on the same isolated network, I don't see
an increase in counters in either chain.
In the libvirt code, I found a comment in src/network/network_nftables.c:
/**
* nftablesAddForwardAllowCross:
*
* Add a rule to @fw to allow traffic to go across @iface (the virtual
* network's bridge) from one port to another. This allows all traffic
* between guests on the same virtual network.
*/
But it seems that these rules don't work and are not needed. If I delete this table or
some chains, nothing happens. VMs have connectivity with each other on this network.
What are these rules for?
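The following script is an added example for checking this on a host; it is not part of the post above and not libvirt's own code. Two things are worth checking before concluding that the rules are dead. First, frames switched between two ports of the same Linux bridge only traverse the ip-family forward hook (where the libvirt_network forward chain sits) when the br_netfilter module is loaded and net.bridge.bridge-nf-call-iptables is 1; otherwise the bridge forwards them at layer 2 and no counter in that table can move, regardless of what the rules say. Second, comparing two `nft list table` dumps taken before and after the ping gives per-rule deltas rather than a single glance at zeros. The bridge name virbr3 and the table name ip libvirt_network are taken from the post; the dumps embedded below are constructed to mirror the post's table, with the non-zero values chosen to show what the delta looks like, not captured from a real host.

```sh
#!/bin/sh
# Added example, not libvirt code. Assumes: /proc/sys/net/bridge exists only
# when br_netfilter is loaded; `nft list table ip libvirt_network` output
# has the layout shown in the post. Counter values below are constructed.

# Report whether bridged IPv4 frames are handed to the ip-family hooks.
# Prints the sysctl value (0 or 1) or a note that br_netfilter is absent.
bridge_nf_state() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo "br_netfilter not loaded"
    fi
}

# Parse an `nft list table` dump on stdin into "chain packets" lines,
# one per rule that carries a counter, in the order they appear.
parse_counters() {
    awk '
        /^[[:space:]]*chain / { chain = $2 }
        /counter packets/ {
            for (i = 1; i <= NF; i++)
                if ($i == "packets") print chain, $(i + 1)
        }'
}

# Sum of packet counters across every rule in the dump on stdin.
total_packets() {
    parse_counters | awk '{ s += $2 } END { print s + 0 }'
}

# Per-rule packet deltas between two dump files (before, after).
# Output: "chain delta" per counter rule, same order as parse_counters.
counter_delta() {
    b=$(mktemp) && a=$(mktemp) || return 1
    parse_counters < "$1" > "$b"
    parse_counters < "$2" > "$a"
    paste -d ' ' "$b" "$a" | awk '{ print $1, $4 - $2 }'
    rm -f "$b" "$a"
}

# Constructed dump: the table as the post shows it, all counters at zero.
BEFORE='table ip libvirt_network {
    chain forward {
        type filter hook forward priority filter; policy accept;
        counter packets 0 bytes 0 jump guest_cross
        counter packets 0 bytes 0 jump guest_input
        counter packets 0 bytes 0 jump guest_output
    }
    chain guest_cross {
        iif "virbr3" oif "virbr3" counter packets 0 bytes 0 accept
    }
}'

# Constructed dump: what the same table would look like after 8 ICMP packets
# crossed the bridge with br_netfilter active (values chosen for illustration).
AFTER='table ip libvirt_network {
    chain forward {
        type filter hook forward priority filter; policy accept;
        counter packets 8 bytes 672 jump guest_cross
        counter packets 0 bytes 0 jump guest_input
        counter packets 0 bytes 0 jump guest_output
    }
    chain guest_cross {
        iif "virbr3" oif "virbr3" counter packets 8 bytes 672 accept
    }
}'

# Live use (root, real host): take a dump, ping from one guest to another,
# take a second dump, then diff them.
#   nft list table ip libvirt_network > /tmp/before.txt
#   ... ping from guest A to guest B ...
#   nft list table ip libvirt_network > /tmp/after.txt
#   counter_delta /tmp/before.txt /tmp/after.txt
if [ "${1:-}" = "demo" ]; then
    echo "bridge-nf-call-iptables: $(bridge_nf_state)"
    b=$(mktemp); a=$(mktemp)
    printf '%s\n' "$BEFORE" > "$b"
    printf '%s\n' "$AFTER" > "$a"
    counter_delta "$b" "$a"
    rm -f "$b" "$a"
fi
```

If bridge_nf_state prints "br_netfilter not loaded" or 0, the zero counters say nothing about whether the rules match: the ping never enters the ip forward hook. With the module loaded and the sysctl at 1, the delta for the forward chain's first rule and for guest_cross should track the pings, while guest_input and guest_output stay at zero because guest_cross accepts the traffic first.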