
Hi, I recently installed a test box using CentOS 8 and installed a CentOS 8 guest via libvirt (KVM). I need to use "routed" forwarding as the datacenter only gives me individual IPs which are routed to the physical interface and the switch only accepts packets with a well-known MAC address. On the host I enabled firewalld and moved the guest to a specific firewalld zone. I verified that libvirt is detecting firewalld. My idea was that I could use this to create somewhat fine-grained filters on the host for traffic from the internet to the guest (and possibly vice-versa). However it seems like that does not work the way I wanted: It seems as if nothing changes when I allow/disallow SSH for that zone. I can still ssh from the internet to the guest. After several reads on the documentation I have a guess of what might be going on but I'd like to confirm that: https://libvirt.org/firewall.html#fw-firewalld-and-virtual-network-driver
"If firewalld is active on the host, libvirt will attempt to place the bridge interface of a libvirt virtual network into the firewalld zone named "libvirt" (thus making all guest->host traffic on that network subject to the rules of the "libvirt" zone)."

Does that mean libvirt's firewalld usage is ONLY for traffic guest->host and does not affect all other traffic (e.g. host->guest, guest<->internet)? That sounds incredibly narrow (and not very useful for me) but it would explain why I don't see any effects in my experiment...
---

On a related note, it would be nice if there was a way to make routed setups with individual IPs easier. This problem has haunted me for more than 10 years (I think I posted something in 2009 - still the same problem basically) and it would be nice if libvirt could somehow support this use case better: I want to allow traffic guest <-> internet in a routed setup. libvirt generates iptables rules like these:

    Chain LIBVIRT_FWO (1 references)
     pkts bytes target     prot opt in          out     source               destination
        0     0 ACCEPT     all  --  br-private  *       10.11.0.0/24         0.0.0.0/0
        0     0 REJECT     all  --  br-private  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
        0     0 ACCEPT     all  --  br-public   *       (NETWORK IP)         0.0.0.0/0
       43  3232 REJECT     all  --  br-public   *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

In my case "NETWORK IP" is a /32 IPv4 and AFAIK I have to put the host's IPv4 here (which is basically the router) so I can assign the guest IP inside the VM. What I need is basically a rule like the ACCEPT one above but with the GUEST IP. I have some elaborate Python script which I can use as a "network" hook but that requires parsing output of "iptables" due to libvirt's events (e.g. libvirtd restart triggers one "plugged" event per VM).

Thank you very much,
Felix
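One way to get the per-guest ACCEPT rule without parsing iptables output, as an added example (not the script described above and not libvirt's own code): a libvirt network hook that tests for each rule with `iptables -C` before inserting it, so a repeated "plugged" event after a libvirtd restart adds nothing. It assumes the routed network is named "public" on br-public, uses placeholder guest IPs, and relies on LIBVIRT_FWI being libvirt's forward-in counterpart of LIBVIRT_FWO; the argument order follows libvirt's documented network hook convention.

```python
#!/usr/bin/env python3
# libvirt network hook (/etc/libvirt/hooks/network): insert ACCEPT rules for
# routed guest IPs ahead of libvirt's REJECT in LIBVIRT_FWO / LIBVIRT_FWI.
# Added example, not libvirt's code; network name and IPs are constructed.
import subprocess
import sys

# Assumption: routed network "public" on br-public; guest IPs are placeholders.
GUESTS = {
    "public": {"bridge": "br-public", "ips": ["203.0.113.10", "203.0.113.11"]},
}

def rule_specs(bridge, guest_ip):
    """Rules one routed guest needs: guest -> internet (LIBVIRT_FWO) and
    internet -> guest (LIBVIRT_FWI, libvirt's forward-in chain)."""
    return [
        ("LIBVIRT_FWO", ["-i", bridge, "-s", guest_ip, "-j", "ACCEPT"]),
        ("LIBVIRT_FWI", ["-o", bridge, "-d", guest_ip, "-j", "ACCEPT"]),
    ]

def iptables(args):
    """Run iptables and return its exit status (0 = rule present / applied)."""
    return subprocess.run(["iptables"] + args, stderr=subprocess.DEVNULL).returncode

def ensure_rules(network, run=iptables):
    """Insert each rule at most once. 'iptables -C' tests for the rule, so no
    output parsing is needed and a repeated 'plugged' event adds nothing."""
    cfg = GUESTS.get(network)
    if cfg is None:
        return []
    added = []
    for ip in cfg["ips"]:
        for chain, spec in rule_specs(cfg["bridge"], ip):
            if run(["-C", chain] + spec) != 0:
                # "-I <chain> 1" places the rule ahead of libvirt's REJECT
                if run(["-I", chain, "1"] + spec) != 0:
                    raise RuntimeError(f"iptables -I {chain} failed for {ip}")
                added.append((chain, ip))
    return added

def main(argv):
    # libvirt invokes: network <name> <operation> <sub-operation> -
    if len(argv) < 3:
        return 1
    if argv[2] in ("started", "plugged"):
        ensure_rules(argv[1])
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The rules are ordinary iptables entries, so they show up in `iptables -L LIBVIRT_FWO -n -v` next to libvirt's own and are not persisted across a network restart, which is why the hook re-runs on "started".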