[libvirt-users] Easy solution for custom firewall rules- is it possible?

Hello All- I've looked in several places and haven't found an answer to this question: is it possible to have libvirt add custom rules to iptables for virtual network interfaces? I took a look at the "Firewall and Network Filtering in Libvirt" page and it seems overly complicated for what I want to do. Given an interface virbr2 and its network 192.168.4.0/24, libvirt installs the following rules in iptables. Essentially, these rules will drop any packets for the interface virbr2 where the source or destination is not on the 192.168.4.0/24 network. -P FORWARD ACCEPT -A FORWARD -d 192.168.4.0/24 -o virbr2 -j ACCEPT -A FORWARD -s 192.168.4.0/24 -i virbr2 -j ACCEPT -A FORWARD -i virbr2 -o virbr2 -j ACCEPT -A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable I have a VPN server on the 4/24 network- and it hands out addresses in the 8/24 network. So I would like libvirt to also create the following rules in iptables: -A FORWARD -d 192.168.8.0/24 -o virbr2 -j ACCEPT -A FORWARD -s 192.168.8.0/24 -i virbr2 -j ACCEPT I've tried creating direct rules in firewalld for the FORWARD_direct chain. Firewalld happily creates those rules, but they are never reached, because they fall AFTER the libvirt rules. I've also tried creating an IP address on the virbr2 interface in the 8/24 network, but that doesn't work either. How can I get this done? Thanks!! -JK