Details are in the commit log of patch 2. Essentially, we've been careful to only create the iptables chains once per run, because it's very expensive, but when firewalld is restarted, it removes our chains, so we need to put them back. I think this may have been a problem as far back as libvirt 5.1.0, when we began putting our iptables rules into private chains. Laine Stump (2): network: make it safe to call networkSetupPrivateChains() multiple times network: force re-creation of iptables private chains on firewalld restart src/network/bridge_driver.c | 16 +++--- src/network/bridge_driver_linux.c | 77 ++++++++++++++++++---------- src/network/bridge_driver_nop.c | 3 +- src/network/bridge_driver_platform.h | 2 +- 4 files changed, 62 insertions(+), 36 deletions(-) -- 2.25.4