Signed-off-by: Eric Garver <eric@xxxxxxxxxxx>
---
 src/network/bridge_driver_linux.c | 6 +++++-
 src/network/libvirt-to-host.policy | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index 98d2a33a1da0..2c8e43b427cb 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -859,7 +859,11 @@ int networkAddFirewallRules(virNetworkDef *def)
 * forwarded (and even DHCP and DNS from guest to host
 * will probably no be permitted by the default zone
 */
- if (virFirewallDZoneExists("libvirt")) {
+ if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE &&
+ virFirewallDZoneExists("libvirt-routed")) {
+ if (virFirewallDInterfaceSetZone(def->bridge, "libvirt-routed") < 0)
+ return -1;
+ } else if (virFirewallDZoneExists("libvirt")) {
 if (virFirewallDInterfaceSetZone(def->bridge, "libvirt") < 0)
 return -1;
 } else {
diff --git a/src/network/libvirt-to-host.policy b/src/network/libvirt-to-host.policy
index 045b35d58d0d..9ec489dc57b5 100644
--- a/src/network/libvirt-to-host.policy
+++ b/src/network/libvirt-to-host.policy
@@ -8,6 +8,7 @@
 </description>
 <ingress-zone name="libvirt" />
+ <ingress-zone name="libvirt-routed" />
 <egress-zone name="HOST" />
 <protocol value='icmp'/>
-- 
2.33.0
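Review bot: In `networkAddFirewallRules`, a routed network silently falls through to the `libvirt` zone whenever `virFirewallDZoneExists("libvirt-routed")` is false, so the filtering applied to the bridge depends on which zone files are installed and nothing records which zone was chosen. A log line in the `else if` branch would make that visible, for example `if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE) VIR_INFO("firewalld zone 'libvirt-routed' not found, using 'libvirt' for %s", def->bridge);`. The comment that ends just above the changed lines still speaks only of the default zone and could mention that routed networks prefer `libvirt-routed`. The function starts and ends outside the hunk, so whether logging is already set up in this file cannot be confirmed from here.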
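Review bot: The added `<ingress-zone name="libvirt-routed" />` makes the libvirt-to-host policy depend on a zone that this patch does not define. The diffstat lists only the driver and this policy file, so the zone definition presumably arrives in another patch of the series. If the policy can be installed without it, firewalld may reject a policy that names an unknown zone, so it is worth confirming that both files ship and are reloaded together. The change also appears to give guests on routed networks the same host-bound allowances as the `libvirt` zone (only `icmp` is visible here; the rest of the rule list is outside the hunk), so the `<description>` ending just above should say that both zones are covered.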