So I'm working with a libvirt issue that partly turned out, after many hours, to be "libvirt is adding rules to make its VMs work but it can't override my default reject in my main nftables rule set so nothing works for the VMs". There are many, many posts with libvirt specifically about problems like this with nftables. I assume similar things happen with docker and anything else that needs to be like "yeah I know you want to reject traffic but this system I'm managing needs to work".

The "problem" is that I have "reject with icmpx type port-unreachable" in my INPUT chain. Which, by the way, I got straight from /etc/nftables/main.nft in the nftables RPM on Fedora 41 (which is what I am running). 30 years of sysadminning leads me to believe that default-deny anything that isn't explicitly accepted is the correct move. :)

So my question is, what *should* happen here? As far as I can tell, there is absolutely nothing the libvirt tooling can do to override my reject. I can't jump between tables so I can't do like "jump libvirt_inp" in my chain. What's the right move?

Options I've thought of; I'm hoping there's something better:

- I try to add a very generic blanket accept for "traffic that's probably libvirt related"; I dunno, can I add a rule for virbr0 if libvirt hasn't set it up yet? That seems unlikely to work, and I can't see what else I could do for such a rule
- libvirt and I both move to firewalld, which I gather doesn't have this problem?
- It's just expected that I have to copy the libvirt rules in detail into my chain so the accepts happen in the right place

Surely this comes up regularly and there must be a standard response, but I definitely couldn't find anything on the nftables wiki.
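A constructed nftables ruleset, added here as an illustration and not part of the original post, showing why an accept in libvirt's own table cannot override the reject in the poster's INPUT chain, and the one rule that does fix it: an accept keyed on the bridge interface name, which loads even before virbr0 exists. The `filter`/`INPUT` chain is modelled on the Fedora main.nft template the post mentions; the `libvirt_example` table is a simplified stand-in for libvirt's rules, not its actual ruleset.

```nft
#!/usr/sbin/nft -f
# Constructed example. nftables evaluates EVERY base chain registered on a
# hook, in priority order. An "accept" verdict only ends the chain it is in;
# the packet still has to pass the remaining chains on that hook. A "reject"
# or "drop" in any one chain is final. So libvirt accepting traffic in its
# own table cannot rescue a packet that our chain rejects.

table inet filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        ct state established,related accept
        iif lo accept
        # The fix: admit traffic arriving on the libvirt bridge BEFORE the
        # reject. "iifname" compares the interface name per packet, so this
        # loads fine while virbr0 does not exist yet. "iif virbr0" instead
        # resolves to an interface index at load time and fails when the
        # bridge is absent (e.g. at boot, before libvirtd has created it).
        iifname "virbr0" accept
        tcp dport 22 accept
        # Default-deny everything else, as in the quoted Fedora template.
        reject with icmpx type port-unreachable
    }
}

# Illustrative stand-in for the table libvirt manages itself. Its accepts
# only end THIS chain; they have no effect on the reject in "filter INPUT".
table inet libvirt_example {
    chain guest_input {
        type filter hook input priority filter; policy accept;
        # Guests talking to the host-side dnsmasq on the bridge (DNS, DHCP).
        iifname "virbr0" udp dport { 53, 67 } accept
        iifname "virbr0" tcp dport 53 accept
    }
}
```

Scope the `iifname "virbr0" accept` rule down to the ports the guests actually need (as in the stand-in chain) if a blanket accept on the bridge is wider than the host should expose to its VMs.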