On 2/21/25 10:40, robinleepowell@xxxxxxxxx wrote:
> So my question is, what *should* happen here? As far as I can tell,
> there is absolutely nothing the libvirt tooling can do to override
> my reject.

The libvirt *tooling* can't do anything about it, but the libvirt *documentation* can. Rather than changing your firewall rules without telling you (!!!), libvirt should just document what network traffic requirements it has, and let you update your firewall appropriately yourself.

For example, [1] is the documentation from OpenShift explaining what sort of node-to-node traffic needs to be allowed, so people creating their own firewalls (via any technology) can avoid blocking critical cluster traffic.

-- Dan

[1] https://docs.openshift.com/container-platform/4.16/installing/install_config/configuring-firewall.html#network-flow-matrix_configuring-firewall