libvirt's nwfilter module can achieve that.
I'm currently working on opt-out patches to disable that functionality
if wished. I also don't use firewalld.

It's both paternalizing and annoying and takes away user flexibility in
exchange for nothing.

Check the nwfilter page to write your own filters, to begin with:

some more info:

On Thursday, 30.05.2019, 21:44 -0400, Joshua Kramer wrote:
> Hello All-
> I've looked in several places and haven't found an answer to this
> question: is it possible to have libvirt add custom rules to iptables
> for virtual network interfaces?  I took a look at the "Firewall and
> Network Filtering in Libvirt" page and it seems overly complicated for
> what I want to do.
> Given an interface virbr2 and its network, libvirt
> installs the following rules in iptables.  Essentially, these rules
> will drop any packets for the interface virbr2 where the source or
> destination is not on the network.
> -A FORWARD -d -o virbr2 -j ACCEPT
> -A FORWARD -s -i virbr2 -j ACCEPT
> -A FORWARD -i virbr2 -o virbr2 -j ACCEPT
> -A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable
> I have a VPN server on the 4/24 network- and it hands out addresses in
> the 8/24 network.  So I would like libvirt to also create the
> following rules in iptables:
> -A FORWARD -d -o virbr2 -j ACCEPT
> -A FORWARD -s -i virbr2 -j ACCEPT
> I've tried creating direct rules in firewalld for the FORWARD_direct
> chain.  Firewalld happily creates those rules, but they are never
> reached, because they fall AFTER the libvirt rules.  I've also tried
> creating an IP address on the virbr2 interface in the 8/24 network,
> but that doesn't work either.  How can I get this done?
> Thanks!!
> -JK
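The ordering problem the question describes (custom ACCEPT rules landing after libvirt's REJECT rules, so they are never reached) can be checked mechanically. The following script is an added example, not code from this thread or from libvirt: it parses the text of `iptables -S FORWARD`, locates the first libvirt REJECT rule for a given bridge, prints the `iptables -I FORWARD <pos>` commands that would place extra ACCEPT rules ahead of it, and flags ACCEPT rules that are shadowed. The subnets 10.0.2.0/24 (the virbr2 network) and 10.0.8.0/24 (the VPN client network) and the three rule listings are constructed placeholders, since the thread elides the real addresses.

```shell
#!/bin/sh
# Added example, not from the thread or from libvirt. Given the text of
# `iptables -S FORWARD`, find where libvirt's REJECT rules for a bridge sit,
# emit the `iptables -I FORWARD <pos>` commands that put extra ACCEPT rules
# ahead of them, and check a listing for ACCEPT rules that are shadowed.
# Nothing here touches the live ruleset: the commands are only printed.
# 10.0.2.0/24 (the virbr2 network) and 10.0.8.0/24 (the VPN client network)
# are constructed placeholders; the thread elides the real addresses.

# Constructed listing modelled on the rules quoted in the question, plus the
# firewalld FORWARD_direct jump, which is only reached after libvirt's rules.
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -d 10.0.2.0/24 -o virbr2 -j ACCEPT
-A FORWARD -s 10.0.2.0/24 -i virbr2 -j ACCEPT
-A FORWARD -i virbr2 -o virbr2 -j ACCEPT
-A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j FORWARD_direct'

# The questioner's situation: the extra ACCEPT rules exist, but they sit
# after the REJECT rules and are therefore shadowed (constructed).
SAMPLE_SHADOWED="$SAMPLE_FORWARD
-A FORWARD -d 10.0.8.0/24 -o virbr2 -j ACCEPT
-A FORWARD -s 10.0.8.0/24 -i virbr2 -j ACCEPT"

# The intended outcome: the same two rules inserted ahead of the REJECTs
# (constructed).
SAMPLE_FIXED='-P FORWARD ACCEPT
-A FORWARD -d 10.0.2.0/24 -o virbr2 -j ACCEPT
-A FORWARD -s 10.0.2.0/24 -i virbr2 -j ACCEPT
-A FORWARD -i virbr2 -o virbr2 -j ACCEPT
-A FORWARD -s 10.0.8.0/24 -i virbr2 -j ACCEPT
-A FORWARD -d 10.0.8.0/24 -o virbr2 -j ACCEPT
-A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j FORWARD_direct'

# first_reject_pos LISTING BRIDGE
# Print the 1-based position (as `iptables -I FORWARD <pos>` counts it) of the
# first REJECT rule that matches on BRIDGE as -i or -o. Only `-A FORWARD`
# lines count; the `-P` policy line is skipped. Returns 1 if none is found.
first_reject_pos() {
    pos=$(printf '%s\n' "$1" | grep '^-A FORWARD' | awk -v br="$2" '
        $0 ~ ("-[io] " br " ") && / -j REJECT/ { print NR; exit }')
    [ -n "$pos" ] || return 1
    printf '%s\n' "$pos"
}

# extra_subnet_rules LISTING BRIDGE SUBNET
# Print the two ACCEPT rules the question asks for, each inserted at the
# position of the first REJECT so that both land ahead of it.
extra_subnet_rules() {
    listing=$1; br=$2; subnet=$3
    pos=$(first_reject_pos "$listing" "$br") || {
        echo "no libvirt REJECT rule for $br in FORWARD" >&2; return 1; }
    printf 'iptables -I FORWARD %s -d %s -o %s -j ACCEPT\n' "$pos" "$subnet" "$br"
    printf 'iptables -I FORWARD %s -s %s -i %s -j ACCEPT\n' "$pos" "$subnet" "$br"
}

# accepts_precede_reject LISTING BRIDGE SUBNET
# Return 0 when every ACCEPT rule mentioning SUBNET comes before the first
# REJECT rule for BRIDGE, 1 when at least one ACCEPT rule can never be reached.
accepts_precede_reject() {
    listing=$1; br=$2; subnet=$3
    reject=$(first_reject_pos "$listing" "$br") || return 0   # nothing shadows them
    last_accept=$(printf '%s\n' "$listing" | grep '^-A FORWARD' | awk -v net="$subnet" '
        index($0, net) && / -j ACCEPT/ { last = NR } END { print last + 0 }')
    [ "$last_accept" -lt "$reject" ]
}

# Stand-alone run: print the insert commands, then report on the shadowed
# listing.
extra_subnet_rules "$SAMPLE_FORWARD" virbr2 10.0.8.0/24
if accepts_precede_reject "$SAMPLE_SHADOWED" virbr2 10.0.8.0/24; then
    echo "ordering ok"
else
    echo "ACCEPT rules for 10.0.8.0/24 sit after libvirt's REJECT rules and are never reached"
fi
```

On a real host the listing comes from `"$(iptables -S FORWARD)"` instead of the constructed strings. The positions are only valid for the ruleset as it is at that moment: libvirt reinstalls its per-network rules at the head of FORWARD when the network or libvirtd restarts, so rules placed this way need re-checking afterwards, which is exactly why the question asks for libvirt itself to own the extra rules.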
