I could never get the --set-log-denied=all to work, so instead I used the "iptables
-vnL FORWARD" command. I found that there is a rule that essentially says, "If
the destination is 192.168.4.0/24 and the out interface is virbr2, pass it through"
as well as "if the source network is 192.168.4.0/24 and the in interface is virbr2,
pass it through". However, there were no such rules for the 192.168.8.0/24 network.
So I need to duplicate those rules except using 192.168.8.0/24 in place of
192.168.4.0/24.
No big deal, right? I'll just add a Direct rule with the correct parameters. I did
that... and the rule is at the BOTTOM of the chain. So the packets never hit that rule
because they're dropped farther up the chain. (I did this by using the firewall-config
GUI, going to Direct Configuration, and entering a Direct rule as "ipv4 / mangle /
FORWARD / -1 / -d 192.168.8.0/24 -o virbr2 -j ACCEPT".) I thought that setting it to
-1 (or even -65535) would put this rule at the top.
How can I get this Direct rule to go to the top?
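As an added example (not from the poster or from firewalld/libvirt), here is a small POSIX sh check for the situation described above: it parses the output format of "iptables -vnL FORWARD" and reports whether a bridge network has the pair of ACCEPT rules (one per direction) before any REJECT/DROP rule for that bridge matches. The listing embedded in the script is constructed sample output, shaped like a typical libvirt FORWARD chain with rules only for 192.168.4.0/24; the function name has_forward_pair and the column positions it relies on are assumptions about the -vnL layout (pkts bytes target prot opt in out source destination).

```shell
#!/bin/sh
# Added example, not code from the original post.
# Checks an `iptables -vnL FORWARD` listing for the per-bridge rule pair that
# libvirt normally installs:
#   outbound: -d <subnet> -o <bridge> -j ACCEPT
#   inbound:  -s <subnet> -i <bridge> -j ACCEPT
# and reports a direction as missing when a REJECT/DROP rule for that bridge
# is reached first (rule order matters, as the question points out).

# Constructed sample listing in the `iptables -vnL FORWARD` format.
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      virbr2  0.0.0.0/0            192.168.4.0/24       ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr2 *       192.168.4.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  virbr2 virbr2  0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      virbr2  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# has_forward_pair LISTING SUBNET BRIDGE
# Prints "ok" and returns 0 when both directions are accepted before being
# blocked; otherwise prints the missing rule(s) in iptables syntax and returns 1.
has_forward_pair() {
    listing=$1; subnet=$2; bridge=$3
    printf '%s\n' "$listing" | awk -v net="$subnet" -v br="$bridge" '
        NR <= 2 { next }                      # skip chain header and column names
        {
            target=$3; in_if=$6; out_if=$7; src=$8; dst=$9
            term = (target=="REJECT" || target=="DROP")
            # a terminating rule for this bridge that matches our subnet (or any
            # destination/source) blocks that direction for every later rule
            if (term && out_if==br && (dst=="0.0.0.0/0" || dst==net) && !out_ok) out_blocked=1
            if (term && in_if==br  && (src=="0.0.0.0/0" || src==net) && !in_ok)  in_blocked=1
            if (target=="ACCEPT" && out_if==br && dst==net && !out_blocked) out_ok=1
            if (target=="ACCEPT" && in_if==br  && src==net && !in_blocked)  in_ok=1
        }
        END {
            if (out_ok && in_ok) { print "ok"; exit 0 }
            if (!out_ok) print "missing: -d " net " -o " br " -j ACCEPT"
            if (!in_ok)  print "missing: -s " net " -i " br " -j ACCEPT"
            exit 1
        }'
}

# Stand-alone usage against the constructed listing; on a live host you would
# feed it "$(iptables -vnL FORWARD)" instead.
has_forward_pair "$SAMPLE_FORWARD" 192.168.4.0/24 virbr2
has_forward_pair "$SAMPLE_FORWARD" 192.168.8.0/24 virbr2 || true
```

Two points worth keeping in mind when running this on a real host: "iptables -vnL FORWARD" without -t lists the filter table only, so a direct rule placed in the mangle table's FORWARD chain will never show up in that listing (use "iptables -t mangle -vnL FORWARD" to see it), and the check above only recognises the exact-subnet ACCEPT form, so rules written with a broader destination would need the match relaxed.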