firewalld creates an empty FORWARD_direct which is jumped to before the rest of firewalld rules. You probably want that.
It doesn't look like this is the case. This is my current FORWARD ruleset:
-P FORWARD ACCEPT
-A FORWARD -d 192.168.4.0/24 -o virbr2 -j ACCEPT
-A FORWARD -s 192.168.4.0/24 -i virbr2 -j ACCEPT
-A FORWARD -i virbr2 -o virbr2 -j ACCEPT
-A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
Note that it hits the rule "-A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable" before it gets to "-A FORWARD -j FORWARD_direct".
So the packets will never get to these rules I have in FORWARD_direct:
-N FORWARD_direct
-A FORWARD_direct -d 192.168.8.0/24 -o virbr2 -j ACCEPT
-A FORWARD_direct -s 192.168.8.0/24 -i virbr2 -j ACCEPT
I wonder if the libvirtd service is adding those REJECT rules that interfere with jumping to FORWARD_direct.
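A check for the ordering problem described in this thread, added here as an example and not taken from the thread or from firewalld/libvirt: it reads the FORWARD chain in `iptables -S` format and reports whether a REJECT or DROP on a given interface comes before the jump to FORWARD_direct. The embedded ruleset is the one quoted above; that a live host prints the same `-S` layout is an assumption.

```shell
#!/bin/sh
# Added example (not from the original thread): detect a REJECT/DROP on an
# interface that sits ahead of the FORWARD_direct jump in the FORWARD chain,
# which would keep any direct rules for that interface from being reached.

# Constructed sample: the FORWARD chain quoted in the post, in `iptables -S`
# format (assumption: the live host prints the same layout).
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -d 192.168.4.0/24 -o virbr2 -j ACCEPT
-A FORWARD -s 192.168.4.0/24 -i virbr2 -j ACCEPT
-A FORWARD -i virbr2 -o virbr2 -j ACCEPT
-A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# check_direct_order IFACE   (rules on stdin)
# Exit 0 if the FORWARD_direct jump precedes every REJECT/DROP matching IFACE;
# exit 1 and print the shadowing rule otherwise.
check_direct_order() {
    awk -v iface="$1" '
        /^-A FORWARD / {
            n++                                   # position within the chain
            if (!direct && $0 ~ /-j FORWARD_direct( |$)/) direct = n
            if (!shadow && $0 ~ ("-[io] " iface "( |$)") &&
                $0 ~ /-j (REJECT|DROP)( |$)/) { shadow = n; rule = $0 }
        }
        END {
            if (!direct) { print "no jump to FORWARD_direct"; exit 1 }
            if (shadow && shadow < direct) {
                print "rule " shadow " shadows FORWARD_direct (rule " direct "): " rule
                exit 1
            }
            print "FORWARD_direct (rule " direct ") is reached for " iface
        }'
}

# On a live host:  iptables -S FORWARD | check_direct_order virbr2
# With the sample above this reports rule 4 shadowing rule 8 and exits 1.
printf '%s\n' "$SAMPLE_RULES" | check_direct_order virbr2 || :
```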