On 2020-06-26 00:49, Eric Garver wrote:
There are two things:

  1) the libvirt zone
    - these are managed through firewalld and visible in firewalld UIs

  2) libvirt's iptables rules
    - these are completely separate and independent from firewalld
    - this is what's blocking the traffic to your VM

And there is no way to see what those rules are and verify this?  I'd like to submit
a bugzilla, so would you know what component it should be filed against?


Also, wouldn't one expect the rules to be the same for IPv4 and IPv6?
Hope the network diagram attachment makes it.

I don't recall what libvirt does for IPv6. But it's a different matter
because IPv6 likely is using NAT/masquerade.


Well, all of my IPv6 addresses are public and assigned by my ISP.  I don't think there
is NAT/masquerading needed/involved.