>I suspect I'm stumbling because I'm using libvirt NAT instead of a
>bridged device (which admittedly I don't fully understand). Dumping the
>nft ruleset, it looks like my zone settings strictly affect the zone's
>input chain.

Right. Firewalld does not yet support forward filtering. It's in the
works [1], but not functional yet.

[1]: https://github.com/firewalld/firewalld/pull/639
... 
>Are these considered FORWARDed packets, and therefore the INPUT chain
>rules I've actually written with my rich rule not apply? (They
>demonstrably are not logging.)

Correct.

So what would be the recommended way to block traffic out of the vm but whitelist its connection with another machine on the LAN? It sounds like I need to be writing rules that belong to the forward chain, but there isn't a way to do that with firewalld yet. Is this when a direct rule would be appropriate? And to which zone should it apply?
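Added example (editor's illustration, not a reply from anyone in this thread): what a direct-rule approach to the question above looks like. Direct rules are not attached to a zone at all; `firewall-cmd --direct --add-rule` names the table and chain explicitly, and the numeric priority orders rules inside that chain. The interface name `virbr0`, the VM network `192.168.122.0/24` and the whitelisted LAN host `192.168.1.10` are assumed placeholders (libvirt's default NAT network uses those first two; substitute your own). The script only prints the commands unless invoked as `apply`.

```shell
#!/bin/sh
# Added example, not code from the thread or from firewalld/libvirt.
# Assumed values (adjust to your environment):
VM_IF="${VM_IF:-virbr0}"                    # libvirt NAT bridge
VM_NET="${VM_NET:-192.168.122.0/24}"        # libvirt default NAT subnet
ALLOWED_HOST="${ALLOWED_HOST:-192.168.1.10}" # the one LAN machine the VM may reach

# Print the firewall-cmd invocations in the order the FORWARD chain must
# evaluate them. Direct rules are zone-less; the priority field (0..3 here)
# fixes their relative order inside FORWARD:
#   0  let packets of already-accepted connections through
#   1  allow the VM subnet to reach the whitelisted host
#   2  log everything else leaving the VM subnet
#   3  reject everything else leaving the VM subnet
vm_forward_rules() {
    cat <<EOF
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i $VM_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -i $VM_IF -s $VM_NET -d $ALLOWED_HOST -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 2 -i $VM_IF -s $VM_NET -j LOG --log-prefix "vm-fwd-reject: "
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 3 -i $VM_IF -s $VM_NET -j REJECT
EOF
}

# Apply the permanent rules and reload so they take effect at runtime.
apply_vm_forward_rules() {
    vm_forward_rules | sh -e && firewall-cmd --reload
}

# Show what firewalld ended up with, for checking against `nft list ruleset`.
show_vm_forward_rules() {
    firewall-cmd --direct --get-all-rules
}

case "${1:-}" in
    apply) apply_vm_forward_rules ;;
    show)  show_vm_forward_rules ;;
    *)     vm_forward_rules ;;
esac
```

Two checks worth doing after applying: `firewall-cmd --direct --get-all-rules` should list the four rules, and the FORWARD chain in `iptables -S FORWARD` (or the `ip filter` table in `nft list ruleset`) should show firewalld's direct-rule jump being evaluated before any ACCEPT rules that libvirt itself installs for the bridge; if libvirt's rules sit ahead of it, the reject rule is never reached and the log prefix above will stay silent.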