
I am trying to use libvirt and ufw on the same host, but both of them insert a lot of firewall rules and their own tables, and they don't always play nicely together.

The last problem I had was that ufw inserts its rules after libvirt. This worked fine, as libvirt mostly has specific rules that only apply to its own interfaces, and it is probably good when ufw does not interfere with the rules libvirt needs. But in the FORWARD table, libvirt inserts a final REJECT rule in one of its tables, breaking all "ufw route" rules, as the libvirt table comes before the ufw table.

My current workaround is to change iptables manually, but I wanted to use ufw in the hope that it plays together with libvirt more cleanly than manual rules, because loading rules, e.g. from netfilter-persistent, could possibly remove the tables created automatically by libvirt. Using manual rules in addition to the two automated systems is, of course, the worst solution, as there are now three places where rules come from.

What is the best practice for iptables/nftables, or possibly ufw, on a libvirt host?

allo
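An added check for the ordering problem the question describes; this is example code written for this page, not code from the poster, libvirt or ufw. It assumes the chain names a current libvirt (LIBVIRT_FWI, LIBVIRT_FWO, LIBVIRT_FWX) and ufw (ufw-before-forward, which jumps to ufw-user-forward where `ufw route` rules land) create in the filter table; the `iptables -S` text it parses is a constructed sample, not a capture from a real host:

```shell
#!/bin/sh
# Added example: report whether libvirt's FORWARD jumps (and the REJECT rules
# inside them) are evaluated before ufw's chains. It works on the text that
# `iptables -S` prints, so it runs on a saved dump as well as on live output.

# Constructed sample of `iptables -S` on a host running libvirt and ufw
# (libvirt default network 192.168.122.0/24 on virbr0). Not a real capture.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N LIBVIRT_FWI
-N LIBVIRT_FWO
-N LIBVIRT_FWX
-N ufw-before-forward
-N ufw-user-forward
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-reject-forward
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-user-forward -i eth0 -o virbr0 -p tcp --dport 22 -j ACCEPT'

# forward_order_check: reads `iptables -S` text on stdin and prints one of
#   libvirt-first  a LIBVIRT_FW* jump in FORWARD precedes ufw-before-forward
#   ufw-first      ufw-before-forward is reached before any libvirt chain
#   missing        one of the two is not hooked into FORWARD at all
forward_order_check() {
    awk '
        $1 == "-A" && $2 == "FORWARD" && $3 == "-j" {
            n++
            if ($4 ~ /^LIBVIRT_FW/ && lv == 0) lv = n
            if ($4 == "ufw-before-forward" && uf == 0) uf = n
        }
        END {
            if (lv == 0 || uf == 0) print "missing"
            else if (lv < uf) print "libvirt-first"
            else print "ufw-first"
        }'
}

# libvirt_reject_chains: prints, one per line and in order of appearance, the
# LIBVIRT_FW* chains that contain a REJECT rule. With libvirt-first ordering
# these rules end evaluation before ufw-user-forward ever sees the packet.
libvirt_reject_chains() {
    awk '
        $1 == "-A" && $2 ~ /^LIBVIRT_FW/ {
            for (i = 3; i <= NF; i++)
                if ($i == "-j" && $(i + 1) == "REJECT" && !seen[$2]++) print $2
        }'
}

# Demo on the constructed sample. On a real host feed the same functions with
# `iptables -S` (needs root); iptables-nft prints the same format on
# nftables-backed systems.
printf '%s\n' "$SAMPLE_RULES" | forward_order_check
printf '%s\n' "$SAMPLE_RULES" | libvirt_reject_chains
```

A result of `libvirt-first` together with LIBVIRT_FWI and LIBVIRT_FWO in the reject list is the situation the question describes: a packet forwarded into or out of virbr0 that does not match libvirt's own ACCEPT rules is rejected inside the libvirt chain, so a `ufw route` allow rule in ufw-user-forward is never consulted for it.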

0 Answers