Diffstat (limited to 'etc')
-rw-r--r--etc/nftables.conf16
1 files changed, 16 insertions, 0 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index 610aa7e..50bb842 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -14,11 +14,27 @@ table inet filter {
ct state {established, related} accept comment "allow tracked connections"
iif lo accept comment "allow from loopback"
meta l4proto { icmp, icmpv6 } accept comment "allow icmp"
+
+ # libvirt's NAT bridge: let guests reach the host's dnsmasq for DHCP+DNS.
+ # libvirt manages its own forward/NAT chains but does NOT touch the input
+ # chain, so without this rule guests get no IP (DHCP packets are dropped
+ # before dnsmasq sees them).
+ iif "virbr0" udp dport { 53, 67 } accept comment "libvirt: DHCP+DNS from guests"
+ iif "virbr0" tcp dport 53 accept comment "libvirt: DNS over TCP from guests"
+
pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
counter
}
chain forward {
type filter hook forward priority filter
policy drop
+
+ # libvirt's NAT bridge: permit guest traffic to be forwarded. libvirt's
+ # own table accepts these explicitly at the same hook+priority, but with
+ # nftables a packet must be accepted by ALL chains at that priority, so
+ # our policy=drop would otherwise block all guest egress and return
+ # traffic. Mirror libvirt's accepts here for the default NAT bridge.
+ iif "virbr0" accept comment "libvirt: guest egress"
+ oif "virbr0" ct state established,related accept comment "libvirt: guest return"
}
}
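Review bot: The forward accept on line 38, `iif "virbr0" accept`, has no source-address or outbound-interface match, so it is broader than the libvirt accepts the comment on lines 33–37 says it mirrors: a guest can send packets with any source address toward any interface the host has (other bridges, VPN tunnels, a second LAN) and this chain will pass them. While libvirt's own table is loaded the effective verdict is the intersection of both chains, so this is mostly latent, but if that table is absent (network not started, backend switched to iptables) this rule becomes the only forward filter for guest traffic. Binding it to the guest subnet keeps the intent and restores the anti-spoofing property, e.g. `iif "virbr0" ip saddr 192.168.122.0/24 accept` (192.168.122.0/24 is the stock default network — confirm with `virsh net-dumpxml default`), optionally adding an `oif` match for the uplink if guests should not reach other host interfaces at all. The comment's wording that a packet "must be accepted by ALL chains at that priority" is also slightly off: every base chain registered on the same hook is evaluated regardless of priority, and a `drop` in any one of them wins, so "by every base chain on the forward hook" would be the accurate phrasing.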