# nftables rules for guests attached to bridge virbr0, in the libvirt_network
# table of both the ip and ip6 families.
#
# The page shows each command as one argument per continuation line
# ("nft \ -ae insert \ rule ..."), collapsed by extraction. Here every command
# is written on a single line; arguments and command order are unchanged.
#
# Reading notes:
#   * Every command uses "insert", which places the rule at the head of its
#     chain. The effective evaluation order inside a chain is therefore the
#     reverse of the order below: the catch-all rejects issued first end up
#     last, and the most recently inserted subnet rules are evaluated first.
#   * -a / -e are nft's --handle / --echo options: the inserted rule is echoed
#     back together with its handle.
#   * NOTE(review): if this listing is compared byte-for-byte by a test
#     harness, keep these comments out of the fixture copy.

# --- IPv4 baseline: default-deny for the bridge, guest-to-guest allowed ---
# Evaluated last in guest_output: traffic entering from virbr0 that no subnet
# rule accepted (including sources outside the configured subnets) is rejected.
nft -ae insert rule ip libvirt_network guest_output iif virbr0 counter reject
# Evaluated last in guest_input: traffic leaving via virbr0 that is not a
# reply to a guest-initiated flow is rejected.
nft -ae insert rule ip libvirt_network guest_input oif virbr0 counter reject
# Traffic that enters and leaves on virbr0 (guest to guest) is accepted.
nft -ae insert rule ip libvirt_network guest_cross iif virbr0 oif virbr0 counter accept

# --- IPv6 baseline: same three rules in the ip6 family ---
nft -ae insert rule ip6 libvirt_network guest_output iif virbr0 counter reject
nft -ae insert rule ip6 libvirt_network guest_input oif virbr0 counter reject
nft -ae insert rule ip6 libvirt_network guest_cross iif virbr0 oif virbr0 counter accept

# --- IPv4 subnet 192.168.122.0/24 ---
# Outbound from the subnet is accepted; inbound to it only for conntrack
# states related,established, so unsolicited inbound connections fall through
# to the reject above.
nft -ae insert rule ip libvirt_network guest_output ip saddr 192.168.122.0/24 iif virbr0 counter accept
nft -ae insert rule ip libvirt_network guest_input oif virbr0 ip daddr 192.168.122.0/24 ct state related,established counter accept
# Source NAT for traffic leaving the subnet. The protocol-agnostic masquerade
# is inserted first, so it is evaluated after the udp/tcp rules and only
# handles the remaining protocols.
nft -ae insert rule ip libvirt_network guest_nat ip saddr 192.168.122.0/24 ip daddr '!=' 192.168.122.0/24 counter masquerade
# NOTE(review): "to :500-1000" maps translated source ports into a range below
# 1024. Peers that treat a low source port as a sign of a privileged sender
# (for example NFS exports relying on the "secure" option) will see guest
# traffic that way; confirm this range is intended outside of test data.
nft -ae insert rule ip libvirt_network guest_nat meta l4proto udp ip saddr 192.168.122.0/24 ip daddr '!=' 192.168.122.0/24 counter masquerade to :500-1000
nft -ae insert rule ip libvirt_network guest_nat meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr '!=' 192.168.122.0/24 counter masquerade to :500-1000
# Limited broadcast and 224.0.0.0/24 multicast destinations return from the
# chain before any masquerade rule is reached, so they are not translated.
nft -ae insert rule ip libvirt_network guest_nat ip saddr 192.168.122.0/24 ip daddr 255.255.255.255/32 counter return
nft -ae insert rule ip libvirt_network guest_nat ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter return

# --- IPv4 subnet 192.168.128.0/24: same rule set as above ---
nft -ae insert rule ip libvirt_network guest_output ip saddr 192.168.128.0/24 iif virbr0 counter accept
nft -ae insert rule ip libvirt_network guest_input oif virbr0 ip daddr 192.168.128.0/24 ct state related,established counter accept
nft -ae insert rule ip libvirt_network guest_nat ip saddr 192.168.128.0/24 ip daddr '!=' 192.168.128.0/24 counter masquerade
nft -ae insert rule ip libvirt_network guest_nat meta l4proto udp ip saddr 192.168.128.0/24 ip daddr '!=' 192.168.128.0/24 counter masquerade to :500-1000
nft -ae insert rule ip libvirt_network guest_nat meta l4proto tcp ip saddr 192.168.128.0/24 ip daddr '!=' 192.168.128.0/24 counter masquerade to :500-1000
nft -ae insert rule ip libvirt_network guest_nat ip saddr 192.168.128.0/24 ip daddr 255.255.255.255/32 counter return
nft -ae insert rule ip libvirt_network guest_nat ip saddr 192.168.128.0/24 ip daddr 224.0.0.0/24 counter return

# --- IPv6 prefix 2001:db8:ca2:2::/64 ---
# Same accept / reply-only / masquerade pattern in the ip6 family; the only
# NAT exemption listed for this prefix is the ff02::/16 multicast destination.
nft -ae insert rule ip6 libvirt_network guest_output ip6 saddr 2001:db8:ca2:2::/64 iif virbr0 counter accept
nft -ae insert rule ip6 libvirt_network guest_input oif virbr0 ip6 daddr 2001:db8:ca2:2::/64 ct state related,established counter accept
nft -ae insert rule ip6 libvirt_network guest_nat ip6 saddr 2001:db8:ca2:2::/64 ip6 daddr '!=' 2001:db8:ca2:2::/64 counter masquerade
nft -ae insert rule ip6 libvirt_network guest_nat meta l4proto udp ip6 saddr 2001:db8:ca2:2::/64 ip6 daddr '!=' 2001:db8:ca2:2::/64 counter masquerade to :500-1000
nft -ae insert rule ip6 libvirt_network guest_nat meta l4proto tcp ip6 saddr 2001:db8:ca2:2::/64 ip6 daddr '!=' 2001:db8:ca2:2::/64 counter masquerade to :500-1000
nft -ae insert rule ip6 libvirt_network guest_nat ip6 saddr 2001:db8:ca2:2::/64 ip6 daddr ff02::/16 counter return