What were you trying to do that didn't work?

Use networking on my VM after I updated my host's firewall settings.

What is the impact of this issue to you?

It breaks critical tests. For production: customers can't update their firewall settings without breaking VM connectivity (if using NAT and dynamic IP addresses) for new VMs.

Please provide the package NVR for which the bug is seen:

libvirt-10.8.0-1.el9/el10

How reproducible is this bug?:

100%

Steps to reproduce

1. Have a VM connected to libvirt's default NAT network via

   <interface type="network">
     <mac address="52:54:00:25:23:21"/>
     <source network="default"/>
     <model type="virtio"/>
     <address .../>
   </interface>
   

2.  Reload the firewall rules

   # firewall-cmd --reload

3. Start a VM, log into it and confirm it has an IP address

   ip a

Expected results

The VM has an IP address, it can successfully ping the host.

Actual results

The VM doesn't get an IP address.

Additional notes

1. Starting the VM after restarting the default network fixes the problem,

   virsh net-destroy default; virsh net-start default

2. Running VMs are not affected, they still have connectivity
3. Attaching virtnetworkd logs
4. In the system log I could see

   ...firewalld[98017]: ERROR: UNKNOWN_INTERFACE: 'virbr0' is not in any zone

5. This happened on s390x, I'll request help to try and reproduce on x86_64.
6. Hit by gating test

   virtual_disks.multidisks.hotplug.single_disk_test.disk_scsi_block_size.block_size_512

7. Tried to get IP in guest with

   dhclient

   to no avail.

8. This didn't happen in libvirt-10.5.0-7.el9_5 nor libvirt-10.5.0-5.el10