sysconfig/roles/libvirt/files/libvirt-nftables.patch


--- nftables.nft
+++ nftables.nft
@@ -87,13 +87,31 @@
ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept \
comment "Accept DHCPv6 replies from IPv6 link-local addresses"
+
+ iifname "virbr0" udp dport 53 accept
+ iifname "virbr0" tcp dport 53 accept
+ iifname "virbr0" udp dport 67 accept
+ iifname "virbr0" tcp dport 67 accept
}
chain forward {
type filter hook forward priority 0; policy drop;
+ ct state invalid drop
+ oifname "virbr0" ip daddr 192.168.122.0/24 ct state { established, related } accept
+ iifname "virbr0" ip saddr 192.168.122.0/24 accept
+ iifname "virbr0" oifname "virbr0" accept
+ oifname "virbr0" reject with icmpx type port-unreachable
+ iifname "virbr0" reject with icmpx type port-unreachable
}
chain output {
type filter hook output priority 0; policy accept;
+ }
+}
+
+table inet nat {
+ chain postrouting {
+ type nat hook postrouting priority 100
+ ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 masquerade
}
}
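Review bot: The masquerade rule on the last added line catches every packet from 192.168.122.0/24 whose destination is outside that subnet, so guest multicast and limited-broadcast traffic (224.0.0.0/24, 255.255.255.255) is source-NATed too; libvirt's own NAT rules return early for those destinations before masquerading, and adding `ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 return` and `ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 return` ahead of the masquerade line keeps parity with them. The hook line `type nat hook postrouting priority 100` is also the only chain header in the hunk without a terminating `;` — a newline is, as far as I can tell, an accepted separator, but writing it as `type nat hook postrouting priority 100; policy accept;` matches the surrounding chains and makes the chain policy explicit. Note as well that the added forward rules match only `ip saddr`/`ip daddr`, so IPv6 traffic from the bridge falls through to the chain's `policy drop`; if that is intended, a comment such as `# IPv6 from guests is deliberately not forwarded or NATed` next to the forward rules would save the next reader from guessing.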