Comment 5 for bug 595501

It's pretty much the same issue for all three types of "virtual network driver" use cases with libvirt, since libvirt adds iptables rules with REJECTS which you can't override with ufw.

I guess the solution is to tell libvirt to add its rules to configurable chains so that one can hook these chains into a wider firewall config.