Why doesn't libvirt cooperate with iptables on fedora 32

I'm trying to use pretty much the default installation of libvirt / kvm on Fedora 32.

After installing libvirt, I'm trying to start up the default network: virsh net-start default.

But for some reason, there's a number of chains which are missing, so it fails. For example the new rules which libvirt tries to load start with:

-A IN_libvirt_allow -p udp --dport 67 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT

But there's no IN_libvirt_allow (or IN_libvirt_post, FORWARD_OUT_ZONES, ...).

I do have some libvirt related chains like LIBVIRT_INP / LIBVIRT_OUT, but I'm not sure which ones belong to libvirt and which ones to firewalld and how they're supposed to work together.

What piece of setup am I missing?

Fedora 32 is the first Fedora release to switch to nftables. Libvirtd currently creates a mix of firewall rules by writing (legacy) iptables rules directly and asking firewalld to create the rules it needs. You (currently) must be using firewalld for libvirtd to work correctly on this distro.

So this turned out to be a problem with configuration from Fedora 31 carried over, but not working correctly. After removing firewalld customisations (remove / move /etc/firewalld/zones somewhere), firewalld initialises the required chains correctly.

There was also a bunch of errors raised in firewalld's log output:

ERROR: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory

I did not investigate which specific setting caused it.