How to configure firewalld on the host to be able to access "routed" containers from the internet?

Alright. I figured it out, but it was… a painful learning experience :slight_smile: . My last attempt was actually correct, but I had a misconfiguration in the container (basically I had a different image loaded than I thought, the one with broken networking). So to sum this up, there seem to be two ways of configuring this:

  1. The simplest one is to move the veth of the container to the public zone where your main interface is. However, I assume that this way all public firewall rules will also apply to your containers (please correct me someone if I’m wrong, but it seems logical), and you want to have a separation there.
  2. You can also keep your veths in a separate zone. For that, you need to do this:

Create an lxd zone. This is the zone for containers. Then assign the container’s veth to this zone.

firewall-cmd --permanent --new-zone lxd
firewall-cmd --permanent --change-zone=[your-containers-veth-name] --zone=lxd

The next thing is to create a policy:

firewall-cmd --permanent --new-policy lxd-forwarding
firewall-cmd --permanent --policy lxd-forwarding --add-ingress-zone public
firewall-cmd --permanent --policy lxd-forwarding --add-egress-zone lxd
firewall-cmd --permanent --policy lxd-forwarding --set-target ACCEPT
firewall-cmd --reload

This seems to be a minimal setup that did it for me. I hope it will help someone!


And one more thing that may clear up some confusion. I believe the direct rule ipv4 filter FORWARD 0 -j ACCEPT didn’t work because it’s an iptables rule and firewalld uses nftables as a backend by default. At least, it does in AlmaLinux 9.

That’s what’s often confusing about LXD: to get a working network, you often have to do different things on each distro (host and container alike). Also, container vs VM may require different steps, and so on. It would be nice if we had a single source of knowledge on how to set up bridge/routed networking on all popular distros (with their multiple major versions). I could contribute with what I’m discovering :slight_smile: .
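The zone-plus-policy steps from the post above, wrapped in a small POSIX shell script as an added example (not code from the original post or from the LXD project). It assumes firewall-cmd is on the host; setting FIREWALL_CMD=echo prints the commands instead of applying them, and the optional port-restricted variant (policy --add-port instead of the ACCEPT target) is my assumption about firewalld policy options, not something the post describes.

```shell
#!/bin/sh
# Added example: apply the firewalld zone + policy setup for LXD routed containers.
# FIREWALL_CMD can be overridden (e.g. FIREWALL_CMD=echo) to dry-run the commands.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Reject interface names the kernel would not accept (empty, >15 chars, odd characters),
# so a typo never ends up as a zone member.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Create the lxd zone and move the container's veth into it (steps from the post).
lxd_zone_setup() {
    valid_ifname "$1" || { echo "bad interface name: '$1'" >&2; return 1; }
    "$FIREWALL_CMD" --permanent --new-zone lxd &&
    "$FIREWALL_CMD" --permanent --change-zone="$1" --zone=lxd
}

# Create the public -> lxd forwarding policy. With no arguments it uses the post's
# ACCEPT target (everything forwarded). With port arguments such as 80/tcp it adds
# per-port rules on the policy instead, so only those ports are forwarded (assumption:
# firewalld policies accept --add-port just as zones do).
lxd_policy_setup() {
    "$FIREWALL_CMD" --permanent --new-policy lxd-forwarding &&
    "$FIREWALL_CMD" --permanent --policy lxd-forwarding --add-ingress-zone public &&
    "$FIREWALL_CMD" --permanent --policy lxd-forwarding --add-egress-zone lxd || return 1
    if [ "$#" -eq 0 ]; then
        "$FIREWALL_CMD" --permanent --policy lxd-forwarding --set-target ACCEPT
    else
        for p in "$@"; do
            "$FIREWALL_CMD" --permanent --policy lxd-forwarding --add-port="$p" || return 1
        done
    fi
}

# Full procedure: zone, policy, then reload so the permanent config becomes active.
lxd_firewall_apply() {
    veth="$1"; shift
    lxd_zone_setup "$veth" && lxd_policy_setup "$@" && "$FIREWALL_CMD" --reload
}
```

Run as root with the container's veth name, e.g. `lxd_firewall_apply veth1234abcd 80/tcp 443/tcp`, or prefix with `FIREWALL_CMD=echo` to review the commands first.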