
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

0 votes
0 answers
191 views
Centos 8 kvm bridged guest (OS type hvm) can only communicate with host
A little stumped with my kvm host, especially since I set up the exact same situation on a different host and it works well. I have a proxmox Centos 8 vm that I've had to set up as a kvm host, with a single interface and multiple network bridges for kvm guests. So the vms have to be type hvm (nested hypervisor). I set up a kvm guest (vyos vm) on a bridged interface, expecting it to be able to communicate with the host network, but unless I set up firewalld masquerading, the guest can't communicate with the host's gateway and network, only with the host itself; host + guest can ping each other.

Host sysctl.conf is normal:

net.ipv4.ip_forward = 1
net.ipv4.conf.all.proxy_arp = 1
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0

Firewalld as well:

firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: br0 br1 ens18
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

The nested vm:

virsh dominfo
Id: 1
Name:
UUID: 6ce2fae5-2e57-428b-ad29-49a067866161
OS Type: hvm
State: running
CPU(s): 4

I haven't noticed anything else. Please help, anyone!
Unpossible (539 rep)
Dec 27, 2021, 07:59 AM • Last activity: Dec 27, 2021, 09:51 AM
1 votes
0 answers
277 views
Defining GPIO for LED board - Meraki MX100
I have a Meraki MX100 that I have installed VyOS on. While otherwise perfectly functional, the one thing that I cannot seem to get working is the LED board on the front panel. I'm no developer, which I'm sure is 99% of the issue here. The LEDs don't show up in /sys/class/leds/. I believe that the LEDs are driven from a GPIO interface, but I don't know how to say "Hey Linux, these are LEDs". The Meraki MX100 is a proprietary design and information is hard to come by. I'm including a picture of the back of the LED board. The header for the cable on the motherboard isn't notably labeled.
Ozzy S (111 rep)
Mar 23, 2019, 01:06 PM • Last activity: Jun 28, 2021, 03:03 AM
2 votes
2 answers
921 views
How to convert `iptables -S` output to a breadth-first listing
I'm looking for a program that takes the output of `iptables -S` and converts it to a breadth-first listing. Why? I'm doing some work on a router using VyOS where several layers of tables are pre-installed, so it is difficult to trace back all the rules connected to INPUT, FORWARD, and OUTPUT.

-----

As per @JeffSchaller's request, here is sample output that needs to be parsed:
$ sudo iptables -S 
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N LAN1_IN
-N MINIUPNPD
-N UBNT_FW_IN_SUSPEND_HOOK
-N UBNT_PFOR_FW_HOOK
-N UBNT_PFOR_FW_RULES
-N UBNT_VPN_IPSEC_FW_HOOK
-N UBNT_VPN_IPSEC_FW_IN_HOOK
-N VYATTA_FW_IN_HOOK
-N VYATTA_FW_LOCAL_HOOK
-N VYATTA_FW_OUT_HOOK
-N VYATTA_POST_FW_FWD_HOOK
-N VYATTA_POST_FW_IN_HOOK
-N VYATTA_POST_FW_OUT_HOOK
-N WAN_IN
-N WAN_LOCAL
-N WAN_OUT
-A INPUT -j UBNT_VPN_IPSEC_FW_HOOK
-A INPUT -j VYATTA_FW_LOCAL_HOOK
-A INPUT -j VYATTA_POST_FW_IN_HOOK
-A FORWARD -j MINIUPNPD
-A FORWARD -j UBNT_VPN_IPSEC_FW_IN_HOOK
-A FORWARD -j UBNT_PFOR_FW_HOOK
-A FORWARD -j UBNT_FW_IN_SUSPEND_HOOK
-A FORWARD -j VYATTA_FW_IN_HOOK
-A FORWARD -j VYATTA_FW_OUT_HOOK
-A FORWARD -j VYATTA_POST_FW_FWD_HOOK
-A OUTPUT -j VYATTA_POST_FW_OUT_HOOK
-A LAN1_IN -m comment --comment LAN1_IN-10 -m state --state INVALID -j LOG --log-prefix "[LAN1_IN-10-D]"
-A LAN1_IN -m comment --comment LAN1_IN-10 -m state --state INVALID -j DROP
-A LAN1_IN -p udp -m comment --comment LAN1_IN-20 -m udp --dport 53 -m set --match-set dnsaddr dst -j RETURN
-A LAN1_IN -p udp -m comment --comment LAN1_IN-30 -m set --match-set dnsaddr src -m udp --dport 53 -j RETURN
-A LAN1_IN -m comment --comment LAN1_IN-60 -m state --state NEW -j RETURN
-A LAN1_IN -m comment --comment LAN1_IN-70 -m state --state RELATED -j RETURN
-A LAN1_IN -m comment --comment LAN1_IN-80 -m state --state ESTABLISHED -j RETURN
-A LAN1_IN -m comment --comment "LAN1_IN-10000 default-action drop" -j LOG --log-prefix "[LAN1_IN-default-D]"
-A LAN1_IN -m comment --comment "LAN1_IN-10000 default-action drop" -j DROP
-A VYATTA_FW_IN_HOOK -i eth0 -j WAN_IN
-A VYATTA_FW_IN_HOOK -i eth1 -j LAN1_IN
-A VYATTA_FW_LOCAL_HOOK -i eth0 -j WAN_LOCAL
-A VYATTA_FW_OUT_HOOK -o eth0 -j WAN_OUT
-A VYATTA_POST_FW_FWD_HOOK -j ACCEPT
-A VYATTA_POST_FW_IN_HOOK -j ACCEPT
-A VYATTA_POST_FW_OUT_HOOK -j ACCEPT
-A WAN_IN -m comment --comment WAN_IN-10 -m state --state ESTABLISHED -j RETURN
-A WAN_IN -m comment --comment WAN_IN-20 -m state --state RELATED -j RETURN
-A WAN_IN -m comment --comment WAN_IN-30 -m state --state INVALID -j LOG --log-prefix "[WAN_IN-30-D]"
-A WAN_IN -m comment --comment WAN_IN-30 -m state --state INVALID -j DROP
-A WAN_IN -m comment --comment "WAN_IN-10000 default-action drop" -j DROP
-A WAN_LOCAL -m comment --comment WAN_LOCAL-10 -m state --state ESTABLISHED -j RETURN
-A WAN_LOCAL -m comment --comment WAN_LOCAL-20 -m state --state RELATED -j RETURN
-A WAN_LOCAL -m comment --comment WAN_LOCAL-30 -m state --state INVALID -j LOG --log-prefix "[WAN_LOCAL-30-D]"
-A WAN_LOCAL -m comment --comment WAN_LOCAL-30 -m state --state INVALID -j DROP
-A WAN_LOCAL -m comment --comment "WAN_LOCAL-10000 default-action drop" -j LOG --log-prefix "[WAN_LOCAL-default-D]"
-A WAN_LOCAL -m comment --comment "WAN_LOCAL-10000 default-action drop" -j DROP
-A WAN_OUT -m comment --comment WAN_OUT-10 -m state --state NEW -j RETURN
-A WAN_OUT -m comment --comment WAN_OUT-20 -m state --state RELATED -j RETURN
-A WAN_OUT -m comment --comment WAN_OUT-30 -m state --state ESTABLISHED -j RETURN
-A WAN_OUT -m comment --comment WAN_OUT-40 -m state --state INVALID -j LOG --log-prefix "[WAN_OUT-40-D]"
-A WAN_OUT -m comment --comment WAN_OUT-40 -m state --state INVALID -j DROP
-A WAN_OUT -m comment --comment "WAN_OUT-10000 default-action drop" -j LOG --log-prefix "[WAN_OUT-default-D]"
-A WAN_OUT -m comment --comment "WAN_OUT-10000 default-action drop" -j DROP
--------------

I am selecting @LL3's answer as correct, first past the post. @LL3's answer has since been modified to be able to read stdin, so I removed the patch doing the same.

Kudos to perl-master @JeffSchaller's (slightly later) complete answer showing both a breadth-first listing and, separately, a *graphviz* output.
Craig Hicks (746 rep)
Apr 3, 2019, 08:00 PM • Last activity: Apr 6, 2019, 04:40 AM
0 votes
1 answers
252 views
Can Shorewall be used on VyOS?
Will VyOS still work right if I install Shorewall-lite on it? Shorewall seems like an easier way to set up a network, but VyOS seems pretty great for day-to-day management of a router / firewall. So I was wondering if they are compatible. From what I understand about Shorewall, it just generates a bunch of iptables rules, and VyOS is a Linux distro with iptables, so it seems to me that it should work, but I thought I would just check if there were any other caveats about why they are not compatible that I should know about before putting the research into setting something like this up.
leeand00 (4939 rep)
Dec 22, 2015, 04:54 PM • Last activity: Dec 23, 2015, 04:19 AM
Showing page 1 of 4 total questions