Vagrant cannot mount /vagrant

I am trying to use Vagratn with the following Vagrantfile:

Vagrant.configure("2") do |config|
  # The most common configuration options are documented and commented below.
  # For a complete reference, please see the online documentation at
  # https://docs.vagrantup.com.

  # Every Vagrant development environment requires a box. You can search for
  # boxes at https://vagrantcloud.com/search.
  config.vm.box = "kalilinux/rolling"

  # Disable automatic box update checking. If you disable this, then
  # boxes will only be checked for updates when the user runs
  # `vagrant box outdated`. This is not recommended.
  # config.vm.box_check_update = false

  # Create a forwarded port mapping which allows access to a specific port
  # within the machine from a port on the host machine. In the example below,
  # accessing "localhost:8080" will access port 80 on the guest machine.
  # NOTE: This will enable public access to the opened port
  # config.vm.network "forwarded_port", guest: 80, host: 8080

  # Create a forwarded port mapping which allows access to a specific port
  # within the machine from a port on the host machine and only allow access
  # via 127.0.0.1 to disable public access
  # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"

  # Create a private network, which allows host-only access to the machine
  # using a specific IP.
  # config.vm.network "private_network", ip: "192.168.33.10"

  # Create a public network, which generally matched to bridged network.
  # Bridged networks make the machine appear as another physical device on
  # your network.
  # config.vm.network "public_network"

  # Share an additional folder to the guest VM. The first argument is
  # the path on the host to the actual folder. The second argument is
  # the path on the guest to mount the folder. And the optional third
  # argument is a set of non-required options.
  # config.vm.synced_folder "../data", "/vagrant_data"

  # Provider-specific configuration so you can fine-tune various
  # backing providers for Vagrant. These expose provider-specific options.
  # Example for VirtualBox:
  #
  # config.vm.provider "virtualbox" do |vb|
  #   # Display the VirtualBox GUI when booting the machine
  #   vb.gui = true
  #
  #   # Customize the amount of memory on the VM:
  #   vb.memory = "1024"
  # end
  #
  # View the documentation for the provider you are using for more
  # information on available options.

  # Enable provisioning with a shell script. Additional provisioners such as
  # Ansible, Chef, Docker, Puppet and Salt are also available. Please see the
  # documentation for more information about their specific syntax and use.
  # config.vm.provision "shell", inline: <<-SHELL
  #   apt-get update
  #   apt-get install -y apache2
  # SHELL
end

And when starting I get this error:

Hack> vagrant halt
==> default: Attempting graceful shutdown of VM...
raygoza@localhost:~/Schreibtisch/Hack> vagrant halt
raygoza@localhost:~/Schreibtisch/Hack> vagrant up
Bringing machine 'default' up with 'libvirt' provider...
==> default: Checking if box 'kalilinux/rolling' version '2023.2.0' is up to date...
==> default: Creating shared folders metadata...
==> default: Starting domain.
==> default: Waiting for domain to get an IP address...
==> default: Waiting for machine to boot. This may take a few minutes...
    default: SSH address: 192.168.121.180:22
    default: SSH username: vagrant
    default: SSH auth method: private key
    default: Warning: Connection refused. Retrying...
==> default: Machine booted and ready!
==> default: Exporting NFS shared folders...
==> default: Preparing to edit /etc/exports. Administrator privileges will be required...
[sudo] Passwort für root: 
==> default: Mounting NFS shared folders...
The following SSH command responded with a non-zero exit status.
Vagrant assumes that this means the command failed!

mount -o vers=3,udp 192.168.121.1:/home/user/Schreibtisch/Hack /vagrant

Stdout from the command:



Stderr from the command:

mount.nfs: Connection refused

I am not familiar with Vagrant, but the error means there is no NFS service with UDP support on host 192.168.121.1 or firewall on this host blocks it.

I activate NFS in yast. So no idea, not sure if have to edit firewall-cmd

The obvious first step in answering it - stop firewall and check if it works now.

My /etc/exports in the meanwhlie

# VAGRANT-BEGIN: 1000 11111111-1111-1111-1111-1111111111111
"/home/raygoza/user/Hack" 192.168.121.111(rw,no_subtree_check,all_squash,anonuid=1000,anongid=100,fsid=1556062365)
# VAGRANT-END: 1000 11111111-1111-1111-1111-11111111111

How can I disable firewall?, or is just enough with systemctl stop firewalld? because the same error happens

Then it is not firewall. Post full output of

rpcinfo -p

> sudo rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  56403  status
    100024    1   tcp  40665  status
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100005    2   udp  20048  mountd
    100005    2   tcp  20048  mountd
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100003    3   udp   2049  nfs
    100227    3   udp   2049  nfs_acl
    100021    1   udp  44334  nlockmgr
    100021    3   udp  44334  nlockmgr
    100021    4   udp  44334  nlockmgr
    100021    1   tcp  37143  nlockmgr
    100021    3   tcp  37143  nlockmgr
    100021    4   tcp  37143  nlockmgr

Just to be sure - you are doing it on the host 192.168.121.1? To verify

rpcinfo -p 192.168.121.1

Here from the host

> sudo rpcinfo -p 192.168.121.1
[sudo] Passwort für root: 
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  56403  status
    100024    1   tcp  40665  status
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100005    2   udp  20048  mountd
    100005    2   tcp  20048  mountd
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100003    3   udp   2049  nfs
    100227    3   udp   2049  nfs_acl
    100021    1   udp  44334  nlockmgr
    100021    3   udp  44334  nlockmgr
    100021    4   udp  44334  nlockmgr
    100021    1   tcp  37143  nlockmgr
    100021    3   tcp  37143  nlockmgr
    100021    4   tcp  37143  nlockmgr

Still looks good. Could you show as root

ss -lnup

You are sure that I really disabled the firewall?

[sudo] Passwort für root: 
State      Recv-Q     Send-Q                              Local Address:Port            Peer Address:Port     Process                                                                                                       
UNCONN     0          0                                         0.0.0.0:44334                0.0.0.0:*                                                                                                                      
UNCONN     0          0                                         0.0.0.0:20048                0.0.0.0:*         users:(("rpc.mountd",pid=25325,fd=7))                                                                        
UNCONN     0          0                                         0.0.0.0:5353                 0.0.0.0:*         users:(("avahi-daemon",pid=2231,fd=11))                                                                      
UNCONN     0          0                                         0.0.0.0:38587                0.0.0.0:*         users:(("avahi-daemon",pid=2231,fd=13))                                                                      
UNCONN     0          0                                         0.0.0.0:64018                0.0.0.0:*         users:(("rpcbind",pid=2718,fd=10))                                                                           
UNCONN     0          0                                         0.0.0.0:56403                0.0.0.0:*         users:(("rpc.statd",pid=2719,fd=7))                                                                          
UNCONN     0          0                                   192.168.121.1:53                   0.0.0.0:*         users:(("dnsmasq",pid=17279,fd=5))                                                                           
UNCONN     0          0                                   192.168.122.1:53                   0.0.0.0:*         users:(("dnsmasq",pid=3103,fd=5))                                                                            
UNCONN     0          0                                  0.0.0.0%virbr1:67                   0.0.0.0:*         users:(("dnsmasq",pid=17279,fd=3))                                                                           
UNCONN     0          0                                  0.0.0.0%virbr0:67                   0.0.0.0:*         users:(("dnsmasq",pid=3103,fd=3))                                                                            
UNCONN     0          0                                         0.0.0.0:111                  0.0.0.0:*         users:(("rpcbind",pid=2718,fd=5),("systemd",pid=1,fd=64))                                                    
UNCONN     0          0                                       127.0.0.1:323                  0.0.0.0:*         users:(("chronyd",pid=2519,fd=5))                                                                            
UNCONN     0          0                                       127.0.0.1:778                  0.0.0.0:*         users:(("rpc.statd",pid=2719,fd=9))                                                                          
UNCONN     0          0                                         0.0.0.0:2049                 0.0.0.0:*                                                                                                                                                                                                 
UNCONN     0          0                                            [::]:20048                   [::]:*         users:(("rpc.mountd",pid=25325,fd=9))                                                                        
UNCONN     0          0                                            [::]:54435                   [::]:*                                                                                                                      
UNCONN     0          0                                            [::]:5353                    [::]:*         users:(("avahi-daemon",pid=2231,fd=12))                                                                      
UNCONN     0          0                                            [::]:55110                   [::]:*         users:(("rpcbind",pid=2718,fd=11))                                                                           
UNCONN     0          0                                            [::]:111                     [::]:*         users:(("rpcbind",pid=2718,fd=7),("systemd",pid=1,fd=77))                                                    
UNCONN     0          0                                           [::1]:323                     [::]:*         users:(("chronyd",pid=2519,fd=6))                                                                            
UNCONN     0          0               [fe80::344f:e2ec:e587:32ab]%wlan0:546                     [::]:*         users:(("NetworkManager",pid=2450,fd=26))                                                                    
UNCONN     0          0                                            [::]:34099                   [::]:*         users:(("avahi-daemon",pid=2231,fd=14))                                                                      
UNCONN     0          0                                            [::]:2049                    [::]:*                                                                                                                      
UNCONN     0          0                                            [::]:59983                   [::]:*

The libvirt xml that vagrant generated

<domain type="kvm">
  <name>Hack_default</name>
  <uuid>11111111-1111-1111-1111-111111111111</uuid>
  <description>Source: /home/user/Schreibtisch/Hack/Vagrantfile</description>
  <memory unit="KiB">524288</memory>
  <currentMemory unit="KiB">524288</currentMemory>
  <vcpu placement="static">1</vcpu>
  <os>
    <type arch="x86_64" machine="pc-i440fx-7.1">hvm</type>
    <boot dev="hd"/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <cpu mode="host-model" check="partial"/>
  <clock offset="utc"/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type="file" device="disk">
      <driver name="qemu" type="qcow2"/>
      <source file="/var/lib/libvirt/images/Hack_default.img"/>
      <target dev="vda" bus="virtio"/>
      <alias name="ua-box-volume-0"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x0"/>
    </disk>
    <controller type="usb" index="0" model="piix3-uhci">
      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x2"/>
    </controller>
    <controller type="pci" index="0" model="pci-root"/>
    <interface type="network">
      <mac address="52:54:00:a2:ed:ee"/>
      <source network="vagrant-libvirt"/>
      <model type="virtio"/>
      <alias name="ua-net-0"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x05" function="0x0"/>
    </interface>
    <serial type="pty">
      <target type="isa-serial" port="0">
        <model name="isa-serial"/>
      </target>
    </serial>
    <console type="pty">
      <target type="serial" port="0"/>
    </console>
    <input type="mouse" bus="ps2"/>
    <input type="keyboard" bus="ps2"/>
    <graphics type="vnc" port="-1" autoport="yes" listen="127.0.0.1" keymap="en-us">
      <listen type="address" address="127.0.0.1"/>
    </graphics>
    <audio id="1" type="none"/>
    <video>
      <model type="cirrus" vram="256" heads="1" primary="yes"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x0"/>
    </video>
    <memballoon model="virtio">
      <address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x0"/>
    </memballoon>
  </devices>
</domain>

The same with the network:

<network connections="1" ipv6="yes">
  <name>vagrant-libvirt</name>
  <uuid>11111111-1111-111111111111111111111</uuid>
  <forward mode="nat">
    <nat>
      <port start="1024" end="65535"/>
    </nat>
  </forward>
  <bridge name="virbr1" stp="on" delay="0"/>
  <mac address="52:54:00:76:fe:20"/>
  <ip address="192.168.121.1" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.121.1" end="192.168.121.254"/>
    </dhcp>
  </ip>
</network>

You said you stopped firewalld. Show output of

iptables -L -n -v
nft list ruleset

I also re enabled it after you say it was not firewall.
And may not be enough to disable firewall, I don’t know

Here iptables:

> sudo iptables -L -n -v
[sudo] Passwort für root: 
Chain INPUT (policy ACCEPT 5238K packets, 305M bytes)
 pkts bytes target     prot opt in     out     source               destination         
5241K  305M LIBVIRT_INP  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   64  4864 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   64  4864 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
   64  4864 LIBVIRT_FWX  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   64  4864 LIBVIRT_FWI  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   33  2508 LIBVIRT_FWO  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 5238K packets, 299M bytes)
 pkts bytes target     prot opt in     out     source               destination         
5240K  299M LIBVIRT_OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   64  4864 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   64  4864 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LIBVIRT_FWI (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    9   684 ACCEPT     all  --  *      virbr1  0.0.0.0/0            192.168.121.0/24     ctstate RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      virbr1  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
   22  1672 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   11   836 ACCEPT     all  --  virbr1 *       192.168.121.0/24     0.0.0.0/0           
    0     0 REJECT     all  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
   22  1672 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0           
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  virbr1 virbr1  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0           

Chain LIBVIRT_INP (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   134 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    2   656 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    2   146 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    2   712 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain LIBVIRT_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      virbr1  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      virbr1  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    2   656 ACCEPT     udp  --  *      virbr1  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     tcp  --  *      virbr1  0.0.0.0/0            0.0.0.0/0            tcp dpt:68
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    2   656 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:68

Here ntf

table inet firewalld {
        ct helper helper-tftp-udp {
                type "tftp" protocol udp
                l3proto inet
        }

        chain raw_PREROUTING {
                type filter hook prerouting priority raw + 10; policy accept;
                icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
                meta nfproto ipv6 fib saddr . iif oif missing drop
        }

        chain mangle_PREROUTING {
                type filter hook prerouting priority mangle + 10; policy accept;
                jump mangle_PREROUTING_POLICIES_pre
                jump mangle_PREROUTING_ZONES
                jump mangle_PREROUTING_POLICIES_post
        }

        chain mangle_PREROUTING_POLICIES_pre {
                jump mangle_PRE_policy_allow-host-ipv6
        }

        chain mangle_PREROUTING_ZONES {
                iifname "virbr1" goto mangle_PRE_libvirt
                iifname "virbr0" goto mangle_PRE_libvirt
                iifname "br0" goto mangle_PRE_public
                iifname "wlan0" goto mangle_PRE_public
                iifname "docker0" goto mangle_PRE_docker
                goto mangle_PRE_public
        }

        chain mangle_PREROUTING_POLICIES_post {
        }

        chain filter_INPUT {
                type filter hook input priority filter + 10; policy accept;
                ct state { established, related } accept
                ct status dnat accept
                iifname "lo" accept
                jump filter_INPUT_POLICIES_pre
                jump filter_INPUT_ZONES
                jump filter_INPUT_POLICIES_post
                ct state { invalid } drop
                reject with icmpx type admin-prohibited
        }

        chain filter_FORWARD {
                type filter hook forward priority filter + 10; policy accept;
                ct state { established, related } accept
                ct status dnat accept
                iifname "lo" accept
                ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
                jump filter_FORWARD_POLICIES_pre
                jump filter_FORWARD_IN_ZONES
                jump filter_FORWARD_OUT_ZONES
                jump filter_FORWARD_POLICIES_post
                ct state { invalid } drop
                reject with icmpx type admin-prohibited
        }

        chain filter_OUTPUT {
                type filter hook output priority filter + 10; policy accept;
                oifname "lo" accept
                ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
                jump filter_OUTPUT_POLICIES_pre
                jump filter_OUTPUT_POLICIES_post
        }

        chain filter_INPUT_POLICIES_pre {
                jump filter_IN_policy_allow-host-ipv6
        }

        chain filter_INPUT_ZONES {
                iifname "virbr1" goto filter_IN_libvirt
                iifname "virbr0" goto filter_IN_libvirt
                iifname "br0" goto filter_IN_public
                iifname "wlan0" goto filter_IN_public
                iifname "docker0" goto filter_IN_docker
                goto filter_IN_public
        }

        chain filter_INPUT_POLICIES_post {
        }

        chain filter_FORWARD_POLICIES_pre {
        }

        chain filter_FORWARD_IN_ZONES {
                iifname "virbr1" goto filter_FWDI_libvirt
                iifname "virbr0" goto filter_FWDI_libvirt
                iifname "br0" goto filter_FWDI_public
                iifname "wlan0" goto filter_FWDI_public
                iifname "docker0" goto filter_FWDI_docker
                goto filter_FWDI_public
        }

        chain filter_FORWARD_OUT_ZONES {
                oifname "virbr1" goto filter_FWDO_libvirt
                oifname "virbr0" goto filter_FWDO_libvirt
                oifname "br0" goto filter_FWDO_public
                oifname "wlan0" goto filter_FWDO_public
                oifname "docker0" goto filter_FWDO_docker
                goto filter_FWDO_public
        }

        chain filter_FORWARD_POLICIES_post {
        }

        chain filter_OUTPUT_POLICIES_pre {
        }

        chain filter_OUTPUT_POLICIES_post {
        }

        chain filter_IN_docker {
                jump filter_IN_docker_pre
                jump filter_IN_docker_log
                jump filter_IN_docker_deny
                jump filter_IN_docker_allow
                jump filter_IN_docker_post
                accept
        }

        chain filter_IN_docker_pre {
        }

        chain filter_IN_docker_log {
        }

        chain filter_IN_docker_deny {
        }

        chain filter_IN_docker_allow {
        }

        chain filter_IN_docker_post {
        }

        chain filter_FWDO_docker {
                jump filter_FWDO_docker_pre
                jump filter_FWDO_docker_log
                jump filter_FWDO_docker_deny
                jump filter_FWDO_docker_allow
                jump filter_FWDO_docker_post
                accept
        }

        chain filter_FWDO_docker_pre {
        }

        chain filter_FWDO_docker_log {
        }

        chain filter_FWDO_docker_deny {
        }

        chain filter_FWDO_docker_allow {
        }

        chain filter_FWDO_docker_post {
        }

        chain filter_FWDI_docker {
                jump filter_FWDI_docker_pre
                jump filter_FWDI_docker_log
                jump filter_FWDI_docker_deny
                jump filter_FWDI_docker_allow
                jump filter_FWDI_docker_post
                accept
        }

        chain filter_FWDI_docker_pre {
        }

        chain filter_FWDI_docker_log {
        }

        chain filter_FWDI_docker_deny {
        }

        chain filter_FWDI_docker_allow {
        }

        chain filter_FWDI_docker_post {
        }

        chain mangle_PRE_docker {
                jump mangle_PRE_docker_pre
                jump mangle_PRE_docker_log
                jump mangle_PRE_docker_deny
                jump mangle_PRE_docker_allow
                jump mangle_PRE_docker_post
        }

        chain mangle_PRE_docker_pre {
        }

        chain mangle_PRE_docker_log {
        }

        chain mangle_PRE_docker_deny {
        }

        chain mangle_PRE_docker_allow {
        }

        chain mangle_PRE_docker_post {
        }

        chain filter_IN_public {
                jump filter_IN_public_pre
                jump filter_IN_public_log
                jump filter_IN_public_deny
                jump filter_IN_public_allow
                jump filter_IN_public_post
                meta l4proto { icmp, ipv6-icmp } accept
        }

        chain filter_IN_public_pre {
        }

        chain filter_IN_public_log {
        }

        chain filter_IN_public_deny {
        }

        chain filter_IN_public_allow {
                ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
        }

        chain filter_IN_public_post {
        }

        chain filter_FWDO_public {
                jump filter_FWDO_public_pre
                jump filter_FWDO_public_log
                jump filter_FWDO_public_deny
                jump filter_FWDO_public_allow
                jump filter_FWDO_public_post
        }

        chain filter_FWDO_public_pre {
        }

        chain filter_FWDO_public_log {
        }

        chain filter_FWDO_public_deny {
        }

        chain filter_FWDO_public_allow {
        }

        chain filter_FWDO_public_post {
        }

        chain filter_FWDI_public {
                jump filter_FWDI_public_pre
                jump filter_FWDI_public_log
                jump filter_FWDI_public_deny
                jump filter_FWDI_public_allow
                jump filter_FWDI_public_post
                meta l4proto { icmp, ipv6-icmp } accept
        }

        chain filter_FWDI_public_pre {
        }

        chain filter_FWDI_public_log {
        }

        chain filter_FWDI_public_deny {
        }

        chain filter_FWDI_public_allow {
        }

        chain filter_FWDI_public_post {
        }

        chain mangle_PRE_public {
                jump mangle_PRE_public_pre
                jump mangle_PRE_public_log
                jump mangle_PRE_public_deny
                jump mangle_PRE_public_allow
                jump mangle_PRE_public_post
        }

        chain mangle_PRE_public_pre {
        }

        chain mangle_PRE_public_log {
        }

        chain mangle_PRE_public_deny {
        }

        chain mangle_PRE_public_allow {
        }

        chain mangle_PRE_public_post {
        }

        chain filter_IN_policy_allow-host-ipv6 {
                jump filter_IN_policy_allow-host-ipv6_pre
                jump filter_IN_policy_allow-host-ipv6_log
                jump filter_IN_policy_allow-host-ipv6_deny
                jump filter_IN_policy_allow-host-ipv6_allow
                jump filter_IN_policy_allow-host-ipv6_post
        }

        chain filter_IN_policy_allow-host-ipv6_pre {
        }

        chain filter_IN_policy_allow-host-ipv6_log {
        }

        chain filter_IN_policy_allow-host-ipv6_deny {
        }

        chain filter_IN_policy_allow-host-ipv6_allow {
                icmpv6 type nd-neighbor-advert accept
                icmpv6 type nd-neighbor-solicit accept
                icmpv6 type nd-router-advert accept
                icmpv6 type nd-redirect accept
        }

        chain filter_IN_policy_allow-host-ipv6_post {
        }

        chain mangle_PRE_policy_allow-host-ipv6 {
                jump mangle_PRE_policy_allow-host-ipv6_pre
                jump mangle_PRE_policy_allow-host-ipv6_log
                jump mangle_PRE_policy_allow-host-ipv6_deny
                jump mangle_PRE_policy_allow-host-ipv6_allow
                jump mangle_PRE_policy_allow-host-ipv6_post
        }

        chain mangle_PRE_policy_allow-host-ipv6_pre {
        }

        chain mangle_PRE_policy_allow-host-ipv6_log {
        }

        chain mangle_PRE_policy_allow-host-ipv6_deny {
        }

        chain mangle_PRE_policy_allow-host-ipv6_allow {
        }

        chain mangle_PRE_policy_allow-host-ipv6_post {
        }

        chain filter_IN_libvirt {
                jump filter_IN_libvirt_pre
                jump filter_IN_libvirt_log
                jump filter_IN_libvirt_deny
                jump filter_IN_libvirt_allow
                jump filter_IN_libvirt_post
                accept
        }

        chain filter_IN_libvirt_pre {
        }

        chain filter_IN_libvirt_log {
        }

        chain filter_IN_libvirt_deny {
        }

        chain filter_IN_libvirt_allow {
                udp dport 67 ct state { new, untracked } accept
                udp dport 547 ct state { new, untracked } accept
                tcp dport 53 ct state { new, untracked } accept
                udp dport 53 ct state { new, untracked } accept
                tcp dport 22 ct state { new, untracked } accept
                udp dport 69 ct helper set "helper-tftp-udp"
                udp dport 69 ct state { new, untracked } accept
                meta l4proto icmp ct state { new, untracked } accept
                meta l4proto ipv6-icmp ct state { new, untracked } accept
        }

        chain filter_IN_libvirt_post {
                reject
        }

        chain filter_FWDO_libvirt {
                jump filter_FWDO_libvirt_pre
                jump filter_FWDO_libvirt_log
                jump filter_FWDO_libvirt_deny
                jump filter_FWDO_libvirt_allow
                jump filter_FWDO_libvirt_post
                accept
        }

        chain filter_FWDO_libvirt_pre {
        }

        chain filter_FWDO_libvirt_log {
        }

        chain filter_FWDO_libvirt_deny {
        }

        chain filter_FWDO_libvirt_allow {
        }

        chain filter_FWDO_libvirt_post {
        }

        chain filter_FWDI_libvirt {
                jump filter_FWDI_libvirt_pre
                jump filter_FWDI_libvirt_log
                jump filter_FWDI_libvirt_deny
                jump filter_FWDI_libvirt_allow
                jump filter_FWDI_libvirt_post
                accept
        }

        chain filter_FWDI_libvirt_pre {
        }

        chain filter_FWDI_libvirt_log {
        }

        chain filter_FWDI_libvirt_deny {
        }

        chain filter_FWDI_libvirt_allow {
        }

        chain filter_FWDI_libvirt_post {
        }

        chain mangle_PRE_libvirt {
                jump mangle_PRE_libvirt_pre
                jump mangle_PRE_libvirt_log
                jump mangle_PRE_libvirt_deny
                jump mangle_PRE_libvirt_allow
                jump mangle_PRE_libvirt_post
        }

        chain mangle_PRE_libvirt_pre {
        }

        chain mangle_PRE_libvirt_log {
        }

        chain mangle_PRE_libvirt_deny {
        }

        chain mangle_PRE_libvirt_allow {
        }

        chain mangle_PRE_libvirt_post {
        }
}
table ip firewalld {
        chain nat_PREROUTING {
                type nat hook prerouting priority dstnat + 10; policy accept;
                jump nat_PREROUTING_POLICIES_pre
                jump nat_PREROUTING_ZONES
                jump nat_PREROUTING_POLICIES_post
        }

        chain nat_PREROUTING_POLICIES_pre {
                jump nat_PRE_policy_allow-host-ipv6
        }

        chain nat_PREROUTING_ZONES {
                iifname "virbr1" goto nat_PRE_libvirt
                iifname "virbr0" goto nat_PRE_libvirt
                iifname "br0" goto nat_PRE_public
                iifname "wlan0" goto nat_PRE_public
                iifname "docker0" goto nat_PRE_docker
                goto nat_PRE_public
        }

        chain nat_PREROUTING_POLICIES_post {
        }

        chain nat_POSTROUTING {
                type nat hook postrouting priority srcnat + 10; policy accept;
                jump nat_POSTROUTING_POLICIES_pre
                jump nat_POSTROUTING_ZONES
                jump nat_POSTROUTING_POLICIES_post
        }

        chain nat_POSTROUTING_POLICIES_pre {
        }

        chain nat_POSTROUTING_ZONES {
                oifname "virbr1" goto nat_POST_libvirt
                oifname "virbr0" goto nat_POST_libvirt
                oifname "br0" goto nat_POST_public
                oifname "wlan0" goto nat_POST_public
                oifname "docker0" goto nat_POST_docker
                goto nat_POST_public
        }

        chain nat_POSTROUTING_POLICIES_post {
        }

        chain nat_POST_docker {
                jump nat_POST_docker_pre
                jump nat_POST_docker_log
                jump nat_POST_docker_deny
                jump nat_POST_docker_allow
                jump nat_POST_docker_post
        }

        chain nat_POST_docker_pre {
        }

        chain nat_POST_docker_log {
        }

        chain nat_POST_docker_deny {
        }

        chain nat_POST_docker_allow {
        }

        chain nat_POST_docker_post {
        }

        chain nat_PRE_docker {
                jump nat_PRE_docker_pre
                jump nat_PRE_docker_log
                jump nat_PRE_docker_deny
                jump nat_PRE_docker_allow
                jump nat_PRE_docker_post
        }

        chain nat_PRE_docker_pre {
        }

        chain nat_PRE_docker_log {
        }

        chain nat_PRE_docker_deny {
        }

        chain nat_PRE_docker_allow {
        }

        chain nat_PRE_docker_post {
        }

        chain nat_POST_public {
                jump nat_POST_public_pre
                jump nat_POST_public_log
                jump nat_POST_public_deny
                jump nat_POST_public_allow
                jump nat_POST_public_post
        }

        chain nat_POST_public_pre {
        }

        chain nat_POST_public_log {
        }

        chain nat_POST_public_deny {
        }

        chain nat_POST_public_allow {
        }

        chain nat_POST_public_post {
        }

        chain nat_PRE_public {
                jump nat_PRE_public_pre
                jump nat_PRE_public_log
                jump nat_PRE_public_deny
                jump nat_PRE_public_allow
                jump nat_PRE_public_post
        }

        chain nat_PRE_public_pre {
        }

        chain nat_PRE_public_log {
        }

        chain nat_PRE_public_deny {
        }

        chain nat_PRE_public_allow {
        }

        chain nat_PRE_public_post {
        }

        chain nat_PRE_policy_allow-host-ipv6 {
                jump nat_PRE_policy_allow-host-ipv6_pre
                jump nat_PRE_policy_allow-host-ipv6_log
                jump nat_PRE_policy_allow-host-ipv6_deny
                jump nat_PRE_policy_allow-host-ipv6_allow
                jump nat_PRE_policy_allow-host-ipv6_post
        }

        chain nat_PRE_policy_allow-host-ipv6_pre {
        }

        chain nat_PRE_policy_allow-host-ipv6_log {
        }

        chain nat_PRE_policy_allow-host-ipv6_deny {
        }

        chain nat_PRE_policy_allow-host-ipv6_allow {
        }

        chain nat_PRE_policy_allow-host-ipv6_post {
        }

        chain nat_POST_libvirt {
                jump nat_POST_libvirt_pre
                jump nat_POST_libvirt_log
                jump nat_POST_libvirt_deny
                jump nat_POST_libvirt_allow
                jump nat_POST_libvirt_post
        }

        chain nat_POST_libvirt_pre {
        }

        chain nat_POST_libvirt_log {
        }

        chain nat_POST_libvirt_deny {
        }

        chain nat_POST_libvirt_allow {
        }

        chain nat_POST_libvirt_post {
        }

        chain nat_PRE_libvirt {
                jump nat_PRE_libvirt_pre
                jump nat_PRE_libvirt_log
                jump nat_PRE_libvirt_deny
                jump nat_PRE_libvirt_allow
                jump nat_PRE_libvirt_post
        }

        chain nat_PRE_libvirt_pre {
        }

        chain nat_PRE_libvirt_log {
        }

        chain nat_PRE_libvirt_deny {
        }

        chain nat_PRE_libvirt_allow {
        }

        chain nat_PRE_libvirt_post {
        }
}
table ip6 firewalld {
        chain nat_PREROUTING {
                type nat hook prerouting priority dstnat + 10; policy accept;
                jump nat_PREROUTING_POLICIES_pre
                jump nat_PREROUTING_ZONES
                jump nat_PREROUTING_POLICIES_post
        }

        chain nat_PREROUTING_POLICIES_pre {
                jump nat_PRE_policy_allow-host-ipv6
        }

        chain nat_PREROUTING_ZONES {
                iifname "virbr1" goto nat_PRE_libvirt
                iifname "virbr0" goto nat_PRE_libvirt
                iifname "br0" goto nat_PRE_public
                iifname "wlan0" goto nat_PRE_public
                iifname "docker0" goto nat_PRE_docker
                goto nat_PRE_public
        }

        chain nat_PREROUTING_POLICIES_post {
        }

        chain nat_POSTROUTING {
                type nat hook postrouting priority srcnat + 10; policy accept;
                jump nat_POSTROUTING_POLICIES_pre
                jump nat_POSTROUTING_ZONES
                jump nat_POSTROUTING_POLICIES_post
        }

        chain nat_POSTROUTING_POLICIES_pre {
        }

        chain nat_POSTROUTING_ZONES {
                oifname "virbr1" goto nat_POST_libvirt
                oifname "virbr0" goto nat_POST_libvirt
                oifname "br0" goto nat_POST_public
                oifname "wlan0" goto nat_POST_public
                oifname "docker0" goto nat_POST_docker
                goto nat_POST_public
        }

        chain nat_POSTROUTING_POLICIES_post {
        }

        chain nat_POST_docker {
                jump nat_POST_docker_pre
                jump nat_POST_docker_log
                jump nat_POST_docker_deny
                jump nat_POST_docker_allow
                jump nat_POST_docker_post
        }

        chain nat_POST_docker_pre {
        }

        chain nat_POST_docker_log {
        }

        chain nat_POST_docker_deny {
        }

        chain nat_POST_docker_allow {
        }

        chain nat_POST_docker_post {
        }

        chain nat_PRE_docker {
                jump nat_PRE_docker_pre
                jump nat_PRE_docker_log
                jump nat_PRE_docker_deny
                jump nat_PRE_docker_allow
                jump nat_PRE_docker_post
        }

        chain nat_PRE_docker_pre {
        }

        chain nat_PRE_docker_log {
        }

        chain nat_PRE_docker_deny {
        }

        chain nat_PRE_docker_allow {
        }

        chain nat_PRE_docker_post {
        }

        chain nat_POST_public {
                jump nat_POST_public_pre
                jump nat_POST_public_log
                jump nat_POST_public_deny
                jump nat_POST_public_allow
                jump nat_POST_public_post
        }

        chain nat_POST_public_pre {
        }

        chain nat_POST_public_log {
        }

        chain nat_POST_public_deny {
        }

        chain nat_POST_public_allow {
        }

        chain nat_POST_public_post {
        }

        chain nat_PRE_public {
                jump nat_PRE_public_pre
                jump nat_PRE_public_log
                jump nat_PRE_public_deny
                jump nat_PRE_public_allow
                jump nat_PRE_public_post
        }

        chain nat_PRE_public_pre {
        }

        chain nat_PRE_public_log {
        }

        chain nat_PRE_public_deny {
        }

        chain nat_PRE_public_allow {
        }

        chain nat_PRE_public_post {
        }

        chain nat_PRE_policy_allow-host-ipv6 {
                jump nat_PRE_policy_allow-host-ipv6_pre
                jump nat_PRE_policy_allow-host-ipv6_log
                jump nat_PRE_policy_allow-host-ipv6_deny
                jump nat_PRE_policy_allow-host-ipv6_allow
                jump nat_PRE_policy_allow-host-ipv6_post
        }

        chain nat_PRE_policy_allow-host-ipv6_pre {
        }

        chain nat_PRE_policy_allow-host-ipv6_log {
        }

        chain nat_PRE_policy_allow-host-ipv6_deny {
        }

        chain nat_PRE_policy_allow-host-ipv6_allow {
        }

        chain nat_PRE_policy_allow-host-ipv6_post {
        }

        chain nat_POST_libvirt {
                jump nat_POST_libvirt_pre
                jump nat_POST_libvirt_log
                jump nat_POST_libvirt_deny
                jump nat_POST_libvirt_allow
                jump nat_POST_libvirt_post
        }

        chain nat_POST_libvirt_pre {
        }

        chain nat_POST_libvirt_log {
        }

        chain nat_POST_libvirt_deny {
        }

        chain nat_POST_libvirt_allow {
        }

        chain nat_POST_libvirt_post {
        }

        chain nat_PRE_libvirt {
                jump nat_PRE_libvirt_pre
                jump nat_PRE_libvirt_log
                jump nat_PRE_libvirt_deny
                jump nat_PRE_libvirt_allow
                jump nat_PRE_libvirt_post
        }

        chain nat_PRE_libvirt_pre {
        }

        chain nat_PRE_libvirt_log {
        }

        chain nat_PRE_libvirt_deny {
        }

        chain nat_PRE_libvirt_allow {
        }

        chain nat_PRE_libvirt_post {
        }
}

It looks like it would reject traffic from VM to host (except DHCP, DNS and SSH):

        chain filter_IN_libvirt_post {
                reject
        }

Make sure firewalld is stopped

systemctl stop firewalld.service

Verify that no nftables rules exist

nft list ruleset

Try once more.

Same error after stopping again firewalld and running nft list ruleset which outputed nothing.

Please show output of

ip a

on host where your NFS server is running.