From: Daniel P. Berrangé
To: libvir-list@redhat.com
Cc: Laine Stump
Subject: [libvirt PATCH v2 2/3] conf: add an attribute to turn on NAT for IPv6 virtual networks
Date: Tue, 9 Jun 2020 17:17:35 +0100
Message-Id: <20200609161736.4126010-3-berrange@redhat.com>
In-Reply-To: <20200609161736.4126010-1-berrange@redhat.com>
References: <20200609161736.4126010-1-berrange@redhat.com>

Historically IPv6 did not support NAT, so when IPv6 was added to libvirt's virtual networks, when requesting libvirt will NOT apply NAT to IPv6 traffic, only IPv4 traffic. This is an annoying historical design decision as it means we cannot enable IPv6 automatically. We thus need to introduce a new attribute The new attribute is a tri-state, so it leaves open the possibility of us intentionally changing the default behaviour in future to honour NAT for IPv6.
Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Laine Stump --- docs/formatnetwork.html.in | 14 +++++++++ docs/schemas/network.rng | 5 ++++ src/conf/network_conf.c | 30 +++++++++++++++++-- src/conf/network_conf.h | 2 ++ .../nat-network-forward-nat-ipv6.xml | 10 +++++++ .../nat-network-forward-nat-ipv6.xml | 10 +++++++ tests/networkxml2xmltest.c | 1 + 7 files changed, 69 insertions(+), 3 deletions(-) create mode 100644 tests/networkxml2xmlin/nat-network-forward-nat-ipv6.xml create mode 100644 tests/networkxml2xmlout/nat-network-forward-nat-ipv6.xml diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in index 0383e2d891..fb740111b1 100644 --- a/docs/formatnetwork.html.in +++ b/docs/formatnetwork.html.in @@ -276,6 +276,20 @@ </nat> </forward> ... + +

+ Since 6.5.0 it is possible to + enable NAT with IPv6 networking. As noted above, IPv6 + has historically done plain forwarding and thus to avoid + breaking historical compatibility, IPv6 NAT must be + explicitly requested. +

+
+...
+  <forward mode=3D'nat'>
+    <nat ipv6=3D'yes'/>
+  </forward>
+...
=20
route
diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng index 88b6f4dfdd..3a5eb3ced4 100644 --- a/docs/schemas/network.rng +++ b/docs/schemas/network.rng @@ -181,6 +181,11 @@ + + + + + diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c index f1d22b25b1..1b89e2985d 100644 --- a/src/conf/network_conf.c +++ b/src/conf/network_conf.c @@ -1358,6 +1358,7 @@ virNetworkForwardNatDefParseXML(const char *networkNa= me, int nNatAddrs, nNatPorts; char *addrStart =3D NULL; char *addrEnd =3D NULL; + char *ipv6 =3D NULL; VIR_XPATH_NODE_AUTORESTORE(ctxt); =20 ctxt->node =3D node; @@ -1369,6 +1370,20 @@ virNetworkForwardNatDefParseXML(const char *networkN= ame, goto cleanup; } =20 + ipv6 =3D virXMLPropString(node, "ipv6"); + if (ipv6) { + int natIPv6; + if ((natIPv6 =3D virTristateBoolTypeFromString(ipv6)) <=3D 0) { + virReportError(VIR_ERR_XML_ERROR, + _("Invalid ipv6 setting '%s' " + "in network '%s' NAT"), + ipv6, networkName); + goto cleanup; + } + def->natIPv6 =3D natIPv6; + VIR_FREE(ipv6); + } + /* addresses for SNAT */ nNatAddrs =3D virXPathNodeSet("./address", ctxt, &natAddrNodes); if (nNatAddrs < 0) { @@ -2516,10 +2531,18 @@ virNetworkForwardNatDefFormat(virBufferPtr buf, goto cleanup; } =20 - if (!addrEnd && !addrStart && !fwd->port.start && !fwd->port.end) + if (!addrEnd && !addrStart && !fwd->port.start && !fwd->port.end && !f= wd->natIPv6) return 0; =20 - virBufferAddLit(buf, "\n"); + virBufferAddLit(buf, "natIPv6) + virBufferAsprintf(buf, " ipv6=3D'%s'", virTristateBoolTypeToString= (fwd->natIPv6)); + + if (!addrEnd && !addrStart && !fwd->port.start && !fwd->port.end) { + virBufferAddLit(buf, "/>\n"); + return 0; + } + virBufferAddLit(buf, ">\n"); virBufferAdjustIndent(buf, 2); =20 if (addrStart) { 
@@ -2627,7 +2650,8 @@ virNetworkDefFormatBuf(virBufferPtr buf, || def->forward.port.start || def->forward.port.end || (def->forward.driverName - !=3D VIR_NETWORK_FORWARD_DRIVER_NAME_DEFAULT)= ); + !=3D VIR_NETWORK_FORWARD_DRIVER_NAME_DEFAULT) + || def->forward.natIPv6); virBufferAsprintf(buf, "%s>\n", shortforward ? "/" : ""); virBufferAdjustIndent(buf, 2); =20 diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h index f2dc388ef0..e3a61c62ea 100644 --- a/src/conf/network_conf.h +++ b/src/conf/network_conf.h @@ -244,6 +244,8 @@ struct _virNetworkForwardDef { /* ranges for NAT */ virSocketAddrRange addr; virPortRange port; + + virTristateBool natIPv6; }; =20 typedef struct _virPortGroupDef virPortGroupDef; diff --git a/tests/networkxml2xmlin/nat-network-forward-nat-ipv6.xml b/test= s/networkxml2xmlin/nat-network-forward-nat-ipv6.xml new file mode 100644 index 0000000000..c360941e1e --- /dev/null +++ b/tests/networkxml2xmlin/nat-network-forward-nat-ipv6.xml @@ -0,0 +1,10 @@ + + default + 81ff0d90-c91e-6742-64da-4a736edb9a9b + + + + + + + diff --git a/tests/networkxml2xmlout/nat-network-forward-nat-ipv6.xml b/tes= ts/networkxml2xmlout/nat-network-forward-nat-ipv6.xml new file mode 100644 index 0000000000..cfec391ee2 --- /dev/null +++ b/tests/networkxml2xmlout/nat-network-forward-nat-ipv6.xml @@ -0,0 +1,10 @@ + + default + 81ff0d90-c91e-6742-64da-4a736edb9a9b + + + + + + + diff --git a/tests/networkxml2xmltest.c b/tests/networkxml2xmltest.c index 700744785a..17817418b7 100644 --- a/tests/networkxml2xmltest.c +++ b/tests/networkxml2xmltest.c @@ -140,6 +140,7 @@ mymain(void) DO_TEST("nat-network-dns-forward-plain"); DO_TEST("nat-network-dns-forwarders"); DO_TEST("nat-network-dns-forwarder-no-resolv"); + DO_TEST("nat-network-forward-nat-ipv6"); DO_TEST("nat-network-forward-nat-address"); DO_TEST("nat-network-forward-nat-no-address"); DO_TEST("nat-network-mtu"); --=20 2.26.2
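
Review bot: the new paragraph in docs/formatnetwork.html.in documents only ipv6='yes', while the commit message describes the attribute as a tri-state. Please state in that paragraph which values are accepted and what an absent attribute means (IPv6 is forwarded without NAT, as before), so an administrator can tell from the documentation alone whether guest IPv6 traffic leaves the host translated or with the guests' own addresses.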
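
Review bot: in the @@ -1369 hunk of virNetworkForwardNatDefParseXML, the invalid-value branch does `goto cleanup` before `VIR_FREE(ipv6)` is reached, so the string returned by virXMLPropString() is released only on the success path. Unless the cleanup label, which is not visible in this hunk, frees it, the error path leaks. Declaring it as `g_autofree char *ipv6 = NULL;` and dropping the explicit VIR_FREE would cover both paths.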
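
Review bot: in the @@ -2516 hunk of virNetworkForwardNatDefFormat, the test `!addrEnd && !addrStart && !fwd->port.start && !fwd->port.end` now appears twice, once extended with `!fwd->natIPv6` for the early return and once to choose between the self-closing and the open form of the element. Computing it once into a local bool would stop the two checks drifting apart when another NAT sub-element is added, and would shorten the first `if` line, which is now well past the usual line length.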
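
Review bot: tests/networkxml2xmltest.c gains a single round-trip case, `DO_TEST("nat-network-forward-nat-ipv6");`, so the new "Invalid ipv6 setting" branch in the parser is not exercised by anything in this patch. A second input file with an unrecognised ipv6 value, registered as a case that expects a parse error, would cover that branch and pin down the error behaviour.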