[PATCH] network: Don't enable ip_forward for VIR_NETWORK_FORWARD_OPEN

Michal Privoznik via Devel posted 1 patch 6 days, 5 hours ago
git fetch https://github.com/patchew-project/libvirt tags/patchew/b02f353b1e7eacbfaa16e7d2f35b25be8c0e2082.1773765389.git.mprivozn@redhat.com
Posted by Michal Privoznik via Devel 6 days, 5 hours ago
From: Michal Privoznik <mprivozn@redhat.com>

For a network that's <forward mode="open"/> there are no firewall
rules added. We should not assume that users will configure NAT,
and if they do it should be their responsibility to enable IP
forwarding too.

Resolves: https://gitlab.com/libvirt/libvirt/-/work_items/863
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/network/bridge_driver.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index d50d42c98c..ecfce5d9a4 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -2080,8 +2080,9 @@ networkStartNetworkVirtual(virNetworkDriverState *driver,
         }
     }
 
-    /* If forward.type != NONE, turn on global IP forwarding */
-    if (def->forward.type != VIR_NETWORK_FORWARD_NONE) {
+    /* If forward.type != NONE and != OPEN, turn on global IP forwarding */
+    if (def->forward.type != VIR_NETWORK_FORWARD_NONE &&
+        def->forward.type != VIR_NETWORK_FORWARD_OPEN) {
         if (v6present && !virNetDevIPCheckIPv6Forwarding())
             goto error; /* Precise error message already provided */
 
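Review bot: the widened condition skips more than the ip_forward toggle for mode="open" networks; the `if (v6present && !virNetDevIPCheckIPv6Forwarding())` guard visible at the top of the block is now bypassed too, so an open network carrying IPv6 addresses starts without that check. If that is intended, state it in the commit message; otherwise keep the IPv6 forwarding check ahead of the new `VIR_NETWORK_FORWARD_OPEN` exclusion so only the sysctl change is left to the sysadmin. Existing mode="open" networks that relied on libvirt turning on forwarding will stop passing traffic after this change, which is a user-visible behaviour change worth a release-notes entry alongside the updated comment.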
-- 
2.52.0
Re: [PATCH] network: Don't enable ip_forward for VIR_NETWORK_FORWARD_OPEN
Posted by Laine Stump via Devel 5 days, 23 hours ago
On 3/17/26 12:36 PM, Michal Privoznik via Devel wrote:
> From: Michal Privoznik <mprivozn@redhat.com>
> 
> For a network that's <forward mode="open"/> there are no firewall
> rules added. We should not assume that users will configure NAT,
> and if they do it should be their responsibility to enable IP
> forwarding too.
> 
> Resolves: https://gitlab.com/libvirt/libvirt/-/work_items/863
> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
> ---
>   src/network/bridge_driver.c | 5 +++--
>   1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
> index d50d42c98c..ecfce5d9a4 100644
> --- a/src/network/bridge_driver.c
> +++ b/src/network/bridge_driver.c
> @@ -2080,8 +2080,9 @@ networkStartNetworkVirtual(virNetworkDriverState *driver,
>           }
>       }
>   
> -    /* If forward.type != NONE, turn on global IP forwarding */
> -    if (def->forward.type != VIR_NETWORK_FORWARD_NONE) {
> +    /* If forward.type != NONE and != OPEN, turn on global IP forwarding */
> +    if (def->forward.type != VIR_NETWORK_FORWARD_NONE &&
> +        def->forward.type != VIR_NETWORK_FORWARD_OPEN) {
>           if (v6present && !virNetDevIPCheckIPv6Forwarding())
>               goto error; /* Precise error message already provided */
>   

Since the entire point of forward='open' was to make it possible to say 
"don't set up anything about networking aside from creating the bridge 
itself, leave all that other stuff up to the sysadmin", this makes 
perfect sense (and if you're wanting to be a purist about it, you could 
say that it "Fixes: 25e8112d7c32ab271b9cae28f3ccbf5835206693" - the 
commit 9 1/2 years ago when I added forward mode='open' :-P)

Reviewed-by: Laine Stump <laine@redhat.com>