From nobody Mon Mar 23 23:24:28 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=reject dis=none)  header.from=lists.libvirt.org
ARC-Seal: i=1; a=rsa-sha256; t=1773765432; cv=none;
	d=zohomail.com; s=zohoarc;
	b=jtXp/92D7zqJ1gT/NIs85GAUKMf1RcNR1EHFRmgD/aixFSJkOtCk6+r4efkaXliEr3NtfzzPHBsdgWKOWk5sFntZNIeb+v0jsFpDuXi3p4j2w+1G9vl0yP0r5xXz12I166H54TSWPgDTe/poxBSrcGzFkh7CTywSy8LyODGtFqY=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1773765432;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:Subject:Subject:To:To:Message-Id:Cc;
	bh=5GN8Nc/Nh58OFHXuLZ23xRj/svDA9LjN2TDvLCgRY3c=;
	b=YLFSW95zIEntX9pPbMvk06NuHOqqv59CAb+lY2CgwegFu9I4XTmdQq1gbDZhhMSQnVby3Y/lFtKZbPSTjhkpacFlmkBCKezyzMzw8Pcqc5gWdOboj+RaCqXqKyEklR+ACbU9lS7Gp6ogXWeuKDqoGL4rajPWhmdXxy20GDe92vA=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<devel@lists.libvirt.org> (p=reject dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 177376543270286.60890284694096;
 Tue, 17 Mar 2026 09:37:12 -0700 (PDT)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 1FA9A418B1; Tue, 17 Mar 2026 12:37:13 -0400 (EDT)
Received: from [172.19.199.12] (lists.libvirt.org [8.43.85.245])
	by lists.libvirt.org (Postfix) with ESMTP id BB91E418AE;
	Tue, 17 Mar 2026 12:36:40 -0400 (EDT)
Received: by lists.libvirt.org (Postfix, from userid 993)
	id 5529D3F356; Tue, 17 Mar 2026 12:36:36 -0400 (EDT)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest
 SHA256)
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id D2A9D417E1
	for <devel@lists.libvirt.org>; Tue, 17 Mar 2026 12:36:35 -0400 (EDT)
Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-219-strPtjIROxW8tDy0NDCmPw-1; Tue,
 17 Mar 2026 12:36:33 -0400
Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 2456C18002D0
	for <devel@lists.libvirt.org>; Tue, 17 Mar 2026 16:36:33 +0000 (UTC)
Received: from moe (unknown [10.43.3.236])
	by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP
 id 7761930002C3
	for <devel@lists.libvirt.org>; Tue, 17 Mar 2026 16:36:32 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HELO_MISC_IP,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,
	RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable
	autolearn_force=no version=4.0.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1773765395;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=5GN8Nc/Nh58OFHXuLZ23xRj/svDA9LjN2TDvLCgRY3c=;
	b=eq/MtQMk8iStnUXjOsqsLQ0zwoHxSdzmSPKJaQsXblAD1xqtyR9RmKaKaIEiQJhkzj9uw9
	cLfjbwME3JUHcPQLrROCQRcqt4oDj/o5FRKxhWcP5yn/HKt/EtfhdUQw0A9ZhP6tblj+sn
	rLoU7pU8yhOc75+YV+IVRejh9Y+mdM8=
X-MC-Unique: strPtjIROxW8tDy0NDCmPw-1
X-Mimecast-MFC-AGG-ID: strPtjIROxW8tDy0NDCmPw_1773765393
To: devel@lists.libvirt.org
Subject: [PATCH] network: Don't enable ip_forward for VIR_NETWORK_FORWARD_OPEN
Date: Tue, 17 Mar 2026 17:36:29 +0100
Message-ID: 
 <b02f353b1e7eacbfaa16e7d2f35b25be8c0e2082.1773765389.git.mprivozn@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: yaix8-KNsUJ_E7Oowo3k6wfKX4UfgjVBVtKFUBNDQy4_1773765393
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: WPT3TAEPSIHIKUQWJDM4VPCIQEDQWWD5
X-Message-ID-Hash: WPT3TAEPSIHIKUQWJDM4VPCIQEDQWWD5
X-MailFrom: mprivozn@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-devel.lists.libvirt.org-0; emergency;
 member-moderation; nonmember-moderation; administrivia; implicit-dest;
 max-recipients; max-size; news-moderation; no-subject; digests;
 suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/WPT3TAEPSIHIKUQWJDM4VPCIQEDQWWD5/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Owner: <mailto:devel-owner@lists.libvirt.org>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
From: Michal Privoznik via Devel <devel@lists.libvirt.org>
Reply-To: Michal Privoznik <mprivozn@redhat.com>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1773765455555158500
Content-Type: text/plain; charset="utf-8"; x-default="true"

From: Michal Privoznik <mprivozn@redhat.com>

For a network that's <forward mode=3D"open"/> there are no firewall
rules added. We should not assume that users will configure NAT,
and if they do it should be their responsibility to enable IP
forwarding too.

Resolves: https://gitlab.com/libvirt/libvirt/-/work_items/863
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com>
---
 src/network/bridge_driver.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index d50d42c98c..ecfce5d9a4 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -2080,8 +2080,9 @@ networkStartNetworkVirtual(virNetworkDriverState *dri=
ver,
         }
     }
=20
-    /* If forward.type !=3D NONE, turn on global IP forwarding */
-    if (def->forward.type !=3D VIR_NETWORK_FORWARD_NONE) {
+    /* If forward.type !=3D NONE and !=3D OPEN, turn on global IP forwardi=
ng */
+    if (def->forward.type !=3D VIR_NETWORK_FORWARD_NONE &&
+        def->forward.type !=3D VIR_NETWORK_FORWARD_OPEN) {
         if (v6present && !virNetDevIPCheckIPv6Forwarding())
             goto error; /* Precise error message already provided */
=20
--=20
2.52.0