From: Michal Privoznik <mprivozn@redhat.com> For a network that's <forward mode="open"/> there are no firewall rules added. We should not assume that users will configure NAT, and if they do it should be their responsibility to enable IP forwarding too. Resolves: https://gitlab.com/libvirt/libvirt/-/work_items/863 Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/network/bridge_driver.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index d50d42c98c..ecfce5d9a4 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -2080,8 +2080,9 @@ networkStartNetworkVirtual(virNetworkDriverState *driver, } } - /* If forward.type != NONE, turn on global IP forwarding */ - if (def->forward.type != VIR_NETWORK_FORWARD_NONE) { + /* If forward.type != NONE and != OPEN, turn on global IP forwarding */ + if (def->forward.type != VIR_NETWORK_FORWARD_NONE && + def->forward.type != VIR_NETWORK_FORWARD_OPEN) { if (v6present && !virNetDevIPCheckIPv6Forwarding()) goto error; /* Precise error message already provided */ -- 2.52.0