On 3/17/26 12:36 PM, Michal Privoznik via Devel wrote:
From: Michal Privoznik <mprivozn@redhat.com>
For a network that's <forward mode="open"/> there are no firewall rules added. We should not assume that users will configure NAT, and if they do it should be their responsibility to enable IP forwarding too.
Resolves: https://gitlab.com/libvirt/libvirt/-/work_items/863
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/network/bridge_driver.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index d50d42c98c..ecfce5d9a4 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -2080,8 +2080,9 @@ networkStartNetworkVirtual(virNetworkDriverState *driver, } }
- /* If forward.type != NONE, turn on global IP forwarding */ - if (def->forward.type != VIR_NETWORK_FORWARD_NONE) { + /* If forward.type != NONE and != OPEN, turn on global IP forwarding */ + if (def->forward.type != VIR_NETWORK_FORWARD_NONE && + def->forward.type != VIR_NETWORK_FORWARD_OPEN) { if (v6present && !virNetDevIPCheckIPv6Forwarding()) goto error; /* Precise error message already provided */
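Review bot: the widened condition in networkStartNetworkVirtual() is a user-visible behaviour change that the patch does not document. An existing <forward mode="open"/> network that has been routing only because libvirt turned on global IP forwarding at network start will no longer have it enabled by libvirt. Please add a note to the network XML documentation for mode "open" and to the release notes saying that the administrator must now enable IP forwarding themselves. Also, the `v6present && !virNetDevIPCheckIPv6Forwarding()` check sits inside the same branch, so it is now skipped for open networks as well; if that is intended, say so in the commit message, since the updated comment only mentions turning forwarding on.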
Since the entire point of forward='open' was to make it possible to say "don't set up anything about networking aside from creating the bridge itself, leave all that other stuff up to the sysadmin", this makes perfect sense (and if you're wanting to be a purist about it, you could say that it "Fixes: 25e8112d7c32ab271b9cae28f3ccbf5835206693" - the commit 9 1/2 years ago when I added forward mode='open' :-P)

Reviewed-by: Laine Stump <laine@redhat.com>