Hi Shengjing Zhu (et al.),

I've just (finally) attempted to reproduce this on my Buster host, but could not on this attempt. Libvirtd did not change my ip_forward setting from 0 to 1 in the test, but I had to do so manually to re-enable VM networking outside of the host (I don't think I did this manually in the first instance). Docker did not change the FORWARD chain policy since ip_forward was set to 1. My libvirtd VMs are using the default bridged network.

I'll keep trying to reproduce this but for now let's assume that it doesn't happen.