diff -Nru libvirt-0.4.0/debian/changelog libvirt-0.4.0/debian/changelog
--- libvirt-0.4.0/debian/changelog 2009-03-09 23:29:41.000000000 -0700
+++ libvirt-0.4.0/debian/changelog 2009-03-09 23:29:42.000000000 -0700
@@ -1,3 +1,13 @@
+libvirt (0.4.0-2ubuntu8.2) hardy-proposed; urgency=low
+
+ * masquerade-only-outbound-traffic.patch:
+ - Ensure masquerading rule only catches traffic leaving the virtual
+ network, and not traffic inside it. (Backported from commit
+ d175caad25a4e80800d5e7e7d8c9d920a88b78e1 of
+ git://git.et.redhat.com/libvirt.git.)
+
+ -- J. Bruce Fields Sun, 05 Oct 2008 15:13:50 -0400
+
 libvirt (0.4.0-2ubuntu8.1) hardy-security; urgency=low

 * SECURITY UPDATE: fix privilege escalation due to missing read only
diff -Nru libvirt-0.4.0/debian/patches/masquerade-only-outbound-traffic.patch libvirt-0.4.0/debian/patches/masquerade-only-outbound-traffic.patch
--- libvirt-0.4.0/debian/patches/masquerade-only-outbound-traffic.patch 1969-12-31 16:00:00.000000000 -0800
+++ libvirt-0.4.0/debian/patches/masquerade-only-outbound-traffic.patch 2009-03-09 23:29:42.000000000 -0700
@@ -0,0 +1,23 @@
+diff --git a/src/iptables.c b/src/iptables.c
+index 272ecb4..6390e49 100644
+--- a/src/iptables.c
++++ b/src/iptables.c
+@@ -1032,6 +1032,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
+ return iptablesAddRemoveRule(ctx->nat_postrouting,
+ action,
+ "--source", network,
++ "--destination", "!", network,
+ "--out-interface", physdev,
+ "--jump", "MASQUERADE",
+ NULL);
+@@ -1039,6 +1040,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
+ return iptablesAddRemoveRule(ctx->nat_postrouting,
+ action,
+ "--source", network,
++ "--destination", "!", network,
+ "--jump", "MASQUERADE",
+ NULL);
+ }
+--
+1.5.5.rc1
+
diff -Nru libvirt-0.4.0/debian/patches/series libvirt-0.4.0/debian/patches/series
--- libvirt-0.4.0/debian/patches/series 2009-03-09 23:29:41.000000000 -0700
+++ libvirt-0.4.0/debian/patches/series 2009-03-09 23:29:42.000000000 -0700
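Review bot: In the added masquerade-only-outbound-traffic.patch, both `iptablesAddRemoveRule` calls in `iptablesForwardMasquerade` gain `"--destination", "!", network,` with no comment saying why, and the reason matters for security: per the changelog the old rule also caught traffic inside the virtual network, which would leave guests, their logs and any source-based filters seeing a rewritten source address instead of the real peer. I would put one comment above the first call, e.g. `/* NAT only traffic leaving 'network'; intra-network packets keep their real source address */`. The negation uses the older `--option ! value` placement, which later iptables releases deprecate in favour of `! --option value`; that looks right for this backport, but deserves a word in the same comment for whoever forward-ports it. Because `action` selects add or remove with the same argument list, a rule installed by the previous package presumably will not match the new spec on removal, so it is worth confirming that active networks are restarted on upgrade. The function starts and ends outside both inner hunks.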
@@ -9,4 +9,5 @@
 nic-model.patch -p0
 disk-bus.patch
 graceful_shutdown.patch -p0
+masquerade-only-outbound-traffic.patch
 CVE-2008-5086.patch