diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
index 8c77c50a8c..7220659ed5 100644
--- a/src/conf/network_conf.c
+++ b/src/conf/network_conf.c
@@ -1594,6 +1594,15 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt)
                                def->name);
                 goto error;
             }
+            if (def->bridge && (def->nForwardIfs || nForwardPfs)) {
+                virReportError(VIR_ERR_XML_ERROR,
+                               _("A network with forward mode='%s' can specify "
+                                 "a  bridge name or a forward dev, but not "
+                                 "both (network '%s')"),
+                               virNetworkForwardTypeToString(def->forwardType),
+                               def->name);
+                goto error;
+            }
             break;
         }
     }
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 946bb20dcd..bc01fe5bac 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -857,6 +857,7 @@ virNetworkDefParseString;
 virNetworkDeleteConfig;
 virNetworkFindByName;
 virNetworkFindByUUID;
+virNetworkForwardTypeToString;
 virNetworkIpDefNetmask;
 virNetworkIpDefPrefix;
 virNetworkList;
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index e8ea77f387..00cffee479 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -2751,6 +2751,35 @@ networkValidate(struct network_driver *driver,
             return -1;
 
         virNetworkSetBridgeMacAddr(def);
+    } else {
+        /* They are also the only types that currently support setting
+         * an IP address for the host-side device (bridge)
+         */
+        if (virNetworkDefGetIpByIndex(def, AF_UNSPEC, 0)) {
+            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                           _("Unsupported <ip> element in network %s "
+                             "with forward mode='%s'"),
+                           def->name,
+                           virNetworkForwardTypeToString(def->forwardType));
+            return -1;
+        }
+        if (def->dns &&
+            (def->dns->ntxtrecords || def->dns->nhosts || def->dns->nsrvrecords)) {
+            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                           _("Unsupported <dns> element in network %s "
+                             "with forward mode='%s'"),
+                           def->name,
+                           virNetworkForwardTypeToString(def->forwardType));
+            return -1;
+        }
+        if (def->domain) {
+            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                           _("Unsupported <domain> element in network %s "
+                             "with forward mode='%s'"),
+                           def->name,
+                           virNetworkForwardTypeToString(def->forwardType));
+            return -1;
+        }
     }
 
     /* We only support dhcp on one IPv4 address per defined network */