Bug 240924

Summary: iptables forward rules for kvm networking not saved
Product: [Fedora] Fedora
Component: libvirt
Reporter: Jeremy West <jwest>
Assignee: Daniel Veillard <veillard>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: rawhide
CC: madko, triage, xen-maint
Hardware: All
OS: Linux
Whiteboard: bzcl34nup
Doc Type: Bug Fix
Last Closed: 2008-04-04 01:05:23 UTC

Description Jeremy West 2007-05-22 21:30:05 UTC
Description of problem:

During my initial startup of virt-manager with KVM, I was pleased to see that
once ip_forward has been enabled, networking works great (NAT).  I'm assuming
that something in libvirt adds the iptables forward rules?  The problem is that
they aren't saved to /etc/sysconfig/iptables, and so if the user shuts down
iptables and then tries to reach the outside world from one of the guest
OS's nothing works.  Restarting iptables doesn't work, however if you reboot the
machine and restart virt-manager and restart your guest, then it works.  There
should be some intuition behind the scenes to get these rules saved so that the
casual user doesn't have to continue rebooting their machine.

Adding documentation isn't the best answer either.  IMHO it doesn't make Linux
any more useable ... just more frustrating.

Additional info:

Comment 1 Bug Zapper 2008-04-04 00:50:29 UTC
Based on the date this bug was created, it appears to have been reported
against rawhide during the development of a Fedora release that is no
longer maintained. In order to refocus our efforts as a project we are
flagging all of the open bugs for releases which are no longer
maintained. If this bug remains in NEEDINFO thirty (30) days from now,
we will automatically close it.

If you can reproduce this bug in a maintained Fedora version (7, 8, or
rawhide), please change this bug to the respective version and change
the status to ASSIGNED. (If you're unable to change the bug's version
or status, add a comment to the bug and someone will change it for you.)

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

Comment 2 Daniel Berrangé 2008-04-04 01:05:23 UTC
Sending SIGHUP to libvirtd re-creates the rules. Alternatively do 'service
libvirtd reload'. Finally, libvirt also now registers the rules with lokkit, so
they are persisted when the iptables service is stopped/started.
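
The check below is an added example, not part of the bug thread or of libvirt: it inspects `iptables-save` output for the guest-network forward and masquerade rules and, only when run with `--apply`, reloads libvirtd as comment 2 describes. The bridge name `virbr0`, the `--apply` switch and the sample rule sets are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: detect that libvirt's NAT/forward rules have disappeared
# (e.g. after the iptables service was restarted) and ask libvirtd to re-create them.
# BRIDGE is an assumption (libvirt's default network bridge); the page does not name it.
BRIDGE="${BRIDGE:-virbr0}"

# Reads iptables-save output on stdin. Returns 0 only if the filter table has a
# FORWARD rule on the bridge AND the nat table has a MASQUERADE rule in POSTROUTING.
libvirt_rules_present() {
    awk -v br="$1" '
        /^\*/ { table = substr($0, 2) }            # "*filter", "*nat" start a table
        table == "filter" && $1 == "-A" && $2 == "FORWARD" {
            for (i = 3; i < NF; i++)
                if (($i == "-i" || $i == "-o") && $(i + 1) == br) fwd = 1
        }
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" && /-j MASQUERADE/ { nat = 1 }
        END { exit !(fwd && nat) }
    '
}

# Constructed sample: rule set with the guest-network rules in place.
SAMPLE_OK='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
COMMIT'

# Constructed sample: what remains after the rules were flushed.
SAMPLE_FLUSHED='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'

# Live check (needs root). Only runs when invoked with --apply.
if [ "${1:-}" = "--apply" ]; then
    if ! iptables-save | libvirt_rules_present "$BRIDGE"; then
        echo "libvirt rules for $BRIDGE missing; reloading libvirtd" >&2
        service libvirtd reload   # per comment 2; SIGHUP to libvirtd is equivalent
    fi
fi
```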