Bug 546064

Summary: system-config-firewall destroys libvirt's iptables rules
Product: Fedora
Reporter: Jeff Bastian <jbastian>
Component: libvirt
Assignee: Daniel Veillard <veillard>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: medium
Version: 12
CC: apevec, berrange, clalance, crobinso, itamar, jforbes, markmc, twoerner, veillard, virt-maint
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-12-10 12:02:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jeff Bastian 2009-12-09 22:09:17 UTC
Description of problem:
libvirt creates some FORWARD rules to allow virtual machines to access the network using a virtual (NAT) network.  If you run system-config-firewall to make a change to your firewall settings, it removes the FORWARD rules needed by libvirt.

On a fresh boot, I see:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    virbr0  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 any     192.168.122.0/24     anywhere
    0     0 ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere
    0     0 REJECT     all  --  any    virbr0  anywhere             anywhere            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 any     anywhere             anywhere            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-bridged
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited


After running s-c-firewall, it's reduced to just:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-bridged
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited


And, of course, networking is now broken in the virtual machines.

It also permanently removes the rules from /etc/sysconfig/iptables


Version-Release number of selected component (if applicable):
system-config-firewall-1.2.21-1.fc12.noarch

How reproducible:
every time

Steps to Reproduce:
1. remove /etc/sysconfig/iptables to start from scratch
2. reboot
3. iptables -L                 (note FORWARD rules)
4. system-config-firewall      (enable WWW or something)
5. iptables -L                 (note FORWARD rules)
Actual results:
the FORWARD rules created by libvirt are gone

Expected results:
the FORWARD rules are preserved

Additional info:

Comment 1 Jeff Bastian 2009-12-09 23:33:45 UTC
This might be a duplicate of bug 539744

Comment 2 Thomas Woerner 2009-12-10 11:14:07 UTC
This is a bug in libvirt. 

libvirt was adding custom rules files to the firewall configuration to have the same setup if the firewall has been restarted. At the moment the files are not integrated into the firewall anymore and additionally they are empty.

Reassigning to libvirt.

Comment 3 Mark McLoughlin 2009-12-10 12:02:59 UTC
libvirt has no sane way of integrating with iptables

We previously tried using lokkit, but if the user had configured iptables manually (i.e. without lokkit) we'd end up clobbering their rules

We simply need a way to say to iptables "we've added these rules, please load them when you restart" without overwriting the current configuration. We also need lokkit/system-config-firewall to not overwrite these rules when the user modifies the configuration

The whole sorry saga is well documented in bug #227011

*** This bug has been marked as a duplicate of bug 227011 ***

Comment 4 Alan Pevec 2009-12-10 18:16:25 UTC
In the meantime, the workaround is to issue service libvirtd reload after running s-c-firewall to re-insert the iptables rules.
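As an added example (not from the bug report or from libvirt/system-config-firewall), here is a small POSIX sh check that tells you whether the three ACCEPT rules libvirt installs in the FORWARD chain for a NAT network are still present, so a firewall-tool run that dropped them is noticed before guest networking silently breaks. It assumes libvirt's "default" network (bridge virbr0, subnet 192.168.122.0/24) and the `iptables -L FORWARD -v` column layout shown in the description; the two sample chains are copied from the report's before/after listings and are embedded so the script runs offline. The function names are my own.

```shell
#!/bin/sh
# Added example: detect whether libvirt's FORWARD rules for a NAT network are
# still installed. Not part of the bug report; bridge/subnet and column layout
# are assumptions (libvirt "default" network, `iptables -L FORWARD -v` format).

# Constructed sample: the FORWARD chain as the report shows it on a fresh boot.
GOOD_CHAIN='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    virbr0  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 any     192.168.122.0/24     anywhere
    0     0 ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere
    0     0 REJECT     all  --  any    virbr0  anywhere             anywhere            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 any     anywhere             anywhere            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-bridged
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited'

# Constructed sample: the same chain after system-config-firewall ran.
BAD_CHAIN='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-bridged
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited'

# count_libvirt_rules CHAIN_TEXT BRIDGE SUBNET
# Prints how many of libvirt's three ACCEPT rules for BRIDGE are present:
#   1. return traffic to guests  (out=BRIDGE, dst=SUBNET, RELATED,ESTABLISHED)
#   2. guest-originated traffic  (in=BRIDGE, src=SUBNET)
#   3. guest-to-guest traffic    (in=BRIDGE, out=BRIDGE)
# Columns in `iptables -L -v` output: $3=target $6=in $7=out $8=src $9=dst.
count_libvirt_rules() {
    chain=$1; br=$2; net=$3; n=0
    printf '%s\n' "$chain" | awk -v br="$br" -v net="$net" \
        '$3=="ACCEPT" && $7==br && $9==net && /RELATED,ESTABLISHED/ {f=1} END {exit !f}' \
        && n=$((n+1))
    printf '%s\n' "$chain" | awk -v br="$br" -v net="$net" \
        '$3=="ACCEPT" && $6==br && $8==net {f=1} END {exit !f}' \
        && n=$((n+1))
    printf '%s\n' "$chain" | awk -v br="$br" \
        '$3=="ACCEPT" && $6==br && $7==br {f=1} END {exit !f}' \
        && n=$((n+1))
    echo "$n"
}

# libvirt_rules_intact CHAIN_TEXT BRIDGE SUBNET
# Succeeds (exit 0) only when all three rules are present.
libvirt_rules_intact() {
    [ "$(count_libvirt_rules "$1" "$2" "$3")" -eq 3 ]
}

# check_live_forward_chain BRIDGE SUBNET
# Reads the live chain from iptables (needs root) and reports the result.
# Not called below so the script also runs where iptables is unavailable.
check_live_forward_chain() {
    live=$(iptables -L FORWARD -v -n) || return 2
    if libvirt_rules_intact "$live" "$1" "$2"; then
        echo "libvirt FORWARD rules for $1 present"
    else
        echo "libvirt FORWARD rules for $1 missing: $(count_libvirt_rules "$live" "$1" "$2")/3 found"
        return 1
    fi
}

# Demonstrate on the two constructed samples.
echo "fresh boot : $(count_libvirt_rules "$GOOD_CHAIN" virbr0 192.168.122.0/24)/3 rules"
echo "after s-c-f: $(count_libvirt_rules "$BAD_CHAIN" virbr0 192.168.122.0/24)/3 rules"
```

On a real host you would call `check_live_forward_chain virbr0 192.168.122.0/24` as root after running system-config-firewall; a non-zero exit is the cue to apply the workaround from this comment (service libvirtd reload) and re-run the check. The match is on the bridge and subnet columns only, so it also works with `-n` output, where "any"/"anywhere" become "*"/"0.0.0.0/0".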