Bug 810464

Summary: ip_forward is not persistent
Product: Red Hat Enterprise Linux 7 Reporter: Matěj Cepl <mcepl>
Component: libvirtAssignee: Laine Stump <laine>
Status: CLOSED NOTABUG QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: acathrow, cwei, dwalsh, dyuan, laine, mmalik, mshao, mzhan, rvokal, ydu
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 807590 Environment:
Last Closed: 2014-07-29 15:42:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 807590    
Bug Blocks:    

Comment 2 Matěj Cepl 2012-04-06 14:37:54 UTC 
16:32:42) laine: Oh, wait - ip_forward is 0.
(16:32:59) laine: How did that happen? libvirtd sets it to 1 every time it's run.
(16:33:26) laine: Try doing "sysctl -w net.ipv4.ip_forward=1", then retry the ping.
(16:33:54) laine: Then set it on permanently in /etc/sysctl.conf
(16:34:13) mcepl: yes
(16:34:17) mcepl: works perfect! 
(16:34:18) mcepl: thanks
(16:34:32) mcepl: OK, I will make a comment to the bug
(16:34:37) laine: sure. It bothers me that something is turning it back off.
Comment 3 Laine Stump 2012-04-06 18:30:29 UTC 
This discussion has taken place before:

https://bugzilla.redhat.com/show_bug.cgi?id=612867

Basically, whenever libvirtd starts a network, it sets ip_forward to 1 in the kernel. Unlike with iptables rules, this setting is *not* reloaded if libvirtd is restarted. Other programs/services (e.g. NetworkManager) may call "sysctl -p" at some later time, potentially overwriting libvirtd's ip_forward=1 with ip_forward=0.

See https://bugzilla.redhat.com/612867#c6 for a couple of suggestions that were rejected in discussion (in favor of inaction).

I've just added a page to the upstream libvirt Troubleshooting wiki that details this problem:

http://wiki.libvirt.org/page/Guest_can_reach_host%2C_but_can%27t_reach_outside_network
Comment 5 Bill Nottingham 2012-04-10 21:02:17 UTC 
libvirt could write something to /run/sysctl.d for the device with ip_forward=1.

This *should* handle all sysctl reloads until the next reboot.
Comment 7 Laine Stump 2014-07-29 15:42:21 UTC 
This appears to be a non-issue in RHEL7. Default sysctl settings have been moved to /usr/lib/sysctl.d, they do not contain an "ip_forward = 0" setting, and anyway even if such a setting is added there, it isn't honored when "sysctl -p" is run. Additionally, restarting NetworkManager also doesn't set ip_forward back to 0.

If someone were to manually add ip_forward=0 to /etc/sysctl.conf (which is deprecated, as far as I understand), running "sysctl -p" or restarting NetworkManager would set it back to 0. However, that would require the user making that modification, since /etc/sysctl.conf is now delivered as an empty file (except for some comments).