Red Hat Bugzilla – Bug 240924
iptables forward rules for kvm networking not saved
Last modified: 2009-01-01 08:09:56 EST
Description of problem:
During my initial startup of virt-manager with KVM, I was pleased to see that
once ip_forward has been enabled, networking works great (NAT). I'm assuming
that something in libvirt adds the iptables forward rules? The problem is that
they aren't saved to /etc/sysconfig/iptables, and so if the user shuts down
iptables and then tries to reach the outside world from one of the guest
OSes, nothing works. Restarting iptables doesn't work; however, if you reboot the
machine and restart virt-manager and restart your guest, then it works. There
should be some intuition behind the scenes to get these rules saved so that the
casual user doesn't have to continue rebooting their machine.
Adding documentation isn't the best answer either. IMHO it doesn't make Linux
any more usable ... just more frustrating.
Based on the date this bug was created, it appears to have been reported
against rawhide during the development of a Fedora release that is no
longer maintained. In order to refocus our efforts as a project we are
flagging all of the open bugs for releases which are no longer
maintained. If this bug remains in NEEDINFO thirty (30) days from now,
we will automatically close it.
If you can reproduce this bug in a maintained Fedora version (7, 8, or
rawhide), please change this bug to the respective version and change
the status to ASSIGNED. (If you're unable to change the bug's version
or status, add a comment to the bug and someone will change it for you.)
Thanks for your help, and we apologize again that we haven't handled
these issues to this point.
The process we're following is outlined here:
We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.
Sending SIGHUP to libvirtd re-creates the rules. Alternatively do 'service
libvirtd reload'. Finally, libvirt also now registers the rules with lokkit, so
they are persisted when the iptables service is stopped/started.
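A small check for the situation this bug describes, as an added example that is not part of the bug report or of libvirt: it inspects an iptables-save dump for the rules libvirt's NAT network depends on and, when they are gone (for example after an iptables restart), reloads libvirtd as the comment above suggests. It assumes the libvirt defaults of bridge virbr0 and guest subnet 192.168.122.0/24, which are not stated in the bug; adjust BRIDGE and GUEST_NET if your network differs.

```shell
# Assumed libvirt defaults (not stated in the bug report); override via environment.
GUEST_NET="${GUEST_NET:-192.168.122.0/24}"
BRIDGE="${BRIDGE:-virbr0}"

# has_rule DUMP CHAIN TOKEN...  -> 0 if one "-A CHAIN" line in DUMP contains every TOKEN.
# Tokens are matched independently so the option order iptables-save prints does not matter.
has_rule() {
    lines=$(printf '%s\n' "$1" | grep -- "^-A $2 ")
    shift 2
    for tok in "$@"; do
        lines=$(printf '%s\n' "$lines" | grep -F -- "$tok") || return 1
    done
    [ -n "$lines" ]
}

# Reads an iptables-save dump on stdin; returns 0 only if the three rules that make
# guest NAT work are present: FORWARD accept out of the bridge, FORWARD accept for
# established replies back into it, and POSTROUTING masquerade of the guest subnet.
libvirt_nat_rules_present() {
    dump=$(cat)
    net="${GUEST_NET%/*}/"   # match "/24" and the older "/255.255.255.0" spelling alike
    has_rule "$dump" FORWARD "-i $BRIDGE" "-s $net" "-j ACCEPT" &&
    has_rule "$dump" FORWARD "-o $BRIDGE" "-d $net" "RELATED,ESTABLISHED" "-j ACCEPT" &&
    has_rule "$dump" POSTROUTING "-s $net" "-j MASQUERADE"
}

# Live check (run as root): if the rules have vanished, reload libvirtd so it re-creates them.
ensure_libvirt_nat_rules() {
    if iptables-save | libvirt_nat_rules_present; then
        echo "libvirt NAT rules for $GUEST_NET via $BRIDGE are present"
    else
        echo "libvirt NAT rules missing; reloading libvirtd to re-create them"
        service libvirtd reload
    fi
}
```

Call ensure_libvirt_nat_rules after any iptables restart (or from the iptables init script's post-start hook) to restore guest connectivity without rebooting.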