Bug 240924 - iptables forward rules for kvm networking not saved
Summary: iptables forward rules for kvm networking not saved
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: libvirt
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Veillard
QA Contact:
URL:
Whiteboard: bzcl34nup
Depends On:
Blocks:
Reported: 2007-05-22 21:30 UTC by Jeremy West
Modified: 2009-01-01 13:09 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-04-04 01:05:23 UTC
Type: ---
Embargoed:


Description Jeremy West 2007-05-22 21:30:05 UTC
Description of problem:

During my initial startup of virt-manager with KVM, I was pleased to see that
once ip_forward has been enabled, networking works great (NAT).  I'm assuming
that something in libvirt adds the iptables forward rules?  The problem is that
they aren't saved to /etc/sysconfig/iptables, and so if the user shuts down
iptables and then tries to reach the outside world from one of the guest
OSes, nothing works.  Restarting iptables doesn't work; however, if you reboot the
machine and restart virt-manager and restart your guest, then it works.  There
should be some intuition behind the scenes to get these rules saved so that the
casual user doesn't have to continue rebooting their machine.

Adding documentation isn't the best answer either.  IMHO it doesn't make Linux
any more useable ... just more frustrating.

Additional info:

Comment 1 Bug Zapper 2008-04-04 00:50:29 UTC
Based on the date this bug was created, it appears to have been reported
against rawhide during the development of a Fedora release that is no
longer maintained. In order to refocus our efforts as a project we are
flagging all of the open bugs for releases which are no longer
maintained. If this bug remains in NEEDINFO thirty (30) days from now,
we will automatically close it.

If you can reproduce this bug in a maintained Fedora version (7, 8, or
rawhide), please change this bug to the respective version and change
the status to ASSIGNED. (If you're unable to change the bug's version
or status, add a comment to the bug and someone will change it for you.)

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

Comment 2 Daniel Berrangé 2008-04-04 01:05:23 UTC
Sending SIGHUP to libvirtd re-creates the rules. Alternatively do 'service
libvirtd reload'. Finally, libvirt also now registers the rules with lokkit, so
they are persisted when the iptables service is stopped/started.
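
Added example (not part of this bug report and not libvirt code): a check that reads `iptables-save` output, tells whether the FORWARD rules for a libvirt NAT bridge survived an iptables restart, and reloads libvirtd only when they are missing. The bridge name `virbr0`, the rule shapes in the constructed samples, and the `--fix` argument are assumptions.

```sh
#!/bin/sh
# Added example, not libvirt code. "virbr0" and the rule shapes are assumptions.

# Succeeds when `iptables-save` output on stdin has filter-table FORWARD
# ACCEPT rules both out of the bridge ($1 as -i only) and into it (-o only).
forward_rules_present() {
    awk -v br="$1" '
        /^\*/ { table = $1 }                     # table header: *filter, *nat
        table == "*filter" && $1 == "-A" && $2 == "FORWARD" && /-j ACCEPT/ {
            has_i = has_o = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-i" && $(i + 1) == br) has_i = 1
                if ($i == "-o" && $(i + 1) == br) has_o = 1
            }
            if (has_i && !has_o) from_guest = 1  # guest -> outside
            if (has_o && !has_i) to_guest = 1    # replies -> guest
        }
        END { exit !(from_guest && to_guest) }'
}

# Constructed sample: rules while libvirt's NAT network is active.
sample_with_libvirt() { cat <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Constructed sample: after the iptables service reloaded its saved rules.
sample_after_restart() { cat <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Live check (needs root): reload libvirtd only when the rules are missing.
reload_if_missing() {
    iptables-save | forward_rules_present "$1" || service libvirtd reload
}
if [ "${1:-}" = "--fix" ]; then reload_if_missing "${2:-virbr0}"; fi
```

The intra-bridge rule (`-i virbr0 -o virbr0`) is deliberately not counted, since it only covers guest-to-guest traffic and says nothing about reaching the outside world.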