Bug 546064 - system-config-firewall destroys libvirt's iptables rules
Status: CLOSED DUPLICATE of bug 227011
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 12
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Veillard
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-12-09 17:09 EST by Jeff Bastian
Modified: 2009-12-10 13:16 EST
Last Closed: 2009-12-10 07:02:59 EST
Doc Type: Bug Fix
Attachments: None
Description Jeff Bastian 2009-12-09 17:09:17 EST
Description of problem:
libvirt creates some FORWARD rules to allow virtual machines to access the network using a virtual (NAT) network.  If you run system-config-firewall to make a change to your firewall settings, it removes the FORWARD rules needed by libvirt.

On a fresh boot, I see:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    virbr0  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 any     192.168.122.0/24     anywhere
    0     0 ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere
    0     0 REJECT     all  --  any    virbr0  anywhere             anywhere            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 any     anywhere             anywhere            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-bridged
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited


After running s-c-firewall, it's reduced to just:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-bridged
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited


And, of course, networking is now broken in the virtual machines.

It also permanently removes the rules from /etc/sysconfig/iptables


Version-Release number of selected component (if applicable):
system-config-firewall-1.2.21-1.fc12.noarch

How reproducible:
every time

Steps to Reproduce:
1. remove /etc/sysconfig/iptables to start from scratch
2. reboot
3. iptables -L                 (note FORWARD rules)
4. system-config-firewall      (enable WWW or something)
5. iptables -L                 (note FORWARD rules)
  
Actual results:
the FORWARD rules created by libvirt are gone

Expected results:
the FORWARD rules are preserved

Additional info:
Comment 1 Jeff Bastian 2009-12-09 18:33:45 EST
This might be a duplicate of bug 539744
Comment 2 Thomas Woerner 2009-12-10 06:14:07 EST
This is a bug in libvirt. 

libvirt was adding custom rules files to the firewall configuration to have the same setup if the firewall has been restarted. At the moment the files are not integrated into the firewall anymore and additionally they are empty.

Reassigning to libvirt.
Comment 3 Mark McLoughlin 2009-12-10 07:02:59 EST
libvirt has no sane way of integrating with iptables

We previously tried using lokkit, but if the user had configured iptables manually (i.e. without lokkit) we'd end up clobbering their rules

We simply need a way to say to iptables "we've added these rules, please load them when you restart" without overwriting the current configuration. We also need lokkit/system-config-firewall to not overwrite these rules when the user modifies the configuration

The whole sorry saga is well documented in bug #227011

*** This bug has been marked as a duplicate of bug 227011 ***
Comment 4 Alan Pevec 2009-12-10 13:16:25 EST
In the meantime, the workaround is to issue "service libvirtd reload" after running s-c-firewall to re-insert the iptables rules.

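An added check, not part of the bug report, that detects whether the three ACCEPT rules libvirt installs for its NAT bridge are still in the FORWARD chain and, when they are gone, applies the reload workaround from comment 4. The two chain listings from the description are embedded as constructed samples; the bridge name (virbr0) and guest subnet (192.168.122.0/24) are the values shown in the report, and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the bug report. Bridge and subnet (virbr0,
# 192.168.122.0/24) are the defaults shown in the description.

# Constructed sample: the FORWARD chain on a fresh boot, as listed in the report.
FORWARD_FRESH='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    virbr0  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 any     192.168.122.0/24     anywhere
    0     0 ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere
    0     0 REJECT     all  --  any    virbr0  anywhere             anywhere            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 any     anywhere             anywhere            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-bridged
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited'

# Constructed sample: the same chain after system-config-firewall has run.
FORWARD_CLOBBERED='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-bridged
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited'

# libvirt_forward_rules_present BRIDGE SUBNET  (reads "iptables -L FORWARD -v" on stdin)
# Succeeds only if all three ACCEPT rules libvirt installs for the bridge are there:
#   any -> BRIDGE to SUBNET (state RELATED,ESTABLISHED), BRIDGE -> any from SUBNET,
#   and BRIDGE -> BRIDGE (guest-to-guest traffic).
libvirt_forward_rules_present() {
    bridge=$1; subnet=$2
    rules=$(grep '^ *[0-9]' | grep ACCEPT) || rules=''   # rule lines with an ACCEPT target
    found=0
    echo "$rules" | grep -q "any *$bridge *anywhere *$subnet *state RELATED,ESTABLISHED" && found=$((found + 1))
    echo "$rules" | grep -q "$bridge *any *$subnet *anywhere" && found=$((found + 1))
    echo "$rules" | grep -q "$bridge *$bridge *anywhere *anywhere" && found=$((found + 1))
    [ "$found" -eq 3 ]
}

# check_and_restore: for the live system (needs root). If the rules are gone,
# apply the workaround from comment 4 and reload libvirtd to re-insert them.
check_and_restore() {
    if iptables -L FORWARD -v | libvirt_forward_rules_present virbr0 192.168.122.0/24; then
        echo "libvirt FORWARD rules present"
    else
        echo "libvirt FORWARD rules missing; reloading libvirtd"
        service libvirtd reload
    fi
}
```

Run check_and_restore after any system-config-firewall change (or from cron) to catch the clobbered chain; the -v flag matters, since the check keys on the pkts/bytes columns.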