Description of problem:
libvirt creates some FORWARD rules to allow virtual machines to access the network using a virtual (NAT) network. If you run system-config-firewall to make a change to your firewall settings, it removes the FORWARD rules needed by libvirt.

On a fresh boot, I see:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    virbr0  anywhere             192.168.122.0/24     state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 any     192.168.122.0/24     anywhere
    0     0 ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere
    0     0 REJECT     all  --  any    virbr0  anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 any     anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             PHYSDEV match --physdev-is-bridged
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

After running s-c-firewall, it's reduced to just:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             PHYSDEV match --physdev-is-bridged
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

And, of course, networking is now broken in the virtual machines. It also permanently removes the rules from /etc/sysconfig/iptables.

Version-Release number of selected component (if applicable):
system-config-firewall-1.2.21-1.fc12.noarch

How reproducible:
every time

Steps to Reproduce:
1. remove /etc/sysconfig/iptables to start from scratch
2. reboot
3. iptables -L (note FORWARD rules)
4. system-config-firewall (enable WWW or something)
5. iptables -L (note FORWARD rules)

Actual results:
the FORWARD rules created by libvirt are gone

Expected results:
the FORWARD rules are preserved

Additional info:
This might be a duplicate of bug 539744
This is a bug in libvirt. libvirt was adding custom rules files to the firewall configuration to have the same setup if the firewall has been restarted. At the moment the files are not integrated into the firewall anymore and additionally they are empty. Reassigning to libvirt.
libvirt has no sane way of integrating with iptables.

We previously tried using lokkit, but if the user had configured iptables manually (i.e. without lokkit) we'd end up clobbering their rules.

We simply need a way to say to iptables "we've added these rules, please load them when you restart" without overwriting the current configuration. We also need lokkit/system-config-firewall to not overwrite these rules when the user modifies the configuration.

The whole sorry saga is well documented in bug #227011.

*** This bug has been marked as a duplicate of bug 227011 ***
In the meantime, the workaround is to issue service libvirtd reload after running s-c-firewall to re-insert the iptables rules.
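An added check, not part of the bug report nor of libvirt or system-config-firewall, that reads the FORWARD chain in iptables -S form and reports whether libvirt's NAT-network rules are still there, so an admin can tell after a firewall change whether the reload above is needed. The two sample chains are constructed from the listings in the report; the bridge name virbr0 and subnet 192.168.122.0/24 are libvirt's defaults and assumed here.

```shell
#!/bin/sh
# Added example, not part of the bug report: decide from `iptables -S FORWARD`
# output whether libvirt's virbr0 FORWARD rules survived a firewall rewrite.
# Assumptions: default libvirt bridge virbr0 and subnet 192.168.122.0/24.

# Constructed sample: the fresh-boot chain from the report, in iptables -S form
FRESH_BOOT='-P FORWARD ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# Constructed sample: the chain after system-config-firewall rewrote it
AFTER_SCF='-P FORWARD ACCEPT
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# count_bridge_rules BRIDGE: number of FORWARD rules (on stdin) that name the
# bridge as input or output interface; prints 0 when none match.
count_bridge_rules() {
    grep -E -c -e "-[io] $1( |$)" || true
}

# libvirt_rules_intact BRIDGE SUBNET: exit 0 only if both of libvirt's ACCEPT
# rules for the NAT network (outbound from SUBNET, and RELATED,ESTABLISHED
# replies back to it) are present in the FORWARD chain read from stdin.
libvirt_rules_intact() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q -E -e "-s $2 -i $1 .*-j ACCEPT" &&
    printf '%s\n' "$rules" | grep -q -E -e "-d $2 -o $1 .*RELATED,ESTABLISHED.*-j ACCEPT"
}

# report LABEL: one-line verdict for the chain on stdin
report() {
    if libvirt_rules_intact virbr0 192.168.122.0/24; then
        echo "$1: libvirt FORWARD rules present"
    else
        echo "$1: libvirt FORWARD rules missing, run 'service libvirtd reload'"
    fi
}

# Demonstration on the constructed samples. On a live host (as root), feed
# real output instead:  iptables -S FORWARD | report "live host"
printf '%s\n' "$FRESH_BOOT" | report "fresh boot"
printf '%s\n' "$AFTER_SCF" | report "after system-config-firewall"
```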