810464 – ip_forward is not persistent

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 810464 - ip_forward is not persistent

Summary: ip_forward is not persistent

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	libvirt
Sub Component:
Version:	7.0
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Laine Stump
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Depends On:	807590
Blocks:
TreeView+	depends on / blocked

Reported:	2012-04-06 09:24 UTC by Matěj Cepl
Modified:	2016-04-26 14:18 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:	807590
Environment:
Last Closed:	2014-07-29 15:42:21 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Comment 2 Matěj Cepl 2012-04-06 14:37:54 UTC

16:32:42) laine: Oh, wait - ip_forward is 0.
(16:32:59) laine: How did that happen? libvirtd sets it to 1 every time it's run.
(16:33:26) laine: Try doing "sysctl -w net.ipv4.ip_forward=1", then retry the ping.
(16:33:54) laine: Then set it on permanently in /etc/sysctl.conf
(16:34:13) mcepl: yes
(16:34:17) mcepl: works perfect! 
(16:34:18) mcepl: thanks
(16:34:32) mcepl: OK, I will make a comment to the bug
(16:34:37) laine: sure. It bothers me that something is turning it back off.

Comment 3 Laine Stump 2012-04-06 18:30:29 UTC

This discussion has taken place before:

https://bugzilla.redhat.com/show_bug.cgi?id=612867

Basically, whenever libvirtd starts a network, it sets ip_forward to 1 in the kernel. Unlike with iptables rules, this setting is *not* reloaded if libvirtd is restarted. Other programs/services (e.g. NetworkManager) may call "sysctl -p" at some later time, potentially overwriting libvirtd's ip_forward=1 with ip_forward=0.

See https://bugzilla.redhat.com/612867#c6 for a couple of suggestions that were rejected in discussion (in favor of inaction).

I've just added a page to the upstream libvirt Troubleshooting wiki that details this problem:

http://wiki.libvirt.org/page/Guest_can_reach_host%2C_but_can%27t_reach_outside_network

Comment 5 Bill Nottingham 2012-04-10 21:02:17 UTC

libvirt could write something to /run/sysctl.d for the device with ip_forward=1.

This *should* handle all sysctl reloads until the next reboot.

Comment 7 Laine Stump 2014-07-29 15:42:21 UTC

This appears to be a non-issue in RHEL7. Default sysctl settings have been moved to /usr/lib/sysctl.d, they do not contain an "ip_forward = 0" setting, and anyway even if such a setting is added there, it isn't honored when "sysctl -p" is run. Additionally, restarting NetworkManager also doesn't set ip_forward back to 0.

If someone were to manually add ip_forward=0 to /etc/sysctl.conf (which is deprecated, as far as I understand), running "sysctl -p" or restarting NetworkManager would set it back to 0. However, that would require the user making that modification, since /etc/sysctl.conf is now delivered as an empty file (except for some comments).

Note You need to log in before you can comment on or make changes to this bug.