Bug 810464 - ip_forward is not persistent
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.0
Hardware: All Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: Laine Stump
QA Contact: Virtualization Bugs
Depends On: 807590
Reported: 2012-04-06 05:24 EDT by Matěj Cepl
Modified: 2016-04-26 10:18 EDT

Doc Type: Bug Fix
Clone Of: 807590
Last Closed: 2014-07-29 11:42:21 EDT
Comment 2 Matěj Cepl 2012-04-06 10:37:54 EDT
(16:32:42) laine: Oh, wait - ip_forward is 0.
(16:32:59) laine: How did that happen? libvirtd sets it to 1 every time it's run.
(16:33:26) laine: Try doing "sysctl -w net.ipv4.ip_forward=1", then retry the ping.
(16:33:54) laine: Then set it on permanently in /etc/sysctl.conf
(16:34:13) mcepl: yes
(16:34:17) mcepl: works perfect! 
(16:34:18) mcepl: thanks
(16:34:32) mcepl: OK, I will make a comment to the bug
(16:34:37) laine: sure. It bothers me that something is turning it back off.
Comment 3 Laine Stump 2012-04-06 14:30:29 EDT
This discussion has taken place before:

https://bugzilla.redhat.com/show_bug.cgi?id=612867

Basically, whenever libvirtd starts a network, it sets ip_forward to 1 in the kernel. Unlike with iptables rules, this setting is *not* reloaded if libvirtd is restarted. Other programs/services (e.g. NetworkManager) may call "sysctl -p" at some later time, potentially overwriting libvirtd's ip_forward=1 with ip_forward=0.

See https://bugzilla.redhat.com/612867#c6 for a couple of suggestions that were rejected in discussion (in favor of inaction).

I've just added a page to the upstream libvirt Troubleshooting wiki that details this problem:

http://wiki.libvirt.org/page/Guest_can_reach_host%2C_but_can%27t_reach_outside_network
Comment 5 Bill Nottingham 2012-04-10 17:02:17 EDT
libvirt could write something to /run/sysctl.d for the device with ip_forward=1.

This *should* handle all sysctl reloads until the next reboot.
Comment 7 Laine Stump 2014-07-29 11:42:21 EDT
This appears to be a non-issue in RHEL7. Default sysctl settings have been moved to /usr/lib/sysctl.d, they do not contain an "ip_forward = 0" setting, and anyway even if such a setting is added there, it isn't honored when "sysctl -p" is run. Additionally, restarting NetworkManager also doesn't set ip_forward back to 0.

If someone were to manually add ip_forward=0 to /etc/sysctl.conf (which is deprecated, as far as I understand), running "sysctl -p" or restarting NetworkManager would set it back to 0. However, that would require the user making that modification, since /etc/sysctl.conf is now delivered as an empty file (except for some comments).
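
Added example, not part of the bug thread or of libvirt: a shell check that lists every sysctl configuration line assigning net.ipv4.ip_forward, so a setting that a later reload could apply over libvirtd's runtime value is visible beforehand. The function names and the ROOT prefix argument are hypothetical, and the scanned locations are the ones named in the comments above plus /etc/sysctl.d (an assumption).

```shell
#!/bin/sh
# Added example: find sysctl config lines that set net.ipv4.ip_forward.
# ROOT is a hypothetical prefix so the scan can run against a test tree;
# pass "" to scan the live system.

# Print "<file>:<value>" for each ip_forward assignment found under ROOT.
find_ip_forward_settings() {
    root="${1:-}"
    for f in "$root/etc/sysctl.conf" \
             "$root"/etc/sysctl.d/*.conf \
             "$root"/run/sysctl.d/*.conf \
             "$root"/usr/lib/sysctl.d/*.conf; do
        [ -f "$f" ] || continue          # unmatched globs stay literal; skip them
        awk -v file="$f" '
            /^[ \t]*[#;]/ { next }       # skip comment lines
            {
                line = $0
                sub(/^[ \t]*-?/, "", line)   # leading blanks and optional "-" prefix
                n = index(line, "=")
                if (n == 0) next
                key = substr(line, 1, n - 1)
                val = substr(line, n + 1)
                gsub(/[ \t]/, "", key)
                gsub(/[ \t]/, "", val)
                gsub(/\//, ".", key)         # accept the net/ipv4/ip_forward spelling
                if (key == "net.ipv4.ip_forward") print file ":" val
            }' "$f"
    done
}

# Exit 0 if any scanned file would set ip_forward to 0 when it is applied.
ip_forward_reset_risk() {
    find_ip_forward_settings "$1" | grep -q ':0$'
}
```

Compare the output of `find_ip_forward_settings ""` with the runtime value from `sysctl net.ipv4.ip_forward` to see whether the running kernel and the files on disk disagree.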
