Red Hat Bugzilla – Bug 810464
ip_forward is not persistent
Last modified: 2016-04-26 10:18:29 EDT
16:32:42) laine: Oh, wait - ip_forward is 0.
(16:32:59) laine: How did that happen? libvirtd sets it to 1 every time it's run.
(16:33:26) laine: Try doing "sysctl -w net.ipv4.ip_forward=1", then retry the ping.
(16:33:54) laine: Then set it on permanently in /etc/sysctl.conf
(16:34:13) mcepl: yes
(16:34:17) mcepl: works perfect!
(16:34:18) mcepl: thanks
(16:34:32) mcepl: OK, I will make a comment to the bug
(16:34:37) laine: sure. It bothers me that something is turning it back off.
This discussion has taken place before:
Basically, whenever libvirtd starts a network, it sets ip_forward to 1 in the kernel. Unlike with iptables rules, this setting is *not* reloaded if libvirtd is restarted. Other programs/services (e.g. NetworkManager) may call "sysctl -p" at some later time, potentially overwriting libvirtd's ip_forward=1 with ip_forward=0.
See https://bugzilla.redhat.com/612867#c6 for a couple of suggestions that were rejected in discussion (in favor of inaction).
I've just added a page to the upstream libvirt Troubleshooting wiki that details this problem:
libvirt could write something to /run/sysctl.d for the device with ip_forward=1.
This *should* handle all sysctl reloads until the next reboot.
This appears to be a non-issue in RHEL7. Default sysctl settings have been moved to /usr/lib/sysctl.d, they do not contain an "ip_forward = 0" setting, and anyway even if such a setting is added there, it isn't honored when "sysctl -p" is run. Additionally, restarting NetworkManager also doesn't set ip_forward back to 0.
If someone were to manually add ip_forward=0 to /etc/sysctl.conf (which is deprecated, as far as I understand), running "sysctl -p" or restarting NetworkManager would set it back to 0. However, that would require the user making that modification, since /etc/sysctl.conf is now delivered as an empty file (except for some comments).