Bug 810464 - ip_forward is not persistent
Summary: ip_forward is not persistent
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.0
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Laine Stump
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On: 807590
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-04-06 09:24 UTC by Matěj Cepl
Modified: 2016-04-26 14:18 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 807590
Environment:
Last Closed: 2014-07-29 15:42:21 UTC
Target Upstream Version:


Attachments (Terms of Use)

Comment 2 Matěj Cepl 2012-04-06 14:37:54 UTC
16:32:42) laine: Oh, wait - ip_forward is 0.
(16:32:59) laine: How did that happen? libvirtd sets it to 1 every time it's run.
(16:33:26) laine: Try doing "sysctl -w net.ipv4.ip_forward=1", then retry the ping.
(16:33:54) laine: Then set it on permanently in /etc/sysctl.conf
(16:34:13) mcepl: yes
(16:34:17) mcepl: works perfect! 
(16:34:18) mcepl: thanks
(16:34:32) mcepl: OK, I will make a comment to the bug
(16:34:37) laine: sure. It bothers me that something is turning it back off.

Comment 3 Laine Stump 2012-04-06 18:30:29 UTC
This discussion has taken place before:

https://bugzilla.redhat.com/show_bug.cgi?id=612867

Basically, whenever libvirtd starts a network, it sets ip_forward to 1 in the kernel. Unlike with iptables rules, this setting is *not* reloaded if libvirtd is restarted. Other programs/services (e.g. NetworkManager) may call "sysctl -p" at some later time, potentially overwriting libvirtd's ip_forward=1 with ip_forward=0.

See https://bugzilla.redhat.com/612867#c6 for a couple of suggestions that were rejected in discussion (in favor of inaction).

I've just added a page to the upstream libvirt Troubleshooting wiki that details this problem:

http://wiki.libvirt.org/page/Guest_can_reach_host%2C_but_can%27t_reach_outside_network

Comment 5 Bill Nottingham 2012-04-10 21:02:17 UTC
libvirt could write something to /run/sysctl.d for the device with ip_forward=1.

This *should* handle all sysctl reloads until the next reboot.

Comment 7 Laine Stump 2014-07-29 15:42:21 UTC
This appears to be a non-issue in RHEL7. Default sysctl settings have been moved to /usr/lib/sysctl.d, they do not contain an "ip_forward = 0" setting, and anyway even if such a setting is added there, it isn't honored when "sysctl -p" is run. Additionally, restarting NetworkManager also doesn't set ip_forward back to 0.

If someone were to manually add ip_forward=0 to /etc/sysctl.conf (which is deprecated, as far as I understand), running "sysctl -p" or restarting NetworkManager would set it back to 0. However, that would require the user making that modification, since /etc/sysctl.conf is now delivered as an empty file (except for some comments).


Note You need to log in before you can comment on or make changes to this bug.