Re: [libvirt] [PATCH 1/3] Only check for IP forwarding, do not enable it

On 10/15/2012 12:04 PM, Cole Robinson wrote: > On 10/15/2012 10:54 AM, Michal Privoznik wrote: >> On 15.10.2012 12:26, Benjamin Cama wrote: >>> >>> static int >>> networkSetIPv6Sysctls(virNetworkObjPtr network) >>> @@ -2140,11 +2172,9 @@ networkStartNetworkVirtual(struct network_driver >>> *driver, >>> if (virNetDevSetOnline(network->def->bridge, 1) < 0) >>> goto err2; >>> >>> - /* If forwardType != NONE, turn on global IP forwarding */ >>> + /* If forwardType != NONE, check for IP forwarding */ >>> if (network->def->forwardType != VIR_NETWORK_FORWARD_NONE && >>> - networkEnableIpForwarding(v4present, v6present) < 0) { >>> - virReportSystemError(errno, "%s", >>> - _("failed to enable IP forwarding")); >>> + networkCheckIpForwarding(v4present, v6present) < 0) { >>> goto err3; >>> } >>> >>> >> Well, I am not sure if we can do this. What would happen if some of our >> users rely on this already? I mean, it's there since ages. >> >> Michal > Indeed this kinda defeats the purpose of the default virtual network that > should 'just work' out of the box. Maybe we could add some libvirtd.conf > option to enable this check-if-set behavior, but we can't change the default > here. We've had this discussion before: http://www.redhat.com/archives/libvir-list/2010-October/msg00030.html and in particular this response: http://www.redhat.com/archives/libvir-list/2010-October/msg00183.html

In the end, the presence of a network with a forward mode that requires L3 packet forwarding indicates tacit approval for ip_forward to be turned on. The problem in the past has been that the default network (which has <forward mode='nat'>) was a part of *all* libvirt installs. That is now separated into its own sub-package, though. So, the "config option" is to simply not install the default network (or to remove it if it's there).