[libvirt] [PATCH 1/3] Only check for IP forwarding, do not enable it

Benjamin Cama benjamin.cama at telecom-bretagne.eu
Wed Oct 17 14:07:42 UTC 2012


Hi everyone,

On Monday, 15 October 2012 at 09:36 -0700, Cole Robinson wrote:
> On 10/15/2012 12:04 PM, Cole Robinson wrote:
> > On 10/15/2012 10:54 AM, Michal Privoznik wrote:
> >> On 15.10.2012 12:26, Benjamin Cama wrote:
> >>>  
> >>>  static int
> >>>  networkSetIPv6Sysctls(virNetworkObjPtr network)
> >>> @@ -2140,11 +2172,9 @@ networkStartNetworkVirtual(struct network_driver 
> >>> *driver,
> >>>      if (virNetDevSetOnline(network->def->bridge, 1) < 0)
> >>>          goto err2;
> >>>  
> >>> -    /* If forwardType != NONE, turn on global IP forwarding */
> >>> +    /* If forwardType != NONE, check for IP forwarding */
> >>>      if (network->def->forwardType != VIR_NETWORK_FORWARD_NONE &&
> >>> -        networkEnableIpForwarding(v4present, v6present) < 0) {
> >>> -        virReportSystemError(errno, "%s",
> >>> -                             _("failed to enable IP forwarding"));
> >>> +        networkCheckIpForwarding(v4present, v6present) < 0) {
> >>>          goto err3;
> >>>      }
> >>>  
> >>>
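Review bot: the `+` lines drop the `virReportSystemError(errno, "%s", _("failed to enable IP forwarding"))` call that the `-` lines had on the failure path, so unless `networkCheckIpForwarding()` reports its own error before returning `< 0`, the `goto err3` now leaves the caller with no message explaining why the network failed to start. Either keep a `virReportError` in this caller, or make the check routine report which family (v4 or v6) has forwarding disabled so the user learns what to fix. Also, the new comment `/* If forwardType != NONE, check for IP forwarding */` would be clearer as "require IP forwarding to already be enabled", since the behavioural change is that libvirt refuses to start the network rather than flipping the sysctl.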
> >> Well, I am not sure if we can do this. What would happen if some of our
> >> users rely on this already? I mean, it's been there for ages.
> >>
> >> Michal
> > Indeed this kinda defeats the purpose of the default virtual network that
> > should 'just work' out of the box. Maybe we could add some libvirtd.conf
> > option to enable this check-if-set behavior, but we can't change the default 
> > here.
> 
> We've had this discussion before:
> 
> 
>   http://www.redhat.com/archives/libvir-list/2010-October/msg00030.html
> 
> and in particular this response:
> 
>   http://www.redhat.com/archives/libvir-list/2010-October/msg00183.html

Thanks for the links.

> In the end, the presence of a network with a forward mode that requires
> L3 packet forwarding indicates tacit approval for ip_forward to be
> turned on. The problem in the past has been that the default network
> (which has <forward mode='nat'>) was a part of *all* libvirt installs.
> That is now separated into its own sub-package, though.
> 
> So, the "config option" is to simply not install the default network (or
> to remove it if it's there).

I understand that changing the behavior of a function that has been
“just working” for years sounds unacceptable. It's just that for IPv6,
enabling forwarding has far more consequences than for IPv4. But I
understand that my use case may be rare enough not to change the default
behavior. Still, I would like to implement some big warning when
changing the forwarding state. I will work on that.

Regards,
-- 
Benjamin Cama <benjamin.cama at telecom-bretagne.eu>
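The following is an added example, not libvirt's code and not the patch under discussion: a check-only routine of the kind the quoted hunk calls for, which reads the Linux forwarding sysctls, never writes them, and hands the caller a reason when a required family is off (the silent `goto err3` path is what a caller would otherwise be left with). The function names, the return codes (0, 4, 6, -1) and the path parameters are assumptions made so the routine can be exercised against constructed files instead of the real `/proc`; the two `/proc/sys` paths are the real kernel locations.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Real Linux sysctl paths for the two forwarding knobs. Turning the IPv6
 * one on makes the kernel treat every interface as a router: with the
 * default accept_ra=1 they stop honouring Router Advertisements (SLAAC
 * addresses and the default route), which is the wider IPv6 impact the
 * thread alludes to. This example only ever reads them. */
#define IPV4_FORWARD_PATH "/proc/sys/net/ipv4/ip_forward"
#define IPV6_FORWARD_PATH "/proc/sys/net/ipv6/conf/all/forwarding"

/* Read a one-flag sysctl file ("0\n" or "1\n").
 * Returns 1 if enabled, 0 if disabled, -1 on error (errno set). */
int read_sysctl_flag(const char *path)
{
    char buf[16];
    ssize_t n;
    int fd = open(path, O_RDONLY);

    if (fd < 0)
        return -1;
    n = read(fd, buf, sizeof(buf) - 1);
    close(fd);
    if (n <= 0) {
        if (n == 0)
            errno = EINVAL;
        return -1;
    }
    buf[n] = '\0';
    if ((buf[0] == '0' || buf[0] == '1') &&
        (buf[1] == '\n' || buf[1] == '\0'))
        return buf[0] - '0';
    errno = EINVAL;          /* anything other than a bare 0/1 is a parse error */
    return -1;
}

/* Check-only counterpart of an "enable" step (assumed name): never writes
 * the sysctl. v4present/v6present say which families the network carries.
 * Returns 0 when every required family already has forwarding on,
 * 4 or 6 when that family has it off, -1 when a sysctl could not be read.
 * If msg is non-NULL a human-readable reason is written there so the
 * caller's error path has something concrete to report. */
int check_ip_forwarding(const char *v4path, const char *v6path,
                        int v4present, int v6present,
                        char *msg, size_t msglen)
{
    int rc;

    if (v4present) {
        rc = read_sysctl_flag(v4path);
        if (rc < 0) {
            if (msg)
                snprintf(msg, msglen, "cannot read %s: %s", v4path, strerror(errno));
            return -1;
        }
        if (rc == 0) {
            if (msg)
                snprintf(msg, msglen, "IPv4 forwarding is disabled (%s); not enabling it", v4path);
            return 4;
        }
    }
    if (v6present) {
        rc = read_sysctl_flag(v6path);
        if (rc < 0) {
            if (msg)
                snprintf(msg, msglen, "cannot read %s: %s", v6path, strerror(errno));
            return -1;
        }
        if (rc == 0) {
            if (msg)
                snprintf(msg, msglen, "IPv6 forwarding is disabled (%s); not enabling it", v6path);
            return 6;
        }
    }
    return 0;
}

/* Helper for exercising the check against constructed files (not /proc). */
int make_flag_file(const char *path, const char *content)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    if (fputs(content, f) == EOF) {
        fclose(f);
        return -1;
    }
    return fclose(f) == 0 ? 0 : -1;
}

int main(void)
{
    char msg[256];
    int rc = check_ip_forwarding(IPV4_FORWARD_PATH, IPV6_FORWARD_PATH,
                                 1, 1, msg, sizeof(msg));
    if (rc == 0)
        puts("IPv4 and IPv6 forwarding are both already enabled");
    else
        printf("forwarding check failed (%d): %s\n", rc, msg);
    return rc == 0 ? 0 : 1;
}
```

Run against the live host, `main` reports the state of both knobs without changing anything; the distinct return codes let a caller decide per family whether refusing to start the network is the right outcome, which is the policy question the thread is debating.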