Coexistence of SuSEfirewall and libvirt – restoring libvirt’s firewall rules automatically

Running libvirtd on openSUSE, you may eventually find that your KVM guests lose network connectivity to the outside world whenever an interface on the KVM host goes up or down, or whenever SuSEfirewall is run for some other reason, e.g. a manual restart. libvirt uses iptables rules and the kernel’s IP forwarding to get the guests’ outbound traffic out of the host. SuSEfirewall, however, flushes all tables before it adds its own rules, and unlike Fedora there is no interface through which applications can ask SuSEfirewall to put custom rules into effect.

As noted at the very end of the Firewall page on the libvirt site, sending SIGHUP to libvirtd makes it reinstall its iptables rules. That alone is not necessarily enough, because SuSEfirewall also disables IP forwarding unless you have explicitly enabled it (FW_ROUTE), which you most likely have not if the machine in question is a laptop, as in my case. So /proc/sys/net/ipv4/ip_forward has to be taken care of, too.

As no one wants to do this by hand every single time, and you cannot predict when SuSEfirewall2 will be run, let’s use its hook mechanism to automate it. In /etc/sysconfig/SuSEfirewall2, set:


FW_CUSTOMRULES="/usr/local/sbin/reinstall-libvirt-rules.sh"

Next, create /usr/local/sbin/reinstall-libvirt-rules.sh with the content below. SuSEfirewall2 sources this file as root and calls the hook functions it defines, so keep it owned by root and not writable by anyone else:

#!/bin/bash
# Sourced by SuSEfirewall2 (FW_CUSTOMRULES); it calls the hook functions
# defined here at the matching points of its run.

# Runs after SuSEfirewall2 has flushed the tables and installed its own rules.
fw_custom_after_finished() {
    # Only act if libvirtd is running (it may be started by hand, on demand).
    if rclibvirtd status >/dev/null 2>&1; then
        logger -t SuSEfirewall2-custom "Reactivating libvirt firewall rules"
        # SIGHUP makes libvirtd re-add the iptables rules for its networks.
        killall -HUP libvirtd
        # SuSEfirewall2 switched forwarding off (FW_ROUTE not set);
        # libvirt's NATed networks need it back on.
        echo 1 >/proc/sys/net/ipv4/ip_forward
    fi
    return 0
}

The hook first checks whether libvirtd is running at all (useful if you start it by hand only when needed). If it is, it sends SIGHUP as outlined above and unconditionally switches IP forwarding on; the assumption here is that you have at least one virtual network that is NATed to the outside world. Enabling forwarding host-wide is broader than what libvirt strictly needs: what actually gets forwarded is still decided by the FORWARD chain, so have a look at iptables -S FORWARD once the hook has run.
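To confirm that the hook has done its job, here is an added check script that is not part of the original post: it looks for libvirt’s FORWARD and MASQUERADE rules in an iptables-save dump and for IP forwarding being on, and reports what is missing. It assumes libvirt’s default bridge name virbr0 (override with the BRIDGE variable) and the iptables-save line format; the two rule dumps embedded in it are constructed samples, one taken before and one after a SuSEfirewall2 run.

```bash
#!/bin/bash
# Added example, not part of the original post: check whether the two things
# SuSEfirewall2 takes away from libvirt's NATed network are in place, i.e.
# the FORWARD/MASQUERADE rules and net.ipv4.ip_forward.
# Assumptions: the libvirt bridge is virbr0 (libvirt's default; override
# with BRIDGE) and the rule dump is in iptables-save format.

# Constructed sample in iptables-save format: the lines libvirt's default
# network leaves in the nat and filter tables (trimmed to the relevant ones).
SAMPLE_GOOD='*nat
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Constructed sample: the same host after SuSEfirewall2 has flushed
# everything and installed only its own chains.
SAMPLE_BAD='*nat
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -j input_ext
-A FORWARD -j DROP
COMMIT'

# Is a rule matching the extended regex $2 present in the dump $1?
has_rule() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# Report what guests behind bridge $1 are missing to reach the outside.
# $2 is an iptables-save dump, $3 the content of /proc/sys/net/ipv4/ip_forward.
# Returns 0 when everything is in place, 1 otherwise (one line per problem).
libvirt_nat_ok() {
    local br="$1" dump="$2" fwd="$3" rc=0
    has_rule "$dump" "^-A FORWARD .*-i $br .*-j ACCEPT" ||
        { echo "missing: FORWARD ACCEPT for traffic leaving $br"; rc=1; }
    has_rule "$dump" "^-A FORWARD .*-o $br .*-j ACCEPT" ||
        { echo "missing: FORWARD ACCEPT for replies entering $br"; rc=1; }
    has_rule "$dump" "^-A POSTROUTING .*-j MASQUERADE" ||
        { echo "missing: nat POSTROUTING MASQUERADE rule"; rc=1; }
    [ "$fwd" = 1 ] ||
        { echo "missing: net.ipv4.ip_forward is '$fwd', not 1"; rc=1; }
    return $rc
}

# Run against the live host with --live (needs root for iptables-save);
# without arguments, demonstrate on the constructed samples.
if [ "${1:-}" = "--live" ]; then
    libvirt_nat_ok "${BRIDGE:-virbr0}" "$(iptables-save)" \
        "$(cat /proc/sys/net/ipv4/ip_forward)"
else
    libvirt_nat_ok virbr0 "$SAMPLE_GOOD" 1 && echo "sample 1: guests can reach the outside"
    libvirt_nat_ok virbr0 "$SAMPLE_BAD" 0 || echo "sample 2: guests cut off, HUP libvirtd"
fi
```

Run it with --live after an interface flap or a manual SuSEfirewall2 restart; if it prints only the ip_forward line, the HUP worked but the forwarding sysctl was not restored, which is exactly the case the hook above covers.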
