Automatically add iptables rules when necessary for mbpr0 #3468

Open
nielsreijers opened this issue Apr 6, 2024 · 1 comment

nielsreijers (Contributor) commented Apr 6, 2024

What are you trying to do?
I started a multipass VM on Fedora 39. The VM started correctly, but didn't have IPv4 internet access. IPv6 did work. The result was that apt worked (over IPv6), but snap didn't because api.snapcraft.io doesn't have an IPv6 address.

After some searching this turned out to be caused by the default iptables DROP policy for the FORWARD chain. Apparently many other distributions use default ACCEPT, but it's DROP on Fedora, so the solution to the issue was to add ACCEPT rules for the mpbr0 interface, after which everything worked as expected:

```
iptables -A FORWARD -i mpbr0 -j ACCEPT
iptables -A FORWARD -o mpbr0 -j ACCEPT
```

What's your proposed solution?
Since mpbr0 was created by multipass at some point, I think multipass should check at that point if these rules should be added, and either

  • add them automatically,
  • or print a big warning to inform the user he needs to add these rules if he wants the VM to have internet access.

I'm just getting started with multipass, so I can't really judge what the best place in the code is to make this change. I'm just using the default settings to quickly spin up an Ubuntu instance, but I'm aware there are some settings to connect different interfaces and there are probably scenarios where multiple mpbrX interfaces are used, so those would have to be considered as well.

Additional context
For some reason Fedora has ACCEPT for all chains in ip6tables, and only DROPs the FORWARD chain in iptables, which is why IPv6 worked.
This may make sense to people more familiar with iptables. Personally I'm not familiar enough with it to explain that difference, but if multipass would add these rules for IPv4 (when necessary), it may be a good idea to future proof it and do the same for IPv6 at the same time.

nielsreijers added the enhancement and needs triage labels Apr 6, 2024

luis4a0 (Contributor) commented Apr 15, 2024

Hi @nielsreijers! Indeed, this needs to be addressed. We should fix this. In the meantime, we will document how to do this. Thanks!

luis4a0 removed the needs triage label Apr 15, 2024
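
The check proposed in the issue above, as an added example (not multipass code and not written by either commenter): it reads the output of `iptables -S FORWARD` and reports whether the two ACCEPT rules for the bridge are still needed. The function name `check_forward`, the status words it prints and the sample rule listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not multipass code. check_forward is a hypothetical helper.
# stdin: output of `iptables -S FORWARD` (same format for `ip6tables -S FORWARD`).
# $1:    bridge interface name, e.g. mpbr0.
# Prints one status word describing whether the issue's two rules are needed.
check_forward() {
    iface=$1
    policy="" has_in=no has_out=no
    while IFS= read -r line; do
        case $line in
            "-P FORWARD "*) policy=${line#-P FORWARD } ;;
            # Exact matches only: a rule with extra conditions (state, source
            # address, ...) is not the blanket ACCEPT the issue describes.
            "-A FORWARD -i $iface -j ACCEPT") has_in=yes ;;
            "-A FORWARD -o $iface -j ACCEPT") has_out=yes ;;
        esac
    done
    if [ -z "$policy" ]; then
        echo "unknown"          # no policy line: chain missing or empty input
    elif [ "$policy" = ACCEPT ]; then
        echo "policy-accept"    # default ACCEPT: nothing to add
    elif [ "$has_in" = yes ] && [ "$has_out" = yes ]; then
        echo "rules-present"
    elif [ "$has_in" = yes ]; then
        echo "missing-out"
    elif [ "$has_out" = yes ]; then
        echo "missing-in"
    else
        echo "missing-both"
    fi
}

# Constructed sample listings (not captured from a real host).
SAMPLE_BEFORE='-P FORWARD DROP
-A FORWARD -i virbr0 -j ACCEPT'
SAMPLE_AFTER="$SAMPLE_BEFORE
-A FORWARD -i mpbr0 -j ACCEPT
-A FORWARD -o mpbr0 -j ACCEPT"

printf '%s\n' "$SAMPLE_BEFORE" | check_forward mpbr0
printf '%s\n' "$SAMPLE_AFTER"  | check_forward mpbr0

# On a live host (as root): iptables -S FORWARD | check_forward mpbr0
```

The check ignores rule order, so a DROP or REJECT rule placed earlier in the chain can still block traffic even when it reports `rules-present`.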