fix：修复持久化

spiritLHLS · spiritLHLS · commit 9fe4bdedef10 · 2026-04-13T22:59:04.000+08:00
diff --git a/README.md b/README.md
@@ -152,5 +152,9 @@ virtctl restart <vmname> -n kubevirt-vms
 
 1. 虚拟机首次启动需要等待镜像下载导入（根据网速可能需要 5-20 分钟）
 2. 宿主机需要开启 KVM 嵌套虚拟化或直接使用裸金属服务器
-3. 端口转发通过 iptables 实现，重启后自动通过 systemd 服务恢复
+3. 端口转发通过 iptables/nftables 实现（支持IPv4 + IPv6双栈）：
+   - 使用 systemd 服务在重启后自动恢复规则
+   - Debian/Ubuntu 系统自动安装 `iptables-persistent` 和 `netfilter-persistent`
+   - Red Hat/CentOS 系统自动安装 `iptables-services`
+   - 规则变更后自动持久化，确保重启后不失效
 4. 如需重置密码，通过 `virtctl console` 进入控制台手动修改
diff --git a/kubevirtinstall.sh b/kubevirtinstall.sh
@@ -387,8 +387,26 @@ setup_firewall_service() {
     # iptables 后端：安装 iptables-persistent 作为额外持久化
     if [ "$FW_BACKEND" = "iptables" ]; then
         if command -v apt-get >/dev/null 2>&1; then
-            _info "安装 iptables-persistent 用于规则持久化..."
-            DEBIAN_FRONTEND=noninteractive apt-get install -y -qq iptables-persistent 2>/dev/null || true
+            _info "安装 iptables-persistent 用于规则持久化（IPv4 + IPv6）..."
+            # 预配置避免安装时的交互提示
+            echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
+            echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
+            DEBIAN_FRONTEND=noninteractive apt-get install -y -qq iptables-persistent netfilter-persistent 2>/dev/null || true
+            # 启用并启动服务
+            systemctl enable netfilter-persistent 2>/dev/null || true
+            systemctl start netfilter-persistent 2>/dev/null || true
+            # 立即保存当前规则（IPv4 + IPv6）
+            netfilter-persistent save 2>/dev/null || true
+        elif command -v yum >/dev/null 2>&1; then
+            _info "安装 iptables-services 用于规则持久化（IPv4 + IPv6）..."
+            yum install -y -q iptables-services 2>/dev/null || true
+            # 立即保存当前规则
+            mkdir -p /etc/sysconfig
+            iptables-save > /etc/sysconfig/iptables 2>/dev/null || true
+            ip6tables-save > /etc/sysconfig/ip6tables 2>/dev/null || true
+            # 启用并启动服务
+            systemctl enable iptables ip6tables 2>/dev/null || true
+            systemctl start iptables ip6tables 2>/dev/null || true
         fi
     fi
 
diff --git a/kubevirtuninstall.sh b/kubevirtuninstall.sh
@@ -167,13 +167,15 @@ cleanup_firewall() {
     _step "清理端口转发规则..."
 
     if [ -f "$FIREWALL_LIB" ]; then
+        # 使用防火墙库清理（推荐，会自动持久化）
         fw_cleanup_all
     else
         # 回退：手动清理
         if command -v nft >/dev/null 2>&1; then
             nft delete table inet kubevirt 2>/dev/null || true
         fi
         if command -v iptables >/dev/null 2>&1; then
+            # 清理IPv4规则
             local chain
             for chain in PREROUTING OUTPUT POSTROUTING; do
                 local i=0
@@ -186,12 +188,36 @@ cleanup_firewall() {
                     i=$((i + 1))
                 done
             done
+            # 清理IPv6规则
+            if command -v ip6tables >/dev/null 2>&1; then
+                for chain in PREROUTING OUTPUT POSTROUTING; do
+                    local i=0
+                    while [ "$i" -lt 500 ]; do
+                        local rule_num
+                        rule_num=$(ip6tables -t nat -L "$chain" --line-numbers -n 2>/dev/null | \
+                            grep "KUBEVIRT-VM-" | head -1 | awk '{print $1}')
+                        [ -z "$rule_num" ] && break
+                        ip6tables -t nat -D "$chain" "$rule_num" 2>/dev/null || break
+                        i=$((i + 1))
+                    done
+                done
+            fi
+            # 持久化清理后的规则
+            if command -v netfilter-persistent >/dev/null 2>&1; then
+                netfilter-persistent save 2>/dev/null || true
+            elif [ -x /etc/init.d/iptables-persistent ]; then
+                /etc/init.d/iptables-persistent save 2>/dev/null || true
+            elif command -v iptables-save >/dev/null 2>&1; then
+                mkdir -p /etc/sysconfig
+                iptables-save > /etc/sysconfig/iptables 2>/dev/null || true
+                ip6tables-save > /etc/sysconfig/ip6tables 2>/dev/null || true
+            fi
         fi
     fi
     rm -f /etc/kubevirt/port-rules.conf
     rm -f /etc/kubevirt/iptables-rules
 
-    _info "防火墙规则清理完成"
+    _info "防火墙规则清理完成（已持久化）"
 }
 
 # ===== 停用并删除 systemd 服务 =====
@@ -293,10 +319,11 @@ print_summary() {
     echo "  ✓ CDI 组件"
     echo "  ✓ K3s Kubernetes 集群"
     echo "  ✓ virtctl 工具"
-    echo "  ✓ 端口转发规则（nftables/iptables）"
+    echo "  ✓ 端口转发规则（nftables/iptables，含持久化规则）"
     echo "  ✓ 相关配置文件"
     echo ""
     _warn "vmlog 文件未删除，如需清理请手动运行：rm -f vmlog"
+    _warn "iptables-persistent/netfilter-persistent 服务未卸载（可能有其他用途）"
     echo "======================================================"
 }
 
diff --git a/scripts/firewall.sh b/scripts/firewall.sh
@@ -146,10 +146,21 @@ _ipt_rebuild() {
 
 # ===== iptables: 通过 netfilter-persistent 保存规则 =====
 _ipt_save_persistent() {
+    # 方法1: netfilter-persistent (Debian/Ubuntu 推荐)
     if command -v netfilter-persistent >/dev/null 2>&1; then
         netfilter-persistent save 2>/dev/null || true
+    # 方法2: iptables-persistent 传统方式
     elif [ -x /etc/init.d/iptables-persistent ]; then
         /etc/init.d/iptables-persistent save 2>/dev/null || true
+    # 方法3: Red Hat/CentOS 方式
+    elif command -v iptables-save >/dev/null 2>&1; then
+        # 保存 IPv4 规则
+        mkdir -p /etc/sysconfig
+        iptables-save > /etc/sysconfig/iptables 2>/dev/null || true
+        # 保存 IPv6 规则（如果 ip6tables 可用）
+        if command -v ip6tables-save >/dev/null 2>&1; then
+            ip6tables-save > /etc/sysconfig/ip6tables 2>/dev/null || true
+        fi
     fi
 }
 
@@ -217,14 +228,39 @@ fw_clear_rules() {
 }
 
 # ===== 清除所有 KubeVirt 规则并清空状态文件 =====
+# 用于完全卸载时，删除所有KUBEVIRT相关的防火墙规则
+# 并持久化清理结果，确保重启后规则不会恢复
 fw_cleanup_all() {
     detect_fw_backend || return 0
 
     case "$FW_BACKEND" in
-        nftables) nft delete table inet kubevirt 2>/dev/null || true ;;
-        iptables) _ipt_flush ; _ipt_save_persistent ;;
+        nftables) 
+            nft delete table inet kubevirt 2>/dev/null || true 
+            ;;
+        iptables) 
+            # 清除IPv4规则
+            _ipt_flush
+            # 同时清除IPv6规则（如果存在）
+            if command -v ip6tables >/dev/null 2>&1; then
+                local chain
+                for chain in PREROUTING OUTPUT POSTROUTING; do
+                    local i=0
+                    while [ "$i" -lt 500 ]; do
+                        local rule_num
+                        rule_num=$(ip6tables -t nat -L "$chain" --line-numbers -n 2>/dev/null | \
+                            grep "KUBEVIRT-VM-" | head -1 | awk '{print $1}')
+                        [ -z "$rule_num" ] && break
+                        ip6tables -t nat -D "$chain" "$rule_num" 2>/dev/null || break
+                        i=$((i + 1))
+                    done
+                done
+            fi
+            # 持久化清理后的规则（IPv4 + IPv6）
+            _ipt_save_persistent
+            ;;
     esac
 
+    # 清空状态文件
     [ -f "$KUBEVIRT_PORT_RULES" ] && : > "$KUBEVIRT_PORT_RULES"
 }
 
