[libvirt PATCH 2/2] nwfilter: Use immediate paket delivery mode rather than buffering

Eric Blake eblake at redhat.com
Thu Jan 30 15:15:27 UTC 2020

On 1/30/20 8:43 AM, Erik Skultety wrote:
> Our nwfilter code doesn't set any timeout on the pcap paket buffer which


> means that when DHCP snooping is enabled on a guest interface and
> libvirt is trying to learn the IP address from guest's DHCP traffic, it
> takes up to 4x longer to ping a guest successfully compared to a case
> where nwfilter isn't enabled at all or libvirt uses the cached nwfilter
> leases to populate the corresponding rules to ebtables.
> With the pcap filter and rate limiting already in place, we should be
> able to afford enabling the immediate paket delivery, FWIW immediate


> mode was actually the default prior libpcap-1.5.0 (CentOS 6) regardless
> of whether a buffer was requested.
> The lack of any kind of timeout on the pcap buffer messed with the
> libvirt TCK test suite which, even with a generous timeout in place,
> timeouts every single time simply because it takes a while until
> guest actually starts producing any kind of traffic to fill up
> the buffer in place (appart from the DHCP traffic which happens fairly


> early on).
> Signed-off-by: Erik Skultety <eskultet at redhat.com>
> ---

Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org

More information about the libvir-list mailing list