[libvirt-users] RX dropped packets on guests subnets

pichon patrick at pichon.me
Sat Jan 23 09:58:39 UTC 2016


Hello,

First I have a question (and then maybe a problem) that I have difficulty understanding and eventually investigating.

On each of my guest VMs, I constantly see the RX dropped number increasing, even if the VM does nothing!

ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.15  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::5054:ff:fe36:ac80  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:36:ac:80  txqueuelen 1000  (Ethernet)
        RX packets 1966  bytes 122391 (119.5 KiB)
        RX errors 0  dropped 1288  overruns 0  frame 0
        TX packets 552  bytes 99939 (97.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 4  bytes 340 (340.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 340 (340.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0



(1) Is that normal behaviour?
(2) Could you give me some hints on where/how to investigate?


Here is some information:

- The virsh LAN setup
- The VM XML description
- iptables-save on the hosts
- and then some package versions

Thanks in advance
Patrick



My setup is as follows:

A host running Fedora 23 (minimal) and a VM guest running Fedora 23.

I have created 3 networks:
- 2 fully isolated (mgt-private-lan and prd-private-lan)
- 1 NAT via the host NIC

Hereafter is the information related to the NAT network on which I have a consistent increase of RX dropped packets:

virsh net-list
 Name                 State      Autostart     Persistent
----------------------------------------------------------
 mgt-private-lan      active     yes           yes
 nat-internet         active     yes           yes
 prd-private-lan      active     yes           yes


 virsh net-info nat-internet
Name:           nat-internet
UUID:           4cff86b1-8e63-40be-ac9c-d3dcd405a9d3
Active:         yes
Persistent:     yes
Autostart:      yes
Bridge:         virbr1



virsh net-dumpxml  nat-internet
<network connections='5'>
  <name>nat-internet</name>
  <uuid>4cff86b1-8e63-40be-ac9c-d3dcd405a9d3</uuid>
  <forward dev='eth0' mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
    <interface dev='eth0'/>
  </forward>
  <bridge name='virbr1' stp='on' delay='0'/>
  <mac address='52:54:00:e4:ec:1b'/>
  <domain name='nat-internet'/>
  <ip address='192.168.100.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.100.128' end='192.168.100.254'/>
    </dhcp>
  </ip>
</network>




Here is the XML of the VM:



[root at ks3 boot]# virsh dumpxml Network
<domain type='kvm' id='5'>
  <name>Network</name>
  <uuid>006ec4e9-028c-4fef-94ec-4e9efbab61ff</uuid>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64' machine='pc-i440fx-2.4'>hvm</type>
    <kernel>/var/lib/libvirt/boot/vmlinuz</kernel>
    <initrd>/var/lib/libvirt/boot/initramfs.img</initrd>
    <cmdline>root=/dev/vda selinux=0 audit=0 console=ttyS0 nosplash quiet</cmdline>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
  <cpu mode='custom' match='exact'>
    <model fallback='allow'>SandyBridge</model>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/bin/qemu-kvm</emulator>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw' cache='none' io='native'/>
      <source dev='/dev/vault-storage/network-root'/>
      <backingStore/>
      <target dev='vda' bus='virtio'/>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
    </disk>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw' cache='none' io='native'/>
      <source dev='/dev/vault-storage/network-bootswap'/>
      <backingStore/>
      <target dev='vdb' bus='virtio'/>
      <alias name='virtio-disk1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x09' function='0x0'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <alias name='usb'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <alias name='usb'/>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <alias name='usb'/>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <alias name='usb'/>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'>
      <alias name='pci.0'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <alias name='virtio-serial0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:36:ac:80'/>
      <source network='nat-internet' bridge='virbr1'/>
      <target dev='vnet12'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/5'/>
      <target port='0'/>
      <alias name='serial0'/>
    </serial>
    <console type='pty' tty='/dev/pts/5'>
      <source path='/dev/pts/5'/>
      <target type='serial' port='0'/>
      <alias name='serial0'/>
    </console>
    <channel type='unix'>
      <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/Network.org.qemu.guest_agent.0'/>
      <target type='virtio' name='org.qemu.guest_agent.0' state='connected'/>
      <alias name='channel0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='spice' port='5904' autoport='yes' listen='127.0.0.1'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
    <video>
      <model type='cirrus' vram='16384' heads='1'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <alias name='balloon0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x0a' function='0x0'/>
    </memballoon>
  </devices>
</domain>


 iptables-save
# Generated by iptables-save v1.4.21 on Sat Jan 23 10:49:51 2016
*nat
:PREROUTING ACCEPT [14895:623423]
:INPUT ACCEPT [12645:432591]
:OUTPUT ACCEPT [123:8518]
:POSTROUTING ACCEPT [595:37490]
-A PREROUTING -d 151.80.45.157/32 -p tcp -m tcp --dport 6514 -j DNAT --to-destination 192.168.100.10:6514
-A PREROUTING -d 151.80.45.157/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.12:80
-A PREROUTING -d 151.80.45.157/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.100.12:443
-A POSTROUTING -s 192.168.100.0/24 -d 224.0.0.0/24 -o eth0 -j RETURN
-A POSTROUTING -s 192.168.100.0/24 -d 255.255.255.255/32 -o eth0 -j RETURN
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -o eth0 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -o eth0 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Jan 23 10:49:51 2016
# Generated by iptables-save v1.4.21 on Sat Jan 23 10:49:51 2016
*mangle
:PREROUTING ACCEPT [1212763:799851388]
:INPUT ACCEPT [169753:18403044]
:FORWARD ACCEPT [1043010:781448344]
:OUTPUT ACCEPT [123913:208199933]
:POSTROUTING ACCEPT [1166923:989648277]
-A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr3 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr2 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sat Jan 23 10:49:51 2016
# Generated by iptables-save v1.4.21 on Sat Jan 23 10:49:51 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [120960:207745702]
-A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr3 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr3 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr3 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr3 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr2 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr2 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m string --string "GET /w00tw00t.at.ISC .SANS." --algo bm --to 70 -j DROP
-A INPUT -m set --match-set banned src -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.100.12/32 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 192.168.100.12/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.100.10/32 -p tcp -m state --state NEW -m tcp --dport 6514 -j ACCEPT
-A FORWARD -d 192.168.100.0/24 -i eth0 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -i virbr1 -o eth0 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr3 -o virbr3 -j ACCEPT
-A FORWARD -o virbr3 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr3 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr2 -o virbr2 -j ACCEPT
-A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m set --match-set banned src -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -o virbr3 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -o virbr2 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Sat Jan 23 10:49:51 2016



rpm -qa | grep libvirt
libvirt-daemon-driver-nodedev-1.2.18.2-1.fc23.x86_64
libvirt-daemon-driver-storage-1.2.18.2-1.fc23.x86_64
libvirt-daemon-config-network-1.2.18.2-1.fc23.x86_64
libvirt-daemon-1.2.18.2-1.fc23.x86_64
libvirt-daemon-driver-secret-1.2.18.2-1.fc23.x86_64
libvirt-daemon-driver-network-1.2.18.2-1.fc23.x86_64
libvirt-daemon-driver-nwfilter-1.2.18.2-1.fc23.x86_64
libvirt-daemon-driver-qemu-1.2.18.2-1.fc23.x86_64
libvirt-daemon-kvm-1.2.18.2-1.fc23.x86_64
libvirt-client-1.2.18.2-1.fc23.x86_64
libvirt-daemon-driver-interface-1.2.18.2-1.fc23.x86_64



rpm -qa | grep qemu
qemu-common-2.4.1-5.fc23.x86_64
qemu-kvm-2.4.1-5.fc23.x86_64
qemu-img-2.4.1-5.fc23.x86_64
ipxe-roms-qemu-20150407-3.gitdc795b9f.fc23.noarch
libvirt-daemon-driver-qemu-1.2.18.2-1.fc23.x86_64
qemu-system-x86-2.4.1-5.fc23.x86_64


rpm -qa | grep kvm
qemu-kvm-2.4.1-5.fc23.x86_64
libvirt-daemon-kvm-1.2.18.2-1.fc23.x86_64





