[libvirt-users] RX dropped packets on guests subnets

pichon patrick at pichon.me
Sat Jan 23 10:10:42 UTC 2016


Last, if in the VM I add "driver name = 'emu'", after boot I have a few dropped packets, but then it doesn't increase anymore!

> 
>    <interface type='network'>
>      <mac address='52:54:00:36:ac:80'/>
>      <source network='nat-internet' bridge='virbr1'/>
>      <target dev='vnet12'/>
>      <model type='virtio'/>
        <driver name='emu'/>
>      <alias name='net0'/>
>      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
>    </interface>





> On 23 Jan 2016, at 10:58, pichon <patrick at pichon.me> wrote:
> 
> Hello,
> 
> I first have a question (and then maybe a problem) that I have difficulty understanding and eventually investigating.
> 
> On each of my guest VMs, I constantly see the RX dropped number increasing, even if the VM does nothing!
> 
> ifconfig
> eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>        inet 192.168.100.15  netmask 255.255.255.0  broadcast 192.168.100.255
>        inet6 fe80::5054:ff:fe36:ac80  prefixlen 64  scopeid 0x20<link>
>        ether 52:54:00:36:ac:80  txqueuelen 1000  (Ethernet)
>        RX packets 1966  bytes 122391 (119.5 KiB)
>        RX errors 0  dropped 1288  overruns 0  frame 0
>        TX packets 552  bytes 99939 (97.5 KiB)
>        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> 
> lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
>        inet 127.0.0.1  netmask 255.0.0.0
>        inet6 ::1  prefixlen 128  scopeid 0x10<host>
>        loop  txqueuelen 0  (Local Loopback)
>        RX packets 4  bytes 340 (340.0 B)
>        RX errors 0  dropped 0  overruns 0  frame 0
>        TX packets 4  bytes 340 (340.0 B)
>        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> 
> 
> 
> (1) Is that normal behaviour?
> (2) Could you give me some hints on where/how to investigate?
> 
> 
> Here is some information:
> 
> - The virsh LAN setup
> - The VM XML description
> - iptables-save on the hosts
> - and then some package versions
> 
> Thanks in advance
> Patrick
> 
> 
> 
> My setup is as follows:
> 
> A host running Fedora 23 (minimal) and a VM guest running Fedora 23
> 
> I have created 3 networks:
> - 2 fully isolated (mgt-private-lan and prd-private-lan)
> - 1 NAT via the host NIC
> 
> Hereafter is the information related to the NAT network on which I have a consistent increase of RX dropped packets:
> 
> virsh net-list
> Name                 State      Autostart     Persistent
> ----------------------------------------------------------
> mgt-private-lan      active     yes           yes
> nat-internet         active     yes           yes
> prd-private-lan      active     yes           yes
> 
> 
> virsh net-info nat-internet
> Name:           nat-internet
> UUID:           4cff86b1-8e63-40be-ac9c-d3dcd405a9d3
> Active:         yes
> Persistent:     yes
> Autostart:      yes
> Bridge:         virbr1
> 
> 
> 
> virsh net-dumpxml  nat-internet
> <network connections='5'>
>  <name>nat-internet</name>
>  <uuid>4cff86b1-8e63-40be-ac9c-d3dcd405a9d3</uuid>
>  <forward dev='eth0' mode='nat'>
>    <nat>
>      <port start='1024' end='65535'/>
>    </nat>
>    <interface dev='eth0'/>
>  </forward>
>  <bridge name='virbr1' stp='on' delay='0'/>
>  <mac address='52:54:00:e4:ec:1b'/>
>  <domain name='nat-internet'/>
>  <ip address='192.168.100.1' netmask='255.255.255.0'>
>    <dhcp>
>      <range start='192.168.100.128' end='192.168.100.254'/>
>    </dhcp>
>  </ip>
> </network>
> 
> 
> 
> 
> Here is the XML of the VM:
> 
> 
> 
> [root at ks3 boot]# virsh dumpxml Network
> <domain type='kvm' id='5'>
>  <name>Network</name>
>  <uuid>006ec4e9-028c-4fef-94ec-4e9efbab61ff</uuid>
>  <memory unit='KiB'>1048576</memory>
>  <currentMemory unit='KiB'>1048576</currentMemory>
>  <vcpu placement='static'>1</vcpu>
>  <resource>
>    <partition>/machine</partition>
>  </resource>
>  <os>
>    <type arch='x86_64' machine='pc-i440fx-2.4'>hvm</type>
>    <kernel>/var/lib/libvirt/boot/vmlinuz</kernel>
>    <initrd>/var/lib/libvirt/boot/initramfs.img</initrd>
>    <cmdline>root=/dev/vda selinux=0 audit=0 console=ttyS0 nosplash quiet</cmdline>
>    <boot dev='hd'/>
>  </os>
>  <features>
>    <acpi/>
>    <apic/>
>  </features>
>  <cpu mode='custom' match='exact'>
>    <model fallback='allow'>SandyBridge</model>
>  </cpu>
>  <clock offset='utc'>
>    <timer name='rtc' tickpolicy='catchup'/>
>    <timer name='pit' tickpolicy='delay'/>
>    <timer name='hpet' present='no'/>
>  </clock>
>  <on_poweroff>destroy</on_poweroff>
>  <on_reboot>restart</on_reboot>
>  <on_crash>restart</on_crash>
>  <pm>
>    <suspend-to-mem enabled='no'/>
>    <suspend-to-disk enabled='no'/>
>  </pm>
>  <devices>
>    <emulator>/usr/bin/qemu-kvm</emulator>
>    <disk type='block' device='disk'>
>      <driver name='qemu' type='raw' cache='none' io='native'/>
>      <source dev='/dev/vault-storage/network-root'/>
>      <backingStore/>
>      <target dev='vda' bus='virtio'/>
>      <alias name='virtio-disk0'/>
>      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
>    </disk>
>    <disk type='block' device='disk'>
>      <driver name='qemu' type='raw' cache='none' io='native'/>
>      <source dev='/dev/vault-storage/network-bootswap'/>
>      <backingStore/>
>      <target dev='vdb' bus='virtio'/>
>      <alias name='virtio-disk1'/>
>      <address type='pci' domain='0x0000' bus='0x00' slot='0x09' function='0x0'/>
>    </disk>
>    <controller type='usb' index='0' model='ich9-ehci1'>
>      <alias name='usb'/>
>      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x7'/>
>    </controller>
>    <controller type='usb' index='0' model='ich9-uhci1'>
>      <alias name='usb'/>
>      <master startport='0'/>
>      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0' multifunction='on'/>
>    </controller>
>    <controller type='usb' index='0' model='ich9-uhci2'>
>      <alias name='usb'/>
>      <master startport='2'/>
>      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x1'/>
>    </controller>
>    <controller type='usb' index='0' model='ich9-uhci3'>
>      <alias name='usb'/>
>      <master startport='4'/>
>      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x2'/>
>    </controller>
>    <controller type='pci' index='0' model='pci-root'>
>      <alias name='pci.0'/>
>    </controller>
>    <controller type='virtio-serial' index='0'>
>      <alias name='virtio-serial0'/>
>      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
>    </controller>
>    <interface type='network'>
>      <mac address='52:54:00:36:ac:80'/>
>      <source network='nat-internet' bridge='virbr1'/>
>      <target dev='vnet12'/>
>      <model type='virtio'/>
>      <alias name='net0'/>
>      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
>    </interface>
>    <serial type='pty'>
>      <source path='/dev/pts/5'/>
>      <target port='0'/>
>      <alias name='serial0'/>
>    </serial>
>    <console type='pty' tty='/dev/pts/5'>
>      <source path='/dev/pts/5'/>
>      <target type='serial' port='0'/>
>      <alias name='serial0'/>
>    </console>
>    <channel type='unix'>
>      <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/Network.org.qemu.guest_agent.0'/>
>      <target type='virtio' name='org.qemu.guest_agent.0' state='connected'/>
>      <alias name='channel0'/>
>      <address type='virtio-serial' controller='0' bus='0' port='1'/>
>    </channel>
>    <input type='mouse' bus='ps2'/>
>    <input type='keyboard' bus='ps2'/>
>    <graphics type='spice' port='5904' autoport='yes' listen='127.0.0.1'>
>      <listen type='address' address='127.0.0.1'/>
>    </graphics>
>    <video>
>      <model type='cirrus' vram='16384' heads='1'/>
>      <alias name='video0'/>
>      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
>    </video>
>    <memballoon model='virtio'>
>      <alias name='balloon0'/>
>      <address type='pci' domain='0x0000' bus='0x00' slot='0x0a' function='0x0'/>
>    </memballoon>
>  </devices>
> </domain>
> 
> 
> iptables-save
> # Generated by iptables-save v1.4.21 on Sat Jan 23 10:49:51 2016
> *nat
> :PREROUTING ACCEPT [14895:623423]
> :INPUT ACCEPT [12645:432591]
> :OUTPUT ACCEPT [123:8518]
> :POSTROUTING ACCEPT [595:37490]
> -A PREROUTING -d 151.80.45.157/32 -p tcp -m tcp --dport 6514 -j DNAT --to-destination 192.168.100.10:6514
> -A PREROUTING -d 151.80.45.157/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.12:80
> -A PREROUTING -d 151.80.45.157/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.100.12:443
> -A POSTROUTING -s 192.168.100.0/24 -d 224.0.0.0/24 -o eth0 -j RETURN
> -A POSTROUTING -s 192.168.100.0/24 -d 255.255.255.255/32 -o eth0 -j RETURN
> -A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -o eth0 -p tcp -j MASQUERADE --to-ports 1024-65535
> -A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -o eth0 -p udp -j MASQUERADE --to-ports 1024-65535
> -A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Sat Jan 23 10:49:51 2016
> # Generated by iptables-save v1.4.21 on Sat Jan 23 10:49:51 2016
> *mangle
> :PREROUTING ACCEPT [1212763:799851388]
> :INPUT ACCEPT [169753:18403044]
> :FORWARD ACCEPT [1043010:781448344]
> :OUTPUT ACCEPT [123913:208199933]
> :POSTROUTING ACCEPT [1166923:989648277]
> -A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> -A POSTROUTING -o virbr3 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> -A POSTROUTING -o virbr2 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> COMMIT
> # Completed on Sat Jan 23 10:49:51 2016
> # Generated by iptables-save v1.4.21 on Sat Jan 23 10:49:51 2016
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [120960:207745702]
> -A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
> -A INPUT -i virbr3 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i virbr3 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -i virbr3 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -i virbr3 -p tcp -m tcp --dport 67 -j ACCEPT
> -A INPUT -i virbr2 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -i virbr2 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -i virbr2 -p tcp -m tcp --dport 67 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET /w00tw00t.at.ISC .SANS." --algo bm --to 70 -j DROP
> -A INPUT -m set --match-set banned src -j DROP
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -d 192.168.100.12/32 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> -A FORWARD -d 192.168.100.12/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> -A FORWARD -d 192.168.100.10/32 -p tcp -m state --state NEW -m tcp --dport 6514 -j ACCEPT
> -A FORWARD -d 192.168.100.0/24 -i eth0 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 192.168.100.0/24 -i virbr1 -o eth0 -j ACCEPT
> -A FORWARD -i virbr1 -o virbr1 -j ACCEPT
> -A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr3 -o virbr3 -j ACCEPT
> -A FORWARD -o virbr3 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr3 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr2 -o virbr2 -j ACCEPT
> -A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -m set --match-set banned src -j DROP
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> -A OUTPUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
> -A OUTPUT -o virbr3 -p udp -m udp --dport 68 -j ACCEPT
> -A OUTPUT -o virbr2 -p udp -m udp --dport 68 -j ACCEPT
> COMMIT
> # Completed on Sat Jan 23 10:49:51 2016
> 
> 
> 
> rpm -qa | grep libvirt
> libvirt-daemon-driver-nodedev-1.2.18.2-1.fc23.x86_64
> libvirt-daemon-driver-storage-1.2.18.2-1.fc23.x86_64
> libvirt-daemon-config-network-1.2.18.2-1.fc23.x86_64
> libvirt-daemon-1.2.18.2-1.fc23.x86_64
> libvirt-daemon-driver-secret-1.2.18.2-1.fc23.x86_64
> libvirt-daemon-driver-network-1.2.18.2-1.fc23.x86_64
> libvirt-daemon-driver-nwfilter-1.2.18.2-1.fc23.x86_64
> libvirt-daemon-driver-qemu-1.2.18.2-1.fc23.x86_64
> libvirt-daemon-kvm-1.2.18.2-1.fc23.x86_64
> libvirt-client-1.2.18.2-1.fc23.x86_64
> libvirt-daemon-driver-interface-1.2.18.2-1.fc23.x86_64
> 
> 
> 
> rpm -qa | grep qemu
> qemu-common-2.4.1-5.fc23.x86_64
> qemu-kvm-2.4.1-5.fc23.x86_64
> qemu-img-2.4.1-5.fc23.x86_64
> ipxe-roms-qemu-20150407-3.gitdc795b9f.fc23.noarch
> libvirt-daemon-driver-qemu-1.2.18.2-1.fc23.x86_64
> qemu-system-x86-2.4.1-5.fc23.x86_64
> 
> 
> rpm -qa | grep kvm
> qemu-kvm-2.4.1-5.fc23.x86_64
> libvirt-daemon-kvm-1.2.18.2-1.fc23.x86_64
> 
> 




