Hello,

I have first a question (and then maybe a problem) that I have difficulties understanding and eventually investigating.

On each of my guest VMs, I see a RX dropped number constantly increasing, even if the VM does nothing!

ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.15  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::5054:ff:fe36:ac80  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:36:ac:80  txqueuelen 1000  (Ethernet)
        RX packets 1966  bytes 122391 (119.5 KiB)
        RX errors 0  dropped 1288  overruns 0  frame 0
        TX packets 552  bytes 99939 (97.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 4  bytes 340 (340.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 340 (340.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

(1) Is that a normal behaviour?
(2) Could you give me some hints where/how to investigate?

Here is some information:
- the virsh LAN setup
- the VM XML description
- iptables-save on the host
- and then some package versions

Thanks in advance
Patrick

My setup is as follows:

A host running Fedora 23 (minimal) and a VM guest running Fedora 23.

I have created 3 networks:
- 2 fully isolated (mgt-private-lan and prd-private-lan)
- 1 NAT via the host NIC

Here is the information related to the NAT network on which I have a consistent increase of RX dropped packets.

virsh net-list
 Name                 State      Autostart     Persistent
----------------------------------------------------------
 mgt-private-lan      active     yes           yes
 nat-internet         active     yes           yes
 prd-private-lan      active     yes           yes

virsh net-info nat-internet
Name:           nat-internet
UUID:           4cff86b1-8e63-40be-ac9c-d3dcd405a9d3
Active:         yes
Persistent:     yes
Autostart:      yes
Bridge:         virbr1

virsh net-dumpxml nat-internet
<network connections='5'>
  <name>nat-internet</name>
  <uuid>4cff86b1-8e63-40be-ac9c-d3dcd405a9d3</uuid>
  <forward dev='eth0' mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
    <interface dev='eth0'/>
  </forward>
  <bridge name='virbr1' stp='on' delay='0'/>
  <mac address='52:54:00:e4:ec:1b'/>
  <domain name='nat-internet'/>
  <ip address='192.168.100.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.100.128' end='192.168.100.254'/>
    </dhcp>
  </ip>
</network>

Here is the XML of the VM:

[root@ks3 boot]# virsh dumpxml Network
<domain type='kvm' id='5'>
  <name>Network</name>
  <uuid>006ec4e9-028c-4fef-94ec-4e9efbab61ff</uuid>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64' machine='pc-i440fx-2.4'>hvm</type>
    <kernel>/var/lib/libvirt/boot/vmlinuz</kernel>
    <initrd>/var/lib/libvirt/boot/initramfs.img</initrd>
    <cmdline>root=/dev/vda selinux=0 audit=0 console=ttyS0 nosplash quiet</cmdline>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
  <cpu mode='custom' match='exact'>
    <model fallback='allow'>SandyBridge</model>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/bin/qemu-kvm</emulator>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw' cache='none' io='native'/>
      <source dev='/dev/vault-storage/network-root'/>
      <backingStore/>
      <target dev='vda' bus='virtio'/>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
    </disk>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw' cache='none' io='native'/>
      <source dev='/dev/vault-storage/network-bootswap'/>
      <backingStore/>
      <target dev='vdb' bus='virtio'/>
      <alias name='virtio-disk1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x09' function='0x0'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <alias name='usb'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <alias name='usb'/>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <alias name='usb'/>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <alias name='usb'/>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'>
      <alias name='pci.0'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <alias name='virtio-serial0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:36:ac:80'/>
      <source network='nat-internet' bridge='virbr1'/>
      <target dev='vnet12'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/5'/>
      <target port='0'/>
      <alias name='serial0'/>
    </serial>
    <console type='pty' tty='/dev/pts/5'>
      <source path='/dev/pts/5'/>
      <target type='serial' port='0'/>
      <alias name='serial0'/>
    </console>
    <channel type='unix'>
      <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/Network.org.qemu.guest_agent.0'/>
      <target type='virtio' name='org.qemu.guest_agent.0' state='connected'/>
      <alias name='channel0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='spice' port='5904' autoport='yes' listen='127.0.0.1'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
    <video>
      <model type='cirrus' vram='16384' heads='1'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <alias name='balloon0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x0a' function='0x0'/>
    </memballoon>
  </devices>
</domain>

iptables-save
# Generated by iptables-save v1.4.21 on Sat Jan 23 10:49:51 2016
*nat
:PREROUTING ACCEPT [14895:623423]
:INPUT ACCEPT [12645:432591]
:OUTPUT ACCEPT [123:8518]
:POSTROUTING ACCEPT [595:37490]
-A PREROUTING -d 151.80.45.157/32 -p tcp -m tcp --dport 6514 -j DNAT --to-destination 192.168.100.10:6514
-A PREROUTING -d 151.80.45.157/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.12:80
-A PREROUTING -d 151.80.45.157/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.100.12:443
-A POSTROUTING -s 192.168.100.0/24 -d 224.0.0.0/24 -o eth0 -j RETURN
-A POSTROUTING -s 192.168.100.0/24 -d 255.255.255.255/32 -o eth0 -j RETURN
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -o eth0 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -o eth0 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Jan 23 10:49:51 2016
# Generated by iptables-save v1.4.21 on Sat Jan 23 10:49:51 2016
*mangle
:PREROUTING ACCEPT [1212763:799851388]
:INPUT ACCEPT [169753:18403044]
:FORWARD ACCEPT [1043010:781448344]
:OUTPUT ACCEPT [123913:208199933]
:POSTROUTING ACCEPT [1166923:989648277]
-A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr3 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr2 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sat Jan 23 10:49:51 2016
# Generated by iptables-save v1.4.21 on Sat Jan 23 10:49:51 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [120960:207745702]
-A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr3 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr3 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr3 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr3 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr2 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr2 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m string --string "GET /w00tw00t.at.ISC .SANS." --algo bm --to 70 -j DROP
-A INPUT -m set --match-set banned src -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.100.12/32 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 192.168.100.12/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.100.10/32 -p tcp -m state --state NEW -m tcp --dport 6514 -j ACCEPT
-A FORWARD -d 192.168.100.0/24 -i eth0 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -i virbr1 -o eth0 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr3 -o virbr3 -j ACCEPT
-A FORWARD -o virbr3 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr3 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr2 -o virbr2 -j ACCEPT
-A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m set --match-set banned src -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -o virbr3 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -o virbr2 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Sat Jan 23 10:49:51 2016

rpm -qa | grep libvirt
libvirt-daemon-driver-nodedev-1.2.18.2-1.fc23.x86_64
libvirt-daemon-driver-storage-1.2.18.2-1.fc23.x86_64
libvirt-daemon-config-network-1.2.18.2-1.fc23.x86_64
libvirt-daemon-1.2.18.2-1.fc23.x86_64
libvirt-daemon-driver-secret-1.2.18.2-1.fc23.x86_64
libvirt-daemon-driver-network-1.2.18.2-1.fc23.x86_64
libvirt-daemon-driver-nwfilter-1.2.18.2-1.fc23.x86_64
libvirt-daemon-driver-qemu-1.2.18.2-1.fc23.x86_64
libvirt-daemon-kvm-1.2.18.2-1.fc23.x86_64
libvirt-client-1.2.18.2-1.fc23.x86_64
libvirt-daemon-driver-interface-1.2.18.2-1.fc23.x86_64

rpm -qa | grep qemu
qemu-common-2.4.1-5.fc23.x86_64
qemu-kvm-2.4.1-5.fc23.x86_64
qemu-img-2.4.1-5.fc23.x86_64
ipxe-roms-qemu-20150407-3.gitdc795b9f.fc23.noarch
libvirt-daemon-driver-qemu-1.2.18.2-1.fc23.x86_64
qemu-system-x86-2.4.1-5.fc23.x86_64

rpm -qa | grep kvm
qemu-kvm-2.4.1-5.fc23.x86_64
libvirt-daemon-kvm-1.2.18.2-1.fc23.x86_64
Last, if in the VM I add driver name='qemu', after boot I have a few dropped packets, but then it doesn't increase anymore!

<interface type='network'>
  <mac address='52:54:00:36:ac:80'/>
  <source network='nat-internet' bridge='virbr1'/>
  <target dev='vnet12'/>
  <model type='virtio'/>
  <driver name='qemu'/>
  <alias name='net0'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>

> On 23 Jan 2016, at 10:58, pichon <patrick@pichon.me> wrote:
>
> Hello,
>
> I have first a question (and then maybe a problem) that I have difficulties understanding and eventually investigating.
>
> On each of my guest VMs, I see a RX dropped number constantly increasing, even if the VM does nothing!
>
> (1) Is that a normal behaviour?
Troels Arvin
2016-Jan-26 19:51 UTC
Re: [libvirt-users] RX dropped packets on guests subnets
Hello,

pichon wrote:
> On each of my guest VMs, I see a RX dropped number constantly increasing,
> even if the VM does nothing!

I'm seeing the same phenomenon on one of our LANs (on another LAN, I don't see it). My setup is with RHEL 7, and it is seen on both physical and virtual servers. I don't see it on any RHEL 5 or 6 servers.

A strange observation: if I start tcpdump, the packet drops stop. (Setting the NIC in promisc mode does not have any impact; it has to be tcpdump.)

I suspect that it has to do with this: https://www.netiq.com/support/kb/doc.php?id=7007165
If this is the case, it's simply because recent kernels classify packets, and then there's nothing to worry about.

- But Red Hat Support does not share that view. I have an open case with Red Hat Support about it; lots of stuff has been tried, but we have yet to reach a conclusion.

-- 
Troels
Hello,

I'm using the Fedora 23 distribution, with a recent kernel on all of my systems (VMs and physicals). I see the RX dropped packets only on VMs when I disable the virtio-net driver, by adding driver name='qemu' in the XML. But indeed, if I start tcpdump, the drops stop.

Patrick

> On 26 Jan 2016, at 20:51, Troels Arvin <troels@arvin.dk> wrote:
>
> I'm seeing the same phenomenon on one of our LANs (on another LAN, I
> don't see it). My setup is with RHEL 7, and it is seen on both physical
> and virtual servers. I don't see it on any RHEL 5 or 6 servers.
>
> A strange observation: if I start tcpdump, the packet drops stop.
> (Setting the NIC in promisc mode does not have any impact; it has to be
> tcpdump.)
Hello,

For me it makes sense that the drops stop when you are using tcpdump, as you are indeed taking those packets!

For me the main question is why such traffic is going to the VM?

Kind regards
Patrick

> On 26 Jan 2016, at 20:51, Troels Arvin <troels@arvin.dk> wrote:
>
> A strange observation: if I start tcpdump, the packet drops stop.
> (Setting the NIC in promisc mode does not have any impact; it has to be
> tcpdump.)
Arvin,

Thanks a lot for pointing to tcpdump. What I have observed is that the packets which seem to be dropped are STP related:

[root@network ~]# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:15:37.967118 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e4:ec:1b.8003, length 35
23:15:39.967163 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e4:ec:1b.8003, length 35
23:15:41.967121 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e4:ec:1b.8003, length 35
23:15:43.967147 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e4:ec:1b.8003, length 35
23:15:45.967118 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e4:ec:1b.8003, length 35
23:15:47.967156 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e4:ec:1b.8003, length 35
23:15:49.967131 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e4:ec:1b.8003, length 35
23:15:51.967132 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e4:ec:1b.8003, length 35
23:15:53.967195 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e4:ec:1b.8003, length 35
23:15:55.967138 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e4:ec:1b.8003, length 35
23:15:57.967165 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e4:ec:1b.8003, length 35

Now, my main issue is that I observe those packets also with the virtio-net driver disabled (with driver name=qemu), but in that case no packets are dropped.

So is that a different behaviour of virtio-net when it is in kernel mode and when it is in user space?

Patrick

> On 26 Jan 2016, at 20:51, Troels Arvin <troels@arvin.dk> wrote:
>
> A strange observation: if I start tcpdump, the packet drops stop.
> (Setting the NIC in promisc mode does not have any impact; it has to be
> tcpdump.)
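The thread stops once the STP BPDUs are identified but never ties them back to the counter. The script below is an added example, not code from the thread, that does that correlation offline: it reads two /proc/net/dev snapshots (the same counters ifconfig prints; the first copies the numbers from the original post, the second snapshot and the 60 s interval are constructed), counts Config BPDUs in tcpdump output (lines copied from the post above), decodes a raw 802.1d Config BPDU built to match what tcpdump showed, and checks whether the sender's bridge MAC is the `<mac address=.../>` that `virsh net-dumpxml nat-internet` lists for virbr1. All function and constant names are this example's own.

```python
import re
import struct

# Constructed inputs. The two /proc/net/dev snapshots are 60 s apart; the
# first copies the ifconfig counters from the original post (1966 packets,
# 1288 dropped), the second is made up for this example.
SAMPLE_INTERVAL_S = 60
PROC_NET_DEV_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:     340       4    0    0    0     0          0         0      340       4    0    0    0     0       0          0
  eth0:  122391    1966    0 1288    0     0          0         0    99939     552    0    0    0     0       0          0
"""
PROC_NET_DEV_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:     340       4    0    0    0     0          0         0      340       4    0    0    0     0       0          0
  eth0:  124191    1996    0 1318    0     0          0         0    99939     552    0    0    0     0       0          0
"""
# tcpdump lines as posted in the thread (six BPDUs, 10 s end to end).
TCPDUMP_STP = """\
23:15:37.967118 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e4:ec:1b.8003, length 35
23:15:39.967163 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e4:ec:1b.8003, length 35
23:15:41.967121 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e4:ec:1b.8003, length 35
23:15:43.967147 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e4:ec:1b.8003, length 35
23:15:45.967118 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e4:ec:1b.8003, length 35
23:15:47.967156 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e4:ec:1b.8003, length 35
"""
# <mac address=.../> that virsh net-dumpxml nat-internet shows for virbr1.
LIBVIRT_NET_MAC = '52:54:00:e4:ec:1b'

def parse_proc_net_dev(text):
    """Map ifname -> rx counters from /proc/net/dev (same counters ifconfig prints)."""
    stats = {}
    for line in text.splitlines()[2:]:          # skip the two header lines
        if ':' not in line:
            continue
        name, counters = line.split(':', 1)     # the kernel may omit the space after ':'
        f = [int(x) for x in counters.split()]
        stats[name.strip()] = {'rx_packets': f[1], 'rx_dropped': f[3]}
    return stats

def rx_dropped_rate(snap0, snap1, ifname, seconds):
    """Drops per second on ifname between two snapshots."""
    d0 = parse_proc_net_dev(snap0)[ifname]['rx_dropped']
    d1 = parse_proc_net_dev(snap1)[ifname]['rx_dropped']
    return (d1 - d0) / seconds

STP_LINE = re.compile(
    r'^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) STP 802\.1d, Config, .*'
    r'bridge-id (?P<prio>[0-9a-f]{4})\.(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\.(?P<port>[0-9a-f]{4})')

def stp_summary(text):
    """Count Config BPDUs in tcpdump output and derive the sender's hello time."""
    times, senders = [], set()
    for line in text.splitlines():
        m = STP_LINE.match(line)
        if m:
            times.append(int(m['h']) * 3600 + int(m['m']) * 60 + float(m['s']))
            senders.add((m['prio'], m['mac'], m['port']))
    hello = round((times[-1] - times[0]) / (len(times) - 1), 1) if len(times) > 1 else None
    return {'count': len(times), 'hello_s': hello, 'senders': senders}

def build_config_bpdu(bridge_mac, port_id=0x8003, priority=0x8000, hello_s=2):
    """Raw 35-byte 802.1d Config BPDU as a root bridge emits it (demo helper).
    Timer fields are in 1/256 s units per 802.1d."""
    bridge_id = struct.pack('!H6s', priority, bytes.fromhex(bridge_mac.replace(':', '')))
    return (struct.pack('!HBBB', 0, 0, 0, 0)      # protocol id, version, type=Config, flags
            + bridge_id                          # root id: virbr1 is its own root
            + struct.pack('!I', 0)               # root path cost
            + bridge_id                          # sender bridge id
            + struct.pack('!HHHHH', port_id, 0, 20 * 256, hello_s * 256, 15 * 256))

def parse_config_bpdu(bpdu):
    """Decode what tcpdump prints as 'bridge-id prio.mac.port' plus the hello time."""
    if len(bpdu) != 35:
        raise ValueError('not an 802.1d Config BPDU (length %d)' % len(bpdu))
    proto, _version, kind, _flags = struct.unpack_from('!HBBB', bpdu, 0)
    if proto != 0 or kind != 0:
        raise ValueError('not an 802.1d Config BPDU')
    prio, mac = struct.unpack_from('!H6s', bpdu, 17)
    port_id, _age, _max_age, hello, _fwd = struct.unpack_from('!HHHHH', bpdu, 25)
    mac_str = ':'.join('%02x' % b for b in mac)
    return {'bridge_id': '%04x.%s.%04x' % (prio, mac_str, port_id),
            'bridge_mac': mac_str, 'hello_s': hello / 256}

def explain_drops(drop_rate, stp, net_mac):
    """True when drops arrive at the BPDU rate and the BPDUs come from the host's own bridge."""
    from_host_bridge = any(mac == net_mac for _prio, mac, _port in stp['senders'])
    bpdu_rate = 1.0 / stp['hello_s'] if stp['hello_s'] else 0.0
    return {'from_host_bridge': from_host_bridge, 'bpdu_rate': bpdu_rate,
            'drop_rate': drop_rate,
            'explained_by_stp': from_host_bridge and abs(drop_rate - bpdu_rate) < 0.1}

if __name__ == '__main__':
    rate = rx_dropped_rate(PROC_NET_DEV_T0, PROC_NET_DEV_T1, 'eth0', SAMPLE_INTERVAL_S)
    stp = stp_summary(TCPDUMP_STP)
    print(parse_config_bpdu(build_config_bpdu(LIBVIRT_NET_MAC)))
    print(explain_drops(rate, stp, LIBVIRT_NET_MAC))
```

On a live guest, feed `rx_dropped_rate` two reads of /proc/net/dev (or /sys/class/net/eth0/statistics/rx_dropped) and `stp_summary` the output of `tcpdump -i eth0 -nn stp`; a drop rate of one per hello time from the bridge-id whose MAC is virbr1's is the STP explanation. Why the counter moves at all, and why tcpdump stops it: a Linux bridge with STP enabled sends a Config BPDU out every port each hello time (2 s here), and the guest kernel has no protocol handler registered for that LLC/STP frame. Since Linux 2.6.37 the core network stack counts a frame that no handler claims in the device's rx_dropped, which is why RHEL 7 shows it and RHEL 5/6 do not. tcpdump's AF_PACKET socket registers exactly such a handler, so the frame is delivered and the counter stands still, matching Troels's observation. The knob on the page's own side is the libvirt network definition: a bridge whose only ports are guest vNICs has no loop for STP to resolve, so `<bridge name='virbr1' stp='off' delay='0'/>` stops the BPDUs and also keeps the host bridge from acting on any BPDU a guest might send into it.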