Last, if in the VM I add "driver name='qemu'", after boot I have a few dropped packets, but then it doesn't increase anymore!
<interface type='network'>
<mac address='52:54:00:36:ac:80'/>
<source network='nat-internet' bridge='virbr1'/>
<target dev='vnet12'/>
<model type='virtio'/>
<driver name='qemu'/>
<alias name='net0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
> On 23 Jan 2016, at 10:58, pichon <patrick(a)pichon.me> wrote:
>
> Hello,
>
> I first have a question (and then maybe a problem) that I have difficulty understanding and eventually investigating.
>
> On each of my guest VMs, I constantly see the RX dropped count increasing, even if the VM does nothing!
>
> ifconfig
> eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> inet 192.168.100.15 netmask 255.255.255.0 broadcast 192.168.100.255
> inet6 fe80::5054:ff:fe36:ac80 prefixlen 64 scopeid 0x20<link>
> ether 52:54:00:36:ac:80 txqueuelen 1000 (Ethernet)
> RX packets 1966 bytes 122391 (119.5 KiB)
> RX errors 0 dropped 1288 overruns 0 frame 0
> TX packets 552 bytes 99939 (97.5 KiB)
> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
> inet 127.0.0.1 netmask 255.0.0.0
> inet6 ::1 prefixlen 128 scopeid 0x10<host>
> loop txqueuelen 0 (Local Loopback)
> RX packets 4 bytes 340 (340.0 B)
> RX errors 0 dropped 0 overruns 0 frame 0
> TX packets 4 bytes 340 (340.0 B)
> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
>
>
> (1) Is that a normal behaviour?
> (2) Could you give me some hints where/how to investigate?
>
>
> Here is some information:
>
> - The virsh LAN setup
> - The VM XML description
> - iptables-save on the hosts
> - and then some package versions
>
> Thanks in advance
> Patrick
>
>
>
> My setup is as follows:
>
> A host running Fedora 23 (minimal) and a VM guest running Fedora 23
>
> I have created 3 networks:
> - 2 fully isolated (mgt-private-lan and pre-private-lan)
> - 1 NAT via the host NIC
>
> Hereafter is the information related to the NAT network on which I see a consistent increase of RX dropped packets
>
> virsh net-list
> Name State Autostart Persistent
> ----------------------------------------------------------
> mgt-private-lan active yes yes
> nat-internet active yes yes
> prd-private-lan active yes yes
>
>
> virsh net-info nat-internet
> Name: nat-internet
> UUID: 4cff86b1-8e63-40be-ac9c-d3dcd405a9d3
> Active: yes
> Persistent: yes
> Autostart: yes
> Bridge: virbr1
>
>
>
> virsh net-dumpxml nat-internet
> <network connections='5'>
> <name>nat-internet</name>
> <uuid>4cff86b1-8e63-40be-ac9c-d3dcd405a9d3</uuid>
> <forward dev='eth0' mode='nat'>
> <nat>
> <port start='1024' end='65535'/>
> </nat>
> <interface dev='eth0'/>
> </forward>
> <bridge name='virbr1' stp='on' delay='0'/>
> <mac address='52:54:00:e4:ec:1b'/>
> <domain name='nat-internet'/>
> <ip address='192.168.100.1' netmask='255.255.255.0'>
> <dhcp>
> <range start='192.168.100.128' end='192.168.100.254'/>
> </dhcp>
> </ip>
> </network>
>
>
>
>
> Here is the XML of the VM
>
>
>
> [root@ks3 boot]# virsh dumpxml Network
> <domain type='kvm' id='5'>
> <name>Network</name>
> <uuid>006ec4e9-028c-4fef-94ec-4e9efbab61ff</uuid>
> <memory unit='KiB'>1048576</memory>
> <currentMemory unit='KiB'>1048576</currentMemory>
> <vcpu placement='static'>1</vcpu>
> <resource>
> <partition>/machine</partition>
> </resource>
> <os>
> <type arch='x86_64' machine='pc-i440fx-2.4'>hvm</type>
> <kernel>/var/lib/libvirt/boot/vmlinuz</kernel>
> <initrd>/var/lib/libvirt/boot/initramfs.img</initrd>
> <cmdline>root=/dev/vda selinux=0 audit=0 console=ttyS0 nosplash quiet</cmdline>
> <boot dev='hd'/>
> </os>
> <features>
> <acpi/>
> <apic/>
> </features>
> <cpu mode='custom' match='exact'>
> <model fallback='allow'>SandyBridge</model>
> </cpu>
> <clock offset='utc'>
> <timer name='rtc' tickpolicy='catchup'/>
> <timer name='pit' tickpolicy='delay'/>
> <timer name='hpet' present='no'/>
> </clock>
> <on_poweroff>destroy</on_poweroff>
> <on_reboot>restart</on_reboot>
> <on_crash>restart</on_crash>
> <pm>
> <suspend-to-mem enabled='no'/>
> <suspend-to-disk enabled='no'/>
> </pm>
> <devices>
> <emulator>/usr/bin/qemu-kvm</emulator>
> <disk type='block' device='disk'>
> <driver name='qemu' type='raw' cache='none' io='native'/>
> <source dev='/dev/vault-storage/network-root'/>
> <backingStore/>
> <target dev='vda' bus='virtio'/>
> <alias name='virtio-disk0'/>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
> </disk>
> <disk type='block' device='disk'>
> <driver name='qemu' type='raw' cache='none' io='native'/>
> <source dev='/dev/vault-storage/network-bootswap'/>
> <backingStore/>
> <target dev='vdb' bus='virtio'/>
> <alias name='virtio-disk1'/>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x09' function='0x0'/>
> </disk>
> <controller type='usb' index='0' model='ich9-ehci1'>
> <alias name='usb'/>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x7'/>
> </controller>
> <controller type='usb' index='0' model='ich9-uhci1'>
> <alias name='usb'/>
> <master startport='0'/>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0' multifunction='on'/>
> </controller>
> <controller type='usb' index='0' model='ich9-uhci2'>
> <alias name='usb'/>
> <master startport='2'/>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x1'/>
> </controller>
> <controller type='usb' index='0' model='ich9-uhci3'>
> <alias name='usb'/>
> <master startport='4'/>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x2'/>
> </controller>
> <controller type='pci' index='0' model='pci-root'>
> <alias name='pci.0'/>
> </controller>
> <controller type='virtio-serial' index='0'>
> <alias name='virtio-serial0'/>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
> </controller>
> <interface type='network'>
> <mac address='52:54:00:36:ac:80'/>
> <source network='nat-internet' bridge='virbr1'/>
> <target dev='vnet12'/>
> <model type='virtio'/>
> <alias name='net0'/>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
> </interface>
> <serial type='pty'>
> <source path='/dev/pts/5'/>
> <target port='0'/>
> <alias name='serial0'/>
> </serial>
> <console type='pty' tty='/dev/pts/5'>
> <source path='/dev/pts/5'/>
> <target type='serial' port='0'/>
> <alias name='serial0'/>
> </console>
> <channel type='unix'>
> <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/Network.org.qemu.guest_agent.0'/>
> <target type='virtio' name='org.qemu.guest_agent.0' state='connected'/>
> <alias name='channel0'/>
> <address type='virtio-serial' controller='0' bus='0' port='1'/>
> </channel>
> <input type='mouse' bus='ps2'/>
> <input type='keyboard' bus='ps2'/>
> <graphics type='spice' port='5904' autoport='yes' listen='127.0.0.1'>
> <listen type='address' address='127.0.0.1'/>
> </graphics>
> <video>
> <model type='cirrus' vram='16384' heads='1'/>
> <alias name='video0'/>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
> </video>
> <memballoon model='virtio'>
> <alias name='balloon0'/>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x0a' function='0x0'/>
> </memballoon>
> </devices>
> </domain>
>
>
> iptables-save
> # Generated by iptables-save v1.4.21 on Sat Jan 23 10:49:51 2016
> *nat
> :PREROUTING ACCEPT [14895:623423]
> :INPUT ACCEPT [12645:432591]
> :OUTPUT ACCEPT [123:8518]
> :POSTROUTING ACCEPT [595:37490]
> -A PREROUTING -d 151.80.45.157/32 -p tcp -m tcp --dport 6514 -j DNAT --to-destination 192.168.100.10:6514
> -A PREROUTING -d 151.80.45.157/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.12:80
> -A PREROUTING -d 151.80.45.157/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.100.12:443
> -A POSTROUTING -s 192.168.100.0/24 -d 224.0.0.0/24 -o eth0 -j RETURN
> -A POSTROUTING -s 192.168.100.0/24 -d 255.255.255.255/32 -o eth0 -j RETURN
> -A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -o eth0 -p tcp -j MASQUERADE --to-ports 1024-65535
> -A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -o eth0 -p udp -j MASQUERADE --to-ports 1024-65535
> -A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Sat Jan 23 10:49:51 2016
> # Generated by iptables-save v1.4.21 on Sat Jan 23 10:49:51 2016
> *mangle
> :PREROUTING ACCEPT [1212763:799851388]
> :INPUT ACCEPT [169753:18403044]
> :FORWARD ACCEPT [1043010:781448344]
> :OUTPUT ACCEPT [123913:208199933]
> :POSTROUTING ACCEPT [1166923:989648277]
> -A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> -A POSTROUTING -o virbr3 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> -A POSTROUTING -o virbr2 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> COMMIT
> # Completed on Sat Jan 23 10:49:51 2016
> # Generated by iptables-save v1.4.21 on Sat Jan 23 10:49:51 2016
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [120960:207745702]
> -A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
> -A INPUT -i virbr3 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i virbr3 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -i virbr3 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -i virbr3 -p tcp -m tcp --dport 67 -j ACCEPT
> -A INPUT -i virbr2 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -i virbr2 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -i virbr2 -p tcp -m tcp --dport 67 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET /w00tw00t.at.ISC.SANS." --algo bm --to 70 -j DROP
> -A INPUT -m set --match-set banned src -j DROP
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -d 192.168.100.12/32 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> -A FORWARD -d 192.168.100.12/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> -A FORWARD -d 192.168.100.10/32 -p tcp -m state --state NEW -m tcp --dport 6514 -j ACCEPT
> -A FORWARD -d 192.168.100.0/24 -i eth0 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 192.168.100.0/24 -i virbr1 -o eth0 -j ACCEPT
> -A FORWARD -i virbr1 -o virbr1 -j ACCEPT
> -A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr3 -o virbr3 -j ACCEPT
> -A FORWARD -o virbr3 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr3 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr2 -o virbr2 -j ACCEPT
> -A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -m set --match-set banned src -j DROP
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> -A OUTPUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
> -A OUTPUT -o virbr3 -p udp -m udp --dport 68 -j ACCEPT
> -A OUTPUT -o virbr2 -p udp -m udp --dport 68 -j ACCEPT
> COMMIT
> # Completed on Sat Jan 23 10:49:51 2016
>
>
>
> rpm -qa | grep libvirt
> libvirt-daemon-driver-nodedev-1.2.18.2-1.fc23.x86_64
> libvirt-daemon-driver-storage-1.2.18.2-1.fc23.x86_64
> libvirt-daemon-config-network-1.2.18.2-1.fc23.x86_64
> libvirt-daemon-1.2.18.2-1.fc23.x86_64
> libvirt-daemon-driver-secret-1.2.18.2-1.fc23.x86_64
> libvirt-daemon-driver-network-1.2.18.2-1.fc23.x86_64
> libvirt-daemon-driver-nwfilter-1.2.18.2-1.fc23.x86_64
> libvirt-daemon-driver-qemu-1.2.18.2-1.fc23.x86_64
> libvirt-daemon-kvm-1.2.18.2-1.fc23.x86_64
> libvirt-client-1.2.18.2-1.fc23.x86_64
> libvirt-daemon-driver-interface-1.2.18.2-1.fc23.x86_64
>
>
>
> rpm -qa | grep qemu
> qemu-common-2.4.1-5.fc23.x86_64
> qemu-kvm-2.4.1-5.fc23.x86_64
> qemu-img-2.4.1-5.fc23.x86_64
> ipxe-roms-qemu-20150407-3.gitdc795b9f.fc23.noarch
> libvirt-daemon-driver-qemu-1.2.18.2-1.fc23.x86_64
> qemu-system-x86-2.4.1-5.fc23.x86_64
>
>
> rpm -qa | grep kvm
> qemu-kvm-2.4.1-5.fc23.x86_64
> libvirt-daemon-kvm-1.2.18.2-1.fc23.x86_64
>
>
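A check that follows from the question above, added here as an example and not part of the thread: sample the guest NIC's rx_packets and rx_dropped counters from sysfs twice and report whether drops are still growing while the guest idles, which separates the "a few drops after boot, then stable" case from the "constantly increasing" one. The interface name, the sampling interval and the fallback values (constructed from the ifconfig numbers in the thread) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: sample a guest NIC's RX counters from
# sysfs and tell whether "dropped" is still growing while the guest idles.
# Interface name, interval and the constructed fallback values are assumptions.

# Read one statistics counter; when the interface is absent (e.g. running this
# offline), return the constructed fallback so the logic can still be exercised.
read_counter() {   # $1 = interface, $2 = counter name, $3 = fallback value
    f="/sys/class/net/$1/statistics/$2"
    if [ -r "$f" ]; then cat "$f"; else echo "$3"; fi
}

# Integer percentage of received frames that the kernel counted as dropped.
drop_ratio_pct() {  # $1 = rx_packets, $2 = rx_dropped
    if [ "$1" -gt 0 ]; then echo $(( 100 * $2 / $1 )); else echo 0; fi
}

# Compare two (rx_packets, rx_dropped) snapshots.  Prints "stable" when no
# new drops were counted, otherwise "increasing <drops> of <frames>".
classify_drops() {  # $1 = pkts_before, $2 = drop_before, $3 = pkts_after, $4 = drop_after
    new_pkts=$(( $3 - $1 ))
    new_drops=$(( $4 - $2 ))
    if [ "$new_drops" -le 0 ]; then
        echo "stable"
    else
        echo "increasing $new_drops of $new_pkts"
    fi
}

# Take two samples $2 seconds apart and print the verdict for interface $1.
# Fallback values are constructed from the thread's ifconfig output (1966/1288).
watch_drops() {     # $1 = interface, $2 = seconds between samples
    p0=$(read_counter "$1" rx_packets 1000)
    d0=$(read_counter "$1" rx_dropped 1200)
    sleep "$2"
    p1=$(read_counter "$1" rx_packets 1966)
    d1=$(read_counter "$1" rx_dropped 1288)
    echo "$1: rx_packets=$p1 rx_dropped=$d1 ($(drop_ratio_pct "$p1" "$d1")% of received)"
    echo "$1: $(classify_drops "$p0" "$d0" "$p1" "$d1") over ${2}s"
}

# Run only when explicitly asked, e.g.: IFACE=eth0 INTERVAL=30 sh watch_drops.sh
if [ -n "${IFACE:-}" ]; then
    watch_drops "$IFACE" "${INTERVAL:-10}"
fi
```

Run it inside the guest with the VM otherwise idle; a verdict of "stable" across several intervals matches the behaviour described at the top of this message, while a steadily increasing count reproduces the original report.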