Qemu-emulated NICs don't work for inter-VM traffic #700

Closed
marmarek opened this issue Mar 8, 2015 · 3 comments
Labels
C: Xen P: major Priority: major. Between "default" and "critical" in severity. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists.


marmarek commented Mar 8, 2015

Reported by joanna on 2 Jan 2013 11:25 UTC
Inter-appvm traffic doesn't work when one of the AppVMs is an HVM and uses qemu-emulated networking (this is the case e.g. when one has some older Linux distro as one of the HVMs).

Steps to reproduce:

  1. Install an older Linux distro as an HVM (I installed Ubuntu 10.04 i386)
  2. Start some normal AppVM
  3. Set up inter-appvm networking between the AppVM and the HVM, according to the instructions here: https://wiki.qubes-os.org/trac/wiki/QubesFirewall
  4. Try pinging the HVM from AppVM -- this should work
  5. Try ssh (or use any other tcp/udp connection, even netcat) to the HVM -- this would not work, surprisingly.

Note, if, instead of an older Ubuntu I use the very recent Ubuntu 12.10 (that has xen pv drivers built in), the above setup works fine.

Also, note that the networking in the HVM (the old Ubuntu) actually works fine -- I can e.g. browse the web fine. So, the traffic that comes from the outside world, and which arrives at the HVM interfaces, is processed fine. But the traffic (other than ICMP!) that arrives from other AppVMs (or even from the FirewallVM) is... discarded. Specifically, when I run tcpdump in the HVM, I can see the incoming SYN packets (e.g. to the SSH port) but I see neither SYN|ACK nor RST packets being generated in response. It seems like the HVM's kernel is discarding the incoming packets before sending them down the TCP stack (but, again, the ICMP request packets are processed correctly, and ICMP responses are generated).

Quite a strange case...

Migrated-From: https://wiki.qubes-os.org/ticket/700


marmarek commented Mar 8, 2015

Modified by joanna on 2 Jan 2013 11:33 UTC

@marmarek marmarek added this to the Release 2 Beta 2 milestone Mar 8, 2015
@marmarek marmarek added T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. C: Xen P: major Priority: major. Between "default" and "critical" in severity. labels Mar 8, 2015

marmarek commented Mar 8, 2015

Comment by marmarek on 8 Jan 2013 02:03 UTC
The problem looks to be non-working tx-checksumming offload in xen-netfront. When I turn it off in the source VM, TCP connections start working:

ethtool -K eth0 tx off

It worked for outside traffic because the real network device (in netvm) has this offload working, so it calculated the checksum correctly. ICMP was working most likely because it was calculated by the kernel, not left for the offload.
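The failure mode discussed in this thread, as an added example (not code from the issue or from the Qubes project): a TCP segment handed to TX checksum offload carries only a pseudo-header seed in its checksum field, so a receiver that validates it drops the SYN without answering unless a device on the path completes the sum. The addresses, ports and the model of the offload seed are assumptions made for illustration.

```python
import socket
import struct

def ones_sum(data: bytes) -> int:
    """Folded 16-bit one's-complement sum (RFC 1071), not inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def set_checksum(segment: bytes, value: int) -> bytes:
    # The TCP checksum field occupies bytes 16..17 of the header.
    return segment[:16] + struct.pack("!H", value) + segment[18:]

def build_syn(src, dst, sport, dport, offload: bool) -> bytes:
    # 20-byte TCP header: seq=1, ack=0, data offset 5, SYN, window 64240, checksum 0
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 64240, 0, 0)
    pseudo = pseudo_header(src, dst, len(seg))
    if offload:
        # Assumed model of TX offload: the stack stores only the pseudo-header
        # sum and expects the device to finish the checksum.
        return set_checksum(seg, ones_sum(pseudo))
    return set_checksum(seg, ~ones_sum(pseudo + seg) & 0xFFFF)

def device_completes(segment: bytes) -> bytes:
    """What a working NIC does: sum the segment (seed included) and invert."""
    return set_checksum(segment, ~ones_sum(segment) & 0xFFFF)

def checksum_ok(src, dst, segment: bytes) -> bool:
    """Receiver-side check: pseudo-header plus segment must sum to 0xFFFF."""
    return ones_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

# Constructed addresses and ports, for illustration only.
SRC, DST = "10.137.2.10", "10.137.2.11"
software = build_syn(SRC, DST, 40000, 22, offload=False)
partial = build_syn(SRC, DST, 40000, 22, offload=True)

if __name__ == "__main__":
    print("software checksum valid:", checksum_ok(SRC, DST, software))
    print("offload left incomplete:", checksum_ok(SRC, DST, partial))
    print("offload completed by NIC:", checksum_ok(SRC, DST, device_completes(partial)))
```

On a live system, `tcpdump -vv` on the receiving interface reports whether each captured TCP checksum is correct, which is the quickest way to confirm this condition.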

@marmarek marmarek closed this as completed Mar 8, 2015
DemiMarie added a commit to DemiMarie/qubes-core-agent-linux that referenced this issue Mar 18, 2022
Checksum offload was turned off in QubesOS/qubes-issues#700 due to a bug
that is unlikely to still be relevant.  Scatter-gather was turned off
for unclear reasons that are also unlikely to be relevant nowadays.
This should significantly improve networking performance.

Fixes QubesOS/qubes-issues#3510.
marmarek pushed a commit to QubesOS/qubes-core-agent-linux that referenced this issue Apr 13, 2022
Checksum offload was turned off in QubesOS/qubes-issues#700 due to a bug
that is unlikely to still be relevant.  Scatter-gather was turned off
for unclear reasons that are also unlikely to be relevant nowadays.
This should significantly improve networking performance.

Fixes QubesOS/qubes-issues#3510.

(cherry picked from commit 045e85e)