Improper TCP/IP packet splitting on e1000e/vmxnet3
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
QEMU |
Expired
|
Undecided
|
Unassigned |
Bug Description
Update: The sw implementation of fragmentation also creates malformed IPv6 packets when their size is above the MTU. See comment #3
Problem Description:
When using a tap interface and the guest sends a TCP packet that would need to be segmented, it is fragmented using IP fragmentation. The host does not reassemble the IP fragments and forwards them to the next hop. This causes issues on certain ISPs, which seemingly reject IP fragments(Verizon Fios).
This issue occurs on the e1000e and vmxnet3 NIC models, and possibly others. It does not occur on the virtio(which passes the entire packet through to the host w/o fragmentation or segmentation) or the e1000 model().
Test scenario:
Setup a tap and network bridge using the directions here: https:/
Boot the machine into any modern guest(a Fedora 31 live iso was used for testing)
Begin a wireshark capture on the host machine
On the host(or another machine on the network) run: npx http-echo-
On the guest run
Curl -d “Lorem ipsum dolor sit amet, consectetur adipiscing elit. Maecenas venenatis viverra ipsum, ac tincidunt est rhoncus eu. Suspendisse vehicula congue ante, non rhoncus elit tempus vitae. Duis ac leo massa. Donec rutrum condimentum turpis nec ultricies. Duis laoreet elit eu arcu pulvinar, vitae congue neque mattis. Mauris sed ante nunc. Vestibulum vitae urna a tellus maximus sagittis. Vivamus luctus pellentesque neque, vel tempor purus porta ut. Phasellus at quam bibendum, fermentum libero sit amet, ullamcorper mauris. In rutrum sit amet dui id maximus. Ut lectus ligula, hendrerit nec aliquam non, finibus a turpis. Proin scelerisque convallis ante, et pharetra elit. Donec nunc nisl, viverra vitae dui at, posuere rhoncus nibh. Mauris in massa quis neque posuere placerat quis quis massa. Donec quis lacus ligula. Donec mollis vel nisi eget elementum. Nam id magna porta nunc consectetur efficitur ac quis lorem. Cras faucibus vel ex porttitor mattis. Praesent in mattis tortor. In venenatis convallis quam, in posuere nibh. Proin non dignissim massa. Cras at mi ut lorem tristique fringilla. Nulla ac quam condimentum metus tincidunt vulputate ut at leo. Nunc pellentesque, nunc vel rhoncus condimentum, arcu sem molestie augue, in suscipit mauris odio mollis odio. Integer hendrerit lectus a leo facilisis, in accumsan urna maximus. Nam nec odio volutpat, varius est id, tempus libero. Vestibulum lobortis tortor quam, ac scelerisque urna rhoncus in. Etiam tempor, est sit amet vulputate molestie, urna neque sodales leo, sit amet blandit risus felis sed est. Nulla eu eros nec tortor dapibus maximus faucibus ut erat. Ut pharetra tempor massa in bibendum. Interdum et malesuada fames ac ante ipsum primis in faucibus. Etiam mattis molestie felis eu efficitur. Morbi tincidunt consectetur diam tincidunt feugiat. Morbi euismod ut lorem finibus pellentesque. Aliquam eu porta ex. Aliquam cursus, orci sit amet volutpat egestas, est est pulvinar erat, sed luctus nisl ligula eget justo vestibulum.” <ECHOSERVERIP:PORT>
2000 bytes of Lorem Ipsum taken from https:/
Compare results from an e1000, a virtio, and a e1000e card:
+------
| Model | Fragment | Segment | Wire Size |
+------
| e1000e | Yes | NO | 1484 + 621 |
+------
| e1000 | No | Yes | 1516 + 620 |
+------
| Virtio | NO | NO | 2068 |
+------
Expected Results:
TCP Segment to proper size OR pass full size to host and let the host split if necessary.
Configuration changes that did not work:
Disable host, guest, router firewalls
Different Hosts
Different Physical NICs
Libvirt based NAT/Routed modes
Fedora 32 vs 31
Qemu 4.2.0 vs github commit d74824cf7c8b352
System Information:
lsb_release -rd
Description: Fedora release 32 (Thirty Two)
Release: 32
uname -a
Linux pats-laptop-linux 5.7.10-
I can provide additional logs, debug info, etc. if needed.
After reading through some of the code for the e1000, e1000e, and vmxnet3 device models, it appears that all 3 are capable of performing tcp segementation, however, in the net_tx_pkt_send function, there is a check
if (pkt->has_virt_hdr ||
pkt->virt_ hdr.gso_ type == VIRTIO_ NET_HDR_ GSO_NONE)
that if true will send the tcp segmented packets. However, if false, it will do IP fragmentation instead. I could not easily decipher what determines whether or not the pkt->has_virt_hdr value would be true or false.
What differs is that in the e1000, there is no such check. It directly calls qemu_send_packet without first going through the net_tx_pkt_send.
I will have to add in some debug prints on my local build to confirm that the tcp fragments are being created and then ignored.