nwfilter: Use immediate packet delivery mode rather than buffering
Our nwfilter code doesn't set any timeout on the pcap packet buffer, which means that when DHCP snooping is enabled on a guest interface and libvirt is trying to learn the IP address from the guest's DHCP traffic, it takes up to 4x longer to ping a guest successfully compared to a case where nwfilter isn't enabled at all or libvirt uses the cached nwfilter leases to populate the corresponding rules to ebtables.

With the pcap filter and rate limiting already in place, we should be able to afford enabling the immediate packet delivery. FWIW, immediate mode was actually the default prior to libpcap-1.5.0 (CentOS 6) regardless of whether a buffer was requested.

The lack of any kind of timeout on the pcap buffer messed with the libvirt TCK test suite which, even with a generous timeout in place, times out every single time simply because it takes a while until the guest actually starts producing any kind of traffic to fill up the buffer in place (apart from the DHCP traffic which happens fairly early on).

Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>