Network update disrupts network usage
I have asked about this situation on the libvirt-users list and it seems that this is a weakness of libvirt rather than a usage error, so here is an issue for it.
I am encountering problems with network connections from VMs while running net-update on the host.
I am using libvirt in the context of an automated test system which creates and destroys VMs fairly rapidly, hence network updates occur often.
Reproducer
The issue can be reproduced as follows.
Run in a VM:
$ while true; do curl --max-time 5 https://www.google.com/ > /dev/null; sleep 1; done
These curl invocations succeed reliably.
Now at the same time, run on the host:
$ while true; do virsh net-update default add ip-dhcp-host "<host mac='52:54:00:ff:ff:ff' ip='192.168.122.240'/>" --live --config; virsh net-update default delete ip-dhcp-host "<host mac='52:54:00:ff:ff:ff' ip='192.168.122.240'/>" --live --config; done
The curl invocations now sometimes succeed, sometimes error out with "Connection refused" and sometimes time out.
I have reproduced this on Ubuntu 18.04 with libvirt 4.7.0 and on Ubuntu 20.04 with libvirt 6.0.0. The network has <forward mode='nat'/>.
Analysis
The issue appears to relate to the iptables manipulations performed by libvirt when net-update is used. Various rules disappear temporarily, such as these:
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
It would be better if net-update did not temporarily remove the iptables rules when it makes no changes to them.
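To observe the rule gaps directly instead of inferring them from failing curls, the following monitoring script polls iptables-save on the host while the net-update loop above runs and timestamps every poll in which one of the two rules quoted in the report is absent. It is an added example, not part of the original report and not libvirt's own code. It assumes iptables-save is available and run as root, and that the two rules appear in iptables-save output exactly as quoted above (the iptables version or the nft backend may print them slightly differently; copy the exact lines from your own iptables-save if they differ). The snapshot used by the built-in demo is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original report): detect the temporary
# disappearance of libvirt's NAT rules while `virsh net-update` runs.

# The two rules the report observed disappearing, in iptables-save form.
# iptables-save prints no "-t nat" prefix; the nat rule sits under "*nat".
EXPECTED_FILTER_RULE='-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
EXPECTED_NAT_RULE='-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535'

# missing_rules SNAPSHOT_FILE
# Prints a line per expected rule that is absent from an iptables-save dump.
# Returns 1 if any rule is missing, 0 if both are present.
# -x matches the whole line, -F takes the rule literally, -e keeps the
# leading "-A" from being parsed as a grep option.
missing_rules() {
    snapshot=$1
    rc=0
    if ! grep -qxF -e "$EXPECTED_FILTER_RULE" "$snapshot"; then
        echo "filter FORWARD RELATED,ESTABLISHED accept rule missing"
        rc=1
    fi
    if ! grep -qxF -e "$EXPECTED_NAT_RULE" "$snapshot"; then
        echo "nat POSTROUTING MASQUERADE rule missing"
        rc=1
    fi
    return $rc
}

# monitor [INTERVAL_SECONDS]
# Polls iptables-save (needs root) and logs each poll in which a rule is gone.
# Run this on the host alongside the net-update loop from the reproducer.
monitor() {
    interval=${1:-0.2}
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    while :; do
        iptables-save > "$tmp" 2>/dev/null || {
            echo "iptables-save failed (run as root?)" >&2
            return 2
        }
        if gaps=$(missing_rules "$tmp"); then
            :   # both rules present in this poll
        else
            printf '%s %s\n' "$(date +%T.%N)" "$gaps"
        fi
        sleep "$interval"
    done
}

# Offline demo on a CONSTRUCTED snapshot that mimics what iptables-save
# shows mid net-update with the nat MASQUERADE rule gone. Not real output.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '*filter' "$EXPECTED_FILTER_RULE" 'COMMIT' '*nat' 'COMMIT' > "$tmp"
    missing_rules "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# `sh monitor_rules.sh --watch 0.1` polls live; no arguments runs the demo.
case "${1:-demo}" in
    --watch) monitor "${2:-0.2}" ;;
    demo)    demo ;;
esac
```

With a polling interval of a few hundred milliseconds the log shows bursts of "missing" lines that line up with the curl failures in the guest; if the rules never show as missing while curl still fails, the cause is something other than the rule churn described in the analysis.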