[pve-devel] [PATCH docs/manager/qemu-server v2 0/3] Make VirtIO network devices always inherit MTU from bridge
Stefan Hanreich
s.hanreich at proxmox.com
Tue Apr 22 13:33:53 CEST 2025
On 4/18/25 09:46, Thomas Lamprecht wrote:
> On 17.04.25 at 12:48, Stefan Hanreich wrote:
>> The current default behavior for VirtIO network devices is to default to 1500
>> MTU, unless otherwise specified. This is inconvenient in cases where the MTU is
>> not the default value (e.g. for VXLAN VNets or bridges with jumbo frames).
>> Containers already inherit the MTU of the bridge, if not set, so change the
>> behavior of VMs to be more in line with containers. This also makes using
>> non-standard MTUs more convenient and less error-prone since users do not have
>> to remember setting the MTU every time they configure a network device on such a
>> bridge.
>
> Hmm, does this have regression potential for bridges with a too high MTU?
> I.e., one where the MTU works for LAN but not for anything going beyond that,
> which is odd but can be working fine I think? At least as long as no host and
> no CT uses this bridge for communicating with endpoints outside the LAN.

In that case, traffic going outside the LAN has to go through a router,
which has to handle routing between networks with different MTU. Either
by fragmenting packets or dropping them and sending an ICMP
'fragmentation needed'. Of course that setup is far from optimal, but it
should work. Not 100% sure if that is what you meant, correct me if I
misunderstood something.

With this patch we're setting the MTU of the NIC to the MTU that is set
on the bridge already, so the bridge would have already dropped packets
that are too large.

If the MTU of the bridge was larger than 1500, but the NIC was set to
1500, then the VM was just sending packets that are too small, but the
setup would work, assuming the bridge MTU is the correct one for the
network.

A possible regression I can think of is: If the bridge was set to the
wrong MTU (e.g. 9000) at some point, but external devices in the same
LAN are still set to use a lower MTU (e.g. 1500). If users never
configured the larger MTU anywhere else besides the bridge, then this
would break.

If the MTU of the bridge was smaller than 1500, but the NIC is set to
1500 (which is the case with SDN VXLAN bridges), then this would be
discovered quite quickly in most cases since network packets would get
dropped. This change would fix such existing broken setups.

> FWIW, we could also tie this behavior to a machine version to avoid changing
> the behavior for any existing VM. But I would be fine with applying this only
> for PVE 9 then and add a notice to the pve8to9 checker script that lists all
> VMs that will change their MTU including the respective value.

I think it would be a good idea to include this in pve8to9 with warnings
at least and mention it in the release notes. It might make for some
noise and unsettle some users though. Since we cannot really tell what
MTU is set inside the VM, we'd have to show warnings for basically every
network device on a bridge with MTU != 1500.

Would also be open to tie this to a new machine version if we want to be
really careful and avoid the unnecessary warnings.
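
The report discussed above (every VirtIO NIC whose MTU would change, with the respective value), sketched as an added example that is not part of the original message and is not Proxmox or pve8to9 code. It assumes VM config lines of the form `netN: <model>=<MAC>,bridge=<name>[,mtu=<n>]` and a bridge-to-MTU map supplied by the caller; the function names and sample data are constructed for illustration.

```python
import re

OLD_DEFAULT_MTU = 1500  # VirtIO default before the change, as stated in the thread
NET_LINE = re.compile(r"^net(\d+):\s*(.+)$")

def parse_nics(config_text):
    """Yield (nic_id, model, options) for each netN line (assumed format)."""
    for line in config_text.splitlines():
        m = NET_LINE.match(line.strip())
        if not m:
            continue
        model, opts = None, {}
        for i, part in enumerate(m.group(2).split(",")):
            key, _, value = part.partition("=")
            if i == 0:
                model = key          # first field is <model>=<MAC>
            else:
                opts[key] = value
        yield "net" + m.group(1), model, opts

def mtu_changes(vm_configs, bridge_mtu):
    """Return (vmid, nic, bridge, old_mtu, new_mtu) for NICs that would change."""
    changes = []
    for vmid, text in sorted(vm_configs.items()):
        for nic, model, opts in parse_nics(text):
            bridge = opts.get("bridge")
            # Only VirtIO NICs without an explicit mtu= would start inheriting.
            if model != "virtio" or "mtu" in opts or bridge not in bridge_mtu:
                continue
            new_mtu = bridge_mtu[bridge]
            if new_mtu != OLD_DEFAULT_MTU:
                changes.append((vmid, nic, bridge, OLD_DEFAULT_MTU, new_mtu))
    return changes

# Constructed sample data: a default bridge, a jumbo-frame bridge, a VXLAN VNet.
BRIDGE_MTU = {"vmbr0": 1500, "vmbr1": 9000, "vnet1": 1450}
VM_CONFIGS = {
    100: "name: web\nnet0: virtio=BC:24:11:00:00:01,bridge=vmbr0\n",
    101: "net0: virtio=BC:24:11:00:00:02,bridge=vmbr1\n"
         "net1: virtio=BC:24:11:00:00:03,bridge=vmbr1,mtu=1500\n",
    102: "net0: virtio=BC:24:11:00:00:04,bridge=vnet1,firewall=1\n"
         "net1: e1000=BC:24:11:00:00:05,bridge=vmbr1\n",
}

if __name__ == "__main__":
    for vmid, nic, bridge, old, new in mtu_changes(VM_CONFIGS, BRIDGE_MTU):
        print(f"VM {vmid} {nic} on {bridge}: MTU {old} -> {new}")
```

In the sample, the `vnet1` entry is the case the change would fix (bridge MTU below 1500), while the `vmbr1` entry is the one that regresses only if other devices in that LAN still use 1500.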