From owner-freebsd-xen@freebsd.org Wed Oct 14 16:22:12 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-xen@FreeBSD.org
Subject: [Bug 154428] [xen] xn0 network interface and PF - Massive performance drop
Date: Wed, 14 Oct 2015 16:22:11 +0000
List-Id: Discussion of the freebsd port to xen - implementation and usage

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=154428

--- Comment #15 from commit-hook@freebsd.org ---
A commit references this bug:

Author: kp
Date: Wed Oct 14 16:21:41 UTC 2015
New revision: 289316
URL: https://svnweb.freebsd.org/changeset/base/289316

Log:
  pf: Fix TSO issues

  In certain configurations (mostly but not exclusively as a VM on Xen) pf
  produced packets with an invalid TCP checksum.

  The problem was that pf could only handle packets with a full checksum. The
  FreeBSD IP stack produces TCP packets with a pseudo-header checksum (only
  addresses, length and protocol).
  Certain network interfaces expect to see the pseudo-header checksum, so they
  end up producing packets with invalid checksums.

  To fix this stop calculating the full checksum and teach pf to only update TCP
  checksums if TSO is disabled or the change affects the pseudo-header checksum.

  PR: 154428, 193579, 198868
  Reviewed by: sbruno
  MFC after: 1 week
  Relnotes: yes
  Sponsored by: RootBSD
  Differential Revision: https://reviews.freebsd.org/D3779

Changes:
  head/sys/net/pfvar.h
  head/sys/netpfil/pf/pf.c
  head/sys/netpfil/pf/pf_ioctl.c
  head/sys/netpfil/pf/pf_norm.c

-- 
You are receiving this mail because:
You are the assignee for the bug.

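Added example, not part of the original mail or of the FreeBSD commit: a simplified user-space model of the checksum mismatch described in the commit log above. The sample segment, the helper names (csum_add, pseudo_sum, put_csum, wire_ok) and the modelling of the interface's offload step as "sum the segment as handed down and store the complement" are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: 192.0.2.1:12345 -> 198.51.100.7:80, PSH|ACK, "ping". */
static const uint8_t SRC[4] = {192, 0, 2, 1}, DST[4] = {198, 51, 100, 7};
static const uint8_t SEGMENT[24] = {
    0x30, 0x39, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0,
    0x50, 0x18, 0x20, 0x00, 0, 0, 0, 0, 'p', 'i', 'n', 'g'};

/* One's-complement sum of big-endian 16-bit words, folded to 16 bits. */
static uint16_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)p[0] << 8 | p[1];
    if (len)
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Pseudo-header sum: addresses, protocol (6 = TCP) and TCP length only. */
static uint16_t pseudo_sum(uint16_t tcp_len)
{
    uint8_t ph[12] = {0};
    memcpy(ph, SRC, 4);
    memcpy(ph + 4, DST, 4);
    ph[9] = 6;
    ph[10] = tcp_len >> 8; ph[11] = tcp_len & 0xff;
    return csum_add(0, ph, sizeof ph);
}
static void put_csum(uint8_t *seg, uint16_t v) { seg[16] = v >> 8; seg[17] = v & 0xff; }

/* Returns 1 if the packet on the wire validates. full_in_field: 0 leaves the
 * pseudo-header sum in the checksum field, 1 writes a full checksum there.
 * offload: the interface (assumed model) finishes the checksum itself. */
int wire_ok(int full_in_field, int offload)
{
    uint8_t seg[sizeof SEGMENT];
    memcpy(seg, SEGMENT, sizeof seg);
    uint16_t seed = pseudo_sum((uint16_t)sizeof seg);
    put_csum(seg, full_in_field ? (uint16_t)~csum_add(seed, seg, sizeof seg) : seed);
    if (offload) /* sum the segment as handed down, store the complement */
        put_csum(seg, (uint16_t)~csum_add(0, seg, sizeof seg));
    /* Receiver: pseudo-header plus whole segment must sum to 0xffff. */
    return csum_add(seed, seg, sizeof seg) == 0xffff;
}

int main(void) { printf("seed+offload=%d full+offload=%d\n", wire_ok(0, 1), wire_ok(1, 1)); return 0; }
```

Only two combinations validate: the pseudo-header sum followed by the offload step, and a full checksum with no offload step. A full checksum handed to an interface that still performs the offload step goes out invalid, which is the symptom the commit log describes.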
From owner-freebsd-xen@freebsd.org Wed Oct 14 22:32:21 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-xen@FreeBSD.org
Subject: [Bug 154428] [xen] xn0 network interface and PF - Massive performance drop
Date: Wed, 14 Oct 2015 22:32:21 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=154428

--- Comment #16 from Alex ---
Good to see some resolution to this. But seriously:

2011-02-01 12:30:09 AEDT

That's when I opened this PR. Why has it taken over 4 years to fix???? Bit
long in the tooth?

Anyway. Better late than never. Kudos to those who actually did something
about fixing this issue.

Alex.

From owner-freebsd-xen@freebsd.org Thu Oct 15 14:40:52 2015
From: Roger Pau Monné
To: Andreas Pflug
CC: FreeBSD XEN
Subject: Re: [Xen-users] forcing HVM to specific network model with PV-aware FreeBSD DomU
Date: Thu, 15 Oct 2015 16:39:32 +0200

Hello,

Adding the freebsd-xen mailing list since somebody might be able to
provide better advice than me regarding network stuff.

On 15/10/15 at 12.31, Andreas Pflug wrote:
> Hi!
>
> For quite a while, I've been running several pfSense firewall DomUs up
> to version 2.15 on Xen. Since the FreeBSD kernel 8.3 of pfSense wasn't
> xen-aware the model e1000 was used, and I had all networking features as
> expected though performance was degraded.
>
> When the new pfSense 2.2 was introduced, the kernel changed to FreeBSD
> 10.1 which now (finally!) includes a xen netfront driver, promising a
> vastly improved performance. Unfortunately, its implementation is quite
> sketchy:
> - offloading issues, which can be worked around by disabling tx
> offloading using a custom vif-script

Is this related to the long-standing pf+TSO issues? There's a recent
commit that should solve it:

https://svnweb.freebsd.org/base?view=revision&revision=289316

There seem to be plans to issue an EN for that one, so you might be
able to get it by just using freebsd-update (or whatever pfSense uses)
without having to wait for a new stable release.

> - VLANs are not supported. Can be achieved with multiple bridges in
> Dom0, if 8 are enough. If you need more, you're out of luck.
> - ALTQ not supported. No known workaround, preventing any traffic shaping.

Sadly I'm not aware of anyone working on these two items. Any pickers?

> On the FreeBSD side, it is said that the xn xen netfront driver can't be
> disabled at boot time, unless a custom kernel is built (certainly not
> desirable regarding security updates), so:
>
> How can I disable xen-netback drivers for a specific HVM? It should
> respect the "model=e1000" setting (or maybe virtio?). I'm running Xen
> 4.4 on Debian.

I've recently committed a patch to HEAD in order to disable PV nics or
disks on request:

https://svnweb.freebsd.org/base?view=revision&revision=286999

I will backport it to stable-10 soon to make sure it's on the next
stable release (FreeBSD 10.3). Apart from that, there's not much we can
do now.

Roger.

From owner-freebsd-xen@freebsd.org Thu Oct 15 15:13:10 2015
From: Andreas Pflug
To: Roger Pau Monné, xen-users@lists.xen.org
Cc: FreeBSD XEN
Subject: Re: [Xen-users] forcing HVM to specific network model with PV-aware FreeBSD DomU
Date: Thu, 15 Oct 2015 17:12:59 +0200

On 15.10.15 at 16:39, Roger Pau Monné wrote:
> Hello,
>
> Adding the freebsd-xen mailing list since somebody might be able to
> provide better advice than me regarding network stuff.
>
> On 15/10/15 at 12.31, Andreas Pflug wrote:
>> Hi!
>>
>> For quite a while, I've been running several pfSense firewall DomUs up
>> to version 2.15 on Xen. Since the FreeBSD kernel 8.3 of pfSense wasn't
>> xen-aware the model e1000 was used, and I had all networking features as
>> expected though performance was degraded.
>>
>> When the new pfSense 2.2 was introduced, the kernel changed to FreeBSD
>> 10.1 which now (finally!) includes a xen netfront driver, promising a
>> vastly improved performance. Unfortunately, its implementation is quite
>> sketchy:
>> - offloading issues, which can be worked around by disabling tx
>> offloading using a custom vif-script
> Is this related to the long-standing pf+TSO issues? There's a recent
> commit that should solve it:
>
> https://svnweb.freebsd.org/base?view=revision&revision=289316
>
> There seem to be plans to issue an EN for that one, so you might be
> able to get it by just using freebsd-update (or whatever pfSense uses)
> without having to wait for a new stable release.

Yes, this seems to be the issue.

>
>> - VLANs are not supported. Can be achieved with multiple bridges in
>> Dom0, if 8 are enough. If you need more, you're out of luck.
>> - ALTQ not supported. No known workaround, preventing any traffic shaping.
> Sadly I'm not aware of anyone working on these two items. Any pickers?
>
>> On the FreeBSD side, it is said that the xn xen netfront driver can't be
>> disabled at boot time, unless a custom kernel is built (certainly not
>> desirable regarding security updates), so:
>>
>> How can I disable xen-netback drivers for a specific HVM? It should
>> respect the "model=e1000" setting (or maybe virtio?). I'm running Xen
>> 4.4 on Debian.
> I've recently committed a patch to HEAD in order to disable PV nics or
> disks on request:
>
> https://svnweb.freebsd.org/base?view=revision&revision=286999
>
> I will backport it to stable-10 soon to make sure it's on the next
> stable release (FreeBSD 10.3). Apart from that, there's not much we can
> do now.

Ah, while that won't fix the xn driver, it will give us back the en
driver. Hopefully it will find its way into pfSense's kernel, I'll drop
a note over there.

Regards,
Andreas