Date:      Mon, 8 Jun 2020 13:47:05 +0200
From:      Jan Bramkamp <crest@rlwinm.de>
To:        freebsd-net@freebsd.org
Subject:   Re: On Netgraph
Message-ID:  <00686a7c-1035-f214-bb93-4ea69bb97d5e@rlwinm.de>
In-Reply-To: <CAJ-iVrNn=9-Z5YHG4j=adnFiiTbDLED6ArYh8j9Zepn0k8=6KA@mail.gmail.com>
References:  <CAJ-iVrNn=9-Z5YHG4j=adnFiiTbDLED6ArYh8j9Zepn0k8=6KA@mail.gmail.com>

On 27.05.20 10:06, Tom Marcoen wrote:
> Hey all,
>
> I'm new to this mailing list and also quite new to FreeBSD (hurray, welcome
> to me!) so bear with me, please.
>
> I'm reading up on Netgraph on how I can integrate it with FreeBSD jails and
> I was looking at some of the examples provided in
> /usr/share/examples/netgraph and now have the following question.
> The udp.tunnel example shows an iface point-to-point connection but it is
> unencrypted. Of course I could encrypt it with an IPsec tunnel on the host
> or tunnel it through SSH, but I was wondering whether there exists a nice
> Netgraph solution, e.g. a node with two hooks, receiving unencrypted
> traffic on the inside hook and sending out encrypted traffic on the outside
> hook.

Netgraph is a very flexible tool, but not needed for this. First of all, 
if_bridge(4) just got a massive throughput gain by at least a factor of 
5 in 13-current and 12-stable. Next, you would be reinventing the wheel 
with ng_bridge and ng_ksocket to tunnel Ethernet in UDP. As soon as you 
have more than two jail hosts you'll run into new problems.

The canonical solution to your problem is VXLAN. This allows you to 
learn the unicast tunnel endpoint address for unicast traffic and 
multicast the rest. These encapsulations have been invented to allow 
emulating a shared layer 2 Ethernet network per tenant. Unless your 
jails are VNET enabled and your jail admins require a shared layer 2 
network, you can avoid most of this overhead with dynamic routing. I 
know this sounds a lot like "you're holding it wrong". Your approach 
would work, but it would cripple performance unless you can wait for 
FreeBSD 12.2 and switch from netgraph to if_bridge(4). Routing is fast 
(enough) in the existing FreeBSD releases and in my opinion the cleaner 
solution, but it complicates hosting services expecting a shared layer 2; 
e.g. mDNS and DLNA require either multicast routing or proxies.
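The VXLAN behaviour Jan describes (learn the remote tunnel endpoint per source MAC, send known unicast directly, flood unknown/broadcast to the multicast group, and keep tenants apart by VNI) is easy to lose in the prose. The following is an added, self-contained model of that forwarding logic and of the RFC 7348 header; it is not code from the thread, from FreeBSD or from any VXLAN implementation. The `Vtep` class, the forwarding table and the MAC/IP addresses are constructed for illustration. Note what the model also makes visible: like the udp.tunnel example, VXLAN carries the inner Ethernet frame in plain UDP, so the VNI check is the only thing separating tenants, and nothing here authenticates the outer source address the table learns from.

```python
"""Constructed model of VXLAN encapsulation and VTEP forwarding (RFC 7348).

The Vtep class, the in-memory forwarding table and every address below are
assumptions made for this example, not something from the mailing-list post.
"""
import struct

VXLAN_UDP_PORT = 4789      # IANA-assigned VXLAN UDP port
VXLAN_FLAG_I = 0x08        # "VNI valid" flag in the first header byte
ETH_HDR_LEN = 14
BROADCAST_MAC = b"\xff" * 6


def vxlan_encap(vni: int, frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header: flags, 3 reserved, 24-bit VNI, 1 reserved."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8) + frame


def vxlan_decap(payload: bytes) -> tuple:
    """Return (vni, inner_frame); reject packets that are too short or lack the I flag."""
    if len(payload) < 8 + ETH_HDR_LEN:
        raise ValueError("too short for VXLAN + Ethernet headers")
    flags, vni_field = struct.unpack("!B3xI", payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: VNI not valid, drop")
    return vni_field >> 8, payload[8:]


def ethernet_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Minimal Ethernet II frame (no FCS) used as the inner packet."""
    return dst + src + struct.pack("!H", ethertype) + payload


class Vtep:
    """One tunnel endpoint: learns remote VTEPs per source MAC, floods the rest."""

    def __init__(self, local_ip: str, vni: int, mcast_group: str):
        self.local_ip = local_ip
        self.vni = vni
        self.mcast_group = mcast_group
        self.fdb = {}  # inner source MAC -> outer IP of the VTEP it was seen behind

    def egress(self, frame: bytes):
        """Frame leaving the local bridge: choose outer destination, encapsulate."""
        dst_mac = frame[:6]
        # Only unicast source MACs are ever learnt, so broadcast/multicast
        # and unknown unicast fall through to the multicast group (flooding).
        outer_dst = self.fdb.get(dst_mac, self.mcast_group)
        return outer_dst, VXLAN_UDP_PORT, vxlan_encap(self.vni, frame)

    def ingress(self, outer_src_ip: str, payload: bytes):
        """UDP payload arriving from outer_src_ip; None means the packet was dropped."""
        try:
            vni, frame = vxlan_decap(payload)
        except ValueError:
            return None
        if vni != self.vni:
            return None  # another tenant's segment: never delivered here
        self.fdb[frame[6:12]] = outer_src_ip  # learn where the sender lives
        return frame


def demo():
    """Two VTEPs on VNI 100 and a third tenant on VNI 200 sharing one multicast group."""
    mac_a, mac_b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    vtep_a = Vtep("192.0.2.1", 100, "239.1.1.1")
    vtep_b = Vtep("192.0.2.2", 100, "239.1.1.1")
    other = Vtep("192.0.2.3", 200, "239.1.1.1")

    # 1. A broadcasts (think ARP request): unknown destination -> multicast group.
    req = ethernet_frame(BROADCAST_MAC, mac_a, 0x0806, b"who-has?")
    dst1, _, pkt1 = vtep_a.egress(req)
    # 2. B receives the flood and learns mac_a behind 192.0.2.1; the other tenant drops it.
    b_got = vtep_b.ingress(vtep_a.local_ip, pkt1)
    other_got = other.ingress(vtep_a.local_ip, pkt1)
    # 3. B answers: the destination is now known, so the reply is unicast to A's VTEP.
    reply = ethernet_frame(mac_a, mac_b, 0x0806, b"is-at")
    dst2, _, pkt2 = vtep_b.egress(reply)
    vtep_a.ingress(vtep_b.local_ip, pkt2)
    # 4. A has learnt mac_b too; follow-up traffic is unicast in both directions.
    dst3, _, _ = vtep_a.egress(ethernet_frame(mac_b, mac_a, 0x0800, b"data"))
    return {"flood_dst": dst1, "b_received": b_got == req, "other_tenant_got": other_got,
            "reply_dst": dst2, "data_dst": dst3, "a_fdb": dict(vtep_a.fdb)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the first broadcast leaving for 239.1.1.1, the reply and all later data going unicast to the learnt endpoint, and the VNI 200 endpoint returning `None` for the VNI 100 packet it received via the shared group.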