From: Tom Marcoen
Date: Mon, 8 Jun 2020 15:36:42 +0200
Subject: Re: On Netgraph
To: Jan Bramkamp
Cc: freebsd-net@freebsd.org
In-Reply-To: <00686a7c-1035-f214-bb93-4ea69bb97d5e@rlwinm.de>

Hey Jan,

I know about the vast performance improvements with if_bridge(4) (thank you, Kristof Provost); the problem with using it for jails is that once you have a lot of jails, your host gets way too many epair interfaces in its ifconfig, which I really do not like. So I would prefer using Netgraph. I don't understand why everyone is doing everything they can _not_ to use Netgraph?

On Mon, 8 Jun 2020 at 13:47, Jan Bramkamp wrote:
> On 27.05.20 10:06, Tom Marcoen wrote:
> > Hey all,
> >
> > I'm new to this mailing list and also quite new to FreeBSD (hurray, welcome
> > to me!) so bear with me, please.
> >
> > I'm reading up on Netgraph on how I can integrate it with FreeBSD jails and
> > I was looking at some of the examples provided in
> > /usr/share/examples/netgraph and now have the following question.
> > The udp.tunnel example shows an iface point-to-point connection but it is
> > unencrypted. Of course I could encrypt it with an IPsec tunnel on the host
> > or tunnel it through SSH, but I was wondering whether there exists a nice
> > Netgraph solution, e.g. a node with two hooks, receiving unencrypted
> > traffic on the inside hook and sending out encrypted traffic on the outside
> > hook.
>
> Netgraph is a very flexible tool, but not needed for this. First of all
> if_bridge(4) just got a massive throughput gain by at least a factor of
> 5 in 13-current and 12-stable. Next you would be reinventing the wheel
> with ng_bridge and ng_ksocket to tunnel Ethernet in UDP. As soon as you
> have more than two jail hosts you'll run into new problems.
>
> The canonical solution to your problem is VXLAN. This allows you to
> learn the unicast tunnel endpoint address for unicast traffic and
> multicast the rest. These encapsulations have been invented to allow
> emulating a shared layer 2 Ethernet network per tenant. Unless your
> jails are VNET enabled and your jail admins require a shared layer 2
> network you can avoid most of this overhead with dynamic routing. I
> know this sounds a lot like "you're holding it wrong". Your approach
> would work, but it would cripple performance unless you can wait for
> FreeBSD 12.2 and switch from netgraph to if_bridge(4). Routing is fast
> (enough) in the existing FreeBSD releases and in my opinion the cleaner
> solution, but it complicates hosting services expecting a shared layer 2,
> e.g. mDNS and DLNA require either multicast routing or proxies.
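As an added illustration (not code from this thread or from FreeBSD), here is a minimal Python model of the VXLAN endpoint behaviour Jan describes: the remote tunnel endpoint is learned from the outer source address of received traffic, known destinations are sent unicast, and everything else is flooded to the multicast group. The names `Vtep`, `vxlan_encap`, `vxlan_decap` and `eth_frame` and all addresses are assumptions constructed for the demo; like the udp.tunnel example, the encapsulation itself is unencrypted, so the inner frame remains readable in the outer UDP payload unless the host adds IPsec.

```python
# Added example (not from the thread): a minimal VXLAN tunnel endpoint (VTEP)
# model with endpoint learning. All names and addresses are assumptions.
from __future__ import annotations
import struct

VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN port (the model does no I/O)
VXLAN_FLAG_I = 0x08    # first-byte flag meaning "the VNI field is valid"


def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header: flags, 3 reserved, 24-bit VNI, 1 reserved."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8) + inner_frame


def vxlan_decap(payload: bytes) -> tuple[int, bytes]:
    """Split a VXLAN UDP payload into (vni, inner frame); reject malformed headers."""
    if len(payload) < 8 + 14:  # VXLAN header plus a minimal Ethernet header
        raise ValueError("short VXLAN packet")
    flags, word = struct.unpack("!B3xI", payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return word >> 8, payload[8:]


def eth_frame(dst_mac: bytes, src_mac: bytes, data: bytes, ethertype: int = 0x0800) -> bytes:
    """Build a constructed Ethernet II frame for the demo."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + data


class Vtep:
    """One tunnel endpoint on one VNI; fdb maps inner source MAC -> learned remote VTEP IP."""

    def __init__(self, vni: int, local_ip: str, mcast_group: str):
        self.vni, self.local_ip, self.mcast_group = vni, local_ip, mcast_group
        self.fdb: dict[bytes, str] = {}

    def send(self, inner_frame: bytes) -> tuple[str, bytes]:
        """Return (outer destination IP, UDP payload): unicast if learned, else multicast."""
        outer_dst = self.fdb.get(inner_frame[:6], self.mcast_group)
        return outer_dst, vxlan_encap(self.vni, inner_frame)

    def receive(self, outer_src_ip: str, payload: bytes) -> bytes | None:
        """Decapsulate, drop frames for other VNIs, learn the sender's VTEP from the outer header."""
        vni, inner = vxlan_decap(payload)
        if vni != self.vni:
            return None
        self.fdb[inner[6:12]] = outer_src_ip  # inner source MAC -> remote endpoint
        return inner
```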