Date: Mon, 8 Jun 2020 16:03:17 +0200
From: Marko Zec
To: Tom Marcoen
Cc: Jan Bramkamp, freebsd-net@freebsd.org
Subject: Re: On Netgraph
List-Id: Networking and TCP/IP with FreeBSD

On Mon, 8 Jun 2020 15:36:42 +0200
Tom Marcoen wrote:

> Hey Jan,
>
> I know about the vast performance improvements with if_bridge(4)
> (Thank you, Kristof Provost), the problem with using it for jails is
> that once you have a lot of jails, your host gets way too many epair
> interfaces in its ifconfig, which I really do not like. So I would
> prefer using Netgraph.
>
> I don't understand why is everyone doing everything they can _not_
> to use Netgraph?

Netgraph is very cool and underrated indeed. A part of the problem
might be that people may find it easier to construct if_bridge
configurations than to spend some time learning how to establish the
same functionality using netgraph, which requires a few more steps. I
was one of those lazy persons myself...

But a more down-to-earth problem with ng_bridge may be that it is
single-threaded (look around line 319 in sys/netgraph/ng_bridge.c),
which most likely is going to make it less performant than if_bridge
(after recent improvements).

>
> On Mon, 8 Jun 2020 at 13:47, Jan Bramkamp wrote:
>
> > On 27.05.20 10:06, Tom Marcoen wrote:
> > > Hey all,
> > >
> > > I'm new to this mailing list and also quite new to FreeBSD
> > > (hooray, welcome to me!) so bear with me, please.
> > >
> > > I'm reading up on Netgraph on how I can integrate it with FreeBSD
> > > jails and I was looking at some of the examples provided in
> > > /usr/share/examples/netgraph and now have the following question.
> > > The udp.tunnel example shows an iface point-to-point connection
> > > but it is unencrypted. Of course I could encrypt it with an IPsec
> > > tunnel on the host or tunnel it through SSH, but I was wondering
> > > whether there exists a nice Netgraph solution, e.g. a node with
> > > two hooks, receiving unencrypted traffic on the inside hook and
> > > sending out encrypted traffic on the outside hook.
> >
> > Netgraph is a very flexible tool, but not needed for this. First of
> > all if_bridge(4) just got a massive throughput gain by at least a
> > factor of 5 in 13-current and 12-stable. Next you would be
> > reinventing the wheel with ng_bridge and ng_ksocket to tunnel
> > ethernet in UDP. As soon as you have more than two jail hosts
> > you'll run into new problems.
> >
> > The canonical solution to your problem is VXLAN. This allows you to
> > learn traffic to the unicast tunnel endpoint address for unicast
> > traffic and multicast the rest. These encapsulations have been
> > invented to allow emulating a shared layer 2 Ethernet network per
> > tenant. Unless your jails are VNET enabled and your jail admins
> > require a shared layer 2 network you can avoid most of this
> > overhead with dynamic routing. I know this sounds a lot like
> > "you're holding it wrong". Your approach would work, but it would
> > cripple performance unless you can wait for FreeBSD 12.2 and switch
> > from netgraph to if_bridge(4). Routing is fast (enough) in the
> > existing FreeBSD releases and in my opinion the cleaner solution,
> > but it complicates hosting services expecting a shared layer 2 e.g.
> > mDNS and DLNA require either multicast routing or proxies.
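
The VXLAN behaviour described in Jan Bramkamp's quoted reply above (learn the unicast tunnel endpoint address per inner MAC, multicast the rest), as an added Python example that is not part of the original thread and is not FreeBSD's vxlan(4) code. The header layout follows RFC 7348; the class name `Vtep`, the VNI 42, the MAC addresses and the 192.0.2.x / 239.0.0.42 addresses are constructed for illustration.

```python
import struct

VXLAN_PORT = 4789  # IANA-assigned UDP port for VXLAN (RFC 7348)

def vxlan_encap(vni, frame):
    """Prefix an Ethernet frame with the 8-byte VXLAN header."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    # Flags byte 0x08 (VNI valid), 24 reserved bits, 24-bit VNI, 8 reserved bits.
    # There is no integrity or encryption field: the inner frame travels in clear.
    return struct.pack("!II", 0x08 << 24, vni << 8) + frame

def vxlan_decap(packet):
    """Return (vni, inner_frame), rejecting malformed packets."""
    if len(packet) < 8 + 14:
        raise ValueError("shorter than VXLAN header plus Ethernet header")
    flags_word, vni_word = struct.unpack("!II", packet[:8])
    if not (flags_word >> 24) & 0x08:
        raise ValueError("VNI-valid flag not set")
    return vni_word >> 8, packet[8:]

class Vtep:
    """Tunnel endpoint on one jail host: learns inner MAC -> remote host IP."""
    def __init__(self, vni, mcast_group):
        self.vni, self.mcast_group, self.fdb = vni, mcast_group, {}

    def receive(self, outer_src_ip, packet):
        vni, frame = vxlan_decap(packet)
        if vni != self.vni:
            return None  # another tenant's segment: drop, learn nothing
        src_mac = frame[6:12]
        if not src_mac[0] & 1:  # never learn a group address as a source
            self.fdb[src_mac] = outer_src_ip
        return frame

    def send(self, frame):
        dst_mac = frame[0:6]
        known = None if dst_mac[0] & 1 else self.fdb.get(dst_mac)
        # Known unicast goes to the learned endpoint; everything else is multicast.
        return known or self.mcast_group, VXLAN_PORT, vxlan_encap(self.vni, frame)

def demo():
    # Constructed sample data: locally administered MACs, documentation addresses.
    jail_a, jail_b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    vtep = Vtep(42, "239.0.0.42")
    arp = b"\xff" * 6 + jail_b + b"\x08\x06" + bytes(28)  # broadcast from jail_b
    vtep.receive("192.0.2.2", vxlan_encap(42, arp))       # arrives from host 2
    reply = jail_b + jail_a + b"\x08\x00" + bytes(20)     # unicast back to jail_b
    return [vtep.send(f)[0] for f in (reply, arp)]
```

Because the encapsulation carries the inner frames in clear, the IPsec option mentioned in the original question still applies to the outer UDP traffic between hosts.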