From owner-freebsd-net@freebsd.org Tue Jun 9 03:30:14 2020
Delivered-To: freebsd-net@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id C2165346E52; Tue, 9 Jun 2020 03:30:14 +0000 (UTC) (envelope-from julian@freebsd.org)
Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "vps1.elischer.org", Issuer "CA Cert Signing Authority" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 49gwc64q9cz4Pnt; Tue, 9 Jun 2020 03:30:14 +0000 (UTC) (envelope-from julian@freebsd.org)
Received: from Julian-MBP3.local (c-73-92-239-114.hsd1.ca.comcast.net [73.92.239.114]) (authenticated bits=0) by vps1.elischer.org (8.15.2/8.15.2) with ESMTPSA id 0593U9XU080805 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 8 Jun 2020 20:30:10 -0700 (PDT) (envelope-from julian@freebsd.org)
Subject: Re: On Netgraph
To: Marko Zec, Tom Marcoen
Cc: Jan Bramkamp, freebsd-net@freebsd.org
References: <00686a7c-1035-f214-bb93-4ea69bb97d5e@rlwinm.de> <20200608160317.6966f6d4@x23>
From: Julian Elischer
Date: Mon, 8 Jun 2020 20:30:04 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Thunderbird/68.8.1
MIME-Version: 1.0
In-Reply-To: <20200608160317.6966f6d4@x23>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
On 6/8/20 7:03 AM, Marko Zec wrote:
> On Mon, 8 Jun 2020 15:36:42 +0200
> Tom Marcoen wrote:
>
>> Hey Jan,
>>
>> I know about the vast performance improvements with if_bridge(4)
>> (Thank you, Kristof Provost), the problem with using it for jails is
>> that once you have a lot of jails, your host gets way too many epair
>> interfaces in its ifconfig, which I really do not like. So I would
>> prefer using Netgraph.
>>
>> I don't understand why everyone is doing everything they can _not_
>> to use Netgraph?
> Netgraph is very cool and underrated indeed. A part of the problem
> might be that people may find it easier to construct if_bridge
> configurations than to spend some time learning how to establish the
> same functionality using netgraph, which requires a few more steps. I
> was one of such lazy persons myself...
>
> But a more down-to-earth problem with ng_bridge may be that it is
> single-threaded (look around line 319 in sys/netgraph/ng_bridge.c),
> which most likely is going to make it less performant than if_bridge
> (after recent improvements)

Since netgraph was written in 1996 it has required only one rework to add
some support for multi-threading, so possibly after 24 years we may need to
change a few lines... :-)

>> On Mon, 8 Jun 2020 at 13:47, Jan Bramkamp wrote:
>>
>>> On 27.05.20 10:06, Tom Marcoen wrote:
>>>> Hey all,
>>>>
>>>> I'm new to this mailing list and also quite new to FreeBSD (hurray,
>>>> welcome to me!) so bear with me, please.
>>>>
>>>> I'm reading up on Netgraph on how I can integrate it with FreeBSD
>>>> jails and I was looking at some of the examples provided in
>>>> /usr/share/examples/netgraph and now have the following question.
>>>> The udp.tunnel example shows an iface point-to-point connection
>>>> but it is unencrypted. Of course I could encrypt it with an IPsec
>>>> tunnel on the host or tunnel it through SSH, but I was wondering
>>>> whether there exists a nice Netgraph solution, e.g. a node with two
>>>> hooks, receiving unencrypted traffic on the inside hook and sending
>>>> out encrypted traffic on the outside hook.
>>> Netgraph is a very flexible tool, but not needed for this. First of
>>> all if_bridge(4) just got a massive throughput gain by at least a
>>> factor of 5 in 13-current and 12-stable. Next you would be
>>> reinventing the wheel with ng_bridge and ng_ksocket to tunnel
>>> ethernet in UDP. As soon as you have more than two jail hosts
>>> you'll run into new problems.
>>>
>>> The canonical solution to your problem is VXLAN. This allows you to
>>> learn traffic to the unicast tunnel endpoint address for unicast
>>> traffic and multicast the rest. These encapsulations have been
>>> invented to allow emulating a shared layer 2 Ethernet network per
>>> tenant. Unless your jails are VNET enabled and your jail admins
>>> require a shared layer 2 network you can avoid most of this
>>> overhead with dynamic routing. I know this sounds a lot like
>>> "you're holding it wrong". Your approach would work, but it would
>>> cripple performance unless you can wait for FreeBSD 12.2 and switch
>>> from netgraph to if_bridge(4). Routing is fast (enough) in the
>>> existing FreeBSD releases and in my opinion the cleaner solution,
>>> but it complicates hosting services expecting a shared layer 2, e.g.
>>> mDNS and DLNA require either multicast routing or proxies.
>>>
>>> _______________________________________________
>>> freebsd-net@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-net
>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
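The thread contrasts the if_bridge(4)-plus-epair jail setup Tom dislikes with the netgraph graph that Marko says "requires a few more steps". Below is an added example of those steps, written for this page and not taken from the thread, the FreeBSD tree or any poster: one ng_bridge(4) node attached to the uplink NIC's ng_ether(4) node, plus one ng_eiface(4) node per VNET jail on its own bridge link. Once each eiface has been moved into its jail's vnet the host's ifconfig shows only the uplink. The uplink name em0, the bridge name em0bridge and the jail names are assumptions; by default the script only prints the ngctl(8)/ifconfig(8) commands it would run, and NG_APPLY=1 executes them on a FreeBSD host.

```shell
#!/bin/sh
# Added example (not from the thread): the ngctl(8) equivalent of a jail
# bridge, using one ng_bridge node and one ng_eiface per jail instead of
# if_bridge plus one epair per jail.
#
# Assumed names: uplink "em0", bridge node "em0bridge", jail names given as
# arguments.  Commands are printed unless NG_APPLY=1, in which case they run
# (ngctl loads the ng_ether, ng_bridge and ng_eiface modules on demand).
set -eu

run() {
    if [ "${NG_APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Hang a bridge node off the NIC: link0 faces the wire ("lower" hook),
# link1 faces the host's own stack ("upper" hook).  Promiscuous mode lets
# frames for the jails' MAC addresses in; setautosrc 0 stops ng_ether from
# rewriting the jails' source MACs to the NIC's.
ng_bridge_setup() {
    uplink=$1 bridge=$2
    run ngctl mkpeer "${uplink}:" bridge lower link0
    run ngctl name "${uplink}:lower" "$bridge"
    run ngctl connect "${uplink}:" "${bridge}:" upper link1
    run ngctl msg "${uplink}:" setpromisc 1
    run ngctl msg "${uplink}:" setautosrc 0
    run ngctl msg "${bridge}:" setpersistent
}

# Give one jail an eiface on bridge hook link$3, then name both the ifnet
# and the netgraph node after the jail so ifconfig and "ngctl list" stay
# readable when there are dozens of jails.
ng_jail_iface() {
    bridge=$1 jail=$2 linknum=$3
    run ngctl mkpeer "${bridge}:" eiface "link${linknum}" ether
    if [ "${NG_APPLY:-0}" = 1 ]; then
        # The kernel auto-names the new ifnet ngethN; look it up through the
        # bridge hook before renaming it (the node name does not follow).
        ngeth=$(ngctl show -n "${bridge}:link${linknum}" | awk '/Name:/ {print $2}')
        ifconfig "$ngeth" name "$jail"
    else
        printf '%s\n' "ifconfig ngethN name $jail"
    fi
    run ngctl name "${bridge}:link${linknum}" "$jail"
}

# Whole graph: bridge plus one link per jail.  Jail links start at link2
# because link0/link1 belong to the uplink's lower/upper hooks.
ng_jails_setup() {
    uplink=$1 bridge=$2; shift 2
    ng_bridge_setup "$uplink" "$bridge"
    n=2
    for j in "$@"; do
        ng_jail_iface "$bridge" "$j" "$n"
        n=$((n + 1))
    done
    return 0
}

# Stand-alone use: sh ngjails.sh jail1 jail2 ...
[ $# -eq 0 ] || ng_jails_setup em0 em0bridge "$@"
```

In jail.conf each jail then takes its interface with `vnet;` and `vnet.interface = "jail1";`, which removes it from the host's ifconfig. Note that this graph, like the udp.tunnel example Tom started from and like VXLAN, does nothing for confidentiality: any cross-host leg (an ng_ksocket link or a vxlan(4) interface) carries the jails' frames in cleartext and still needs IPsec or another encrypted transport underneath.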