Date:      Fri, 22 Dec 2017 21:30:35 +0100
From:      Michael Grimm <trashcan@ellael.org>
To:        freebsd-net@freebsd.org, freebsd-pf@FreeBSD.org
Cc:        Eugene Grosbein <eugen@grosbein.net>
Subject:   Re: performance issue within VNET jail
Message-ID:  <53687746-C487-4712-AA52-DE86CE70FDEF@ellael.org>
In-Reply-To: <5A3D67EC.6010907@grosbein.net>
References:  <4F5EE3F6-0163-4435-8726-56B0D4AE9FAF@ellael.org> <B6446660-9FD2-4C28-A3A2-8AC99624C7FF@sigsegv.be> <8102F5FD-DCFC-4EF8-A443-9E6C9EB1F467@ellael.org> <DB5DE737-7171-4953-AF98-45F1BE7AF09E@sigsegv.be> <8C8A172B-4D4F-4066-8B94-EF5F59E2D345@ellael.org> <5A3D67EC.6010907@grosbein.net>

Hi —

[  I am including freebsd-pf@FreeBSD.org now and removing freebsd-jail@FreeBSD.org  ]
[  Thread starts at https://lists.freebsd.org/pipermail/freebsd-net/2017-December/049470.html  ]

Eugene Grosbein <eugen@grosbein.net> wrote:
> Michael Grimm wrote:
>> Kristof Provost <kristof@sigsegv.be> wrote:

>>> I run a very similar setup (although on CURRENT), and see no performance issues from my jails.
>>
>> In utter despair I did upgrade one server to CURRENT (#327076) today, but that hasn't been successful :-(
>>
>> Ok, right now I do know:
>>
>> (#) there is *no* performance loss (TCP) when:
>>
>> 	(-) fetching files from outside through PF/extIF to host
>> 	(-) fetching files from partner server host via IPSEC tunnel bound to extIF (ESP) to host
>> 	(-) fetching files from partner server host via IPSEC tunnel bound to extIF (ESP) to jail via bridge
>> 	(-) fetching files from partner server jail via bridge and then via IPSEC tunnel bound to extIF (ESP) to host
>> 	(-) fetching files from partner server jail via bridge and then via IPSEC tunnel bound to extIF (ESP) and then via bridge to jail
>>
>> (#) there is a *dramatic* performance loss (TCP) when:
>>
>> 	(-) fetching files from outside through PF/extIF via bridge to jail
>>
>> (#) I did try to tweak the following settings *without* success:
>>
>> 	(-) sysctl net.inet.tcp.tso=0
>> 	(-) sysctl net.link.bridge.pfil_onlyip=0
>> 	(-) sysctl net.link.bridge.pfil_bridge=0
>> 	(-) sysctl net.link.bridge.pfil_member=0
>> 	(-) reducing mtu to 1400 (1490 before) on all interfaces extIF, bridge, epairXs
>> 	(-) deactivating "scrub in all" and "scrub out on $extIF all random-id" in /etc/pf.conf
>> 	(-) setting "set require-order yes" and "set require-order no" in /etc/pf.conf [1]
>>
>> [1] I do see a lot more out-of-order packets within a jail in "netstat -s -p tcp" after those slow downloads, but not after downloads via IPSEC tunnel from partner host.
>>
>> That leads me to the conclusions:
>>
>> 	(#) the bridge is not to blame
>> 	(#) it's either the PF/NATing or something else, right?
>>
>> Thanks for your suggestions so far, but I am lost here. Any ideas?
>
> It seems to me some kind of bug in the PF.
> I personally never tried it, I use ipfw and it works just fine.

Before testing IPFW (which I have never used before) I'd like to ask the experts in freebsd-pf@FreeBSD.org about possible tests/tweaks regarding PF.

Thanks to all involved so far and regards,
Michael
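As an added example (not part of this thread or of anyone's posted code), a small sh script that turns the "more out-of-order packets in netstat -s -p tcp" observation above into measured counter deltas around a single test download, so the PF/extIF-to-bridge-to-jail path can be compared against the IPsec path with numbers. It assumes FreeBSD's `netstat -s -p tcp` line wording ("N out-of-order packets (...)", "N data packets (...) retransmitted") and `fetch(1)`; the two sample dumps are constructed.

```sh
#!/bin/sh
# Added example: measure TCP reordering/retransmission around one download.
# Assumes the FreeBSD netstat -s -p tcp line format; not the thread's own code.

# Pull the leading number of the first netstat line containing a label fragment.
counter() {   # $1 = dump text, $2 = label fragment
    printf '%s\n' "$1" | awk -v lbl="$2" 'index($0, lbl) { print $1; exit }'
}

# Difference of one counter between a "before" and an "after" dump.
delta() {     # $1 = before dump, $2 = after dump, $3 = label fragment
    b=$(counter "$1" "$3"); a=$(counter "$2" "$3")
    echo $(( ${a:-0} - ${b:-0} ))
}

# Print the bridge/TSO knobs tried in the thread (FreeBSD only; silent elsewhere).
show_knobs() {
    sysctl net.inet.tcp.tso net.link.bridge.pfil_onlyip \
           net.link.bridge.pfil_bridge net.link.bridge.pfil_member 2>/dev/null
}

# Run one download from inside the host or jail under test and report deltas.
measure() {   # $1 = URL to fetch
    before=$(netstat -s -p tcp)
    fetch -o /dev/null "$1"      # FreeBSD fetch(1); use curl -o /dev/null elsewhere
    after=$(netstat -s -p tcp)
    echo "out-of-order packets: $(delta "$before" "$after" 'out-of-order packets')"
    echo "retransmitted packets: $(delta "$before" "$after" 'bytes) retransmitted')"
}

# Constructed sample dumps (abbreviated netstat -s -p tcp output) for a dry run.
SAMPLE_BEFORE='tcp:
	1000 packets sent
		100 data packets (200000 bytes) retransmitted
	5000 packets received
		10 out-of-order packets (15000 bytes)'
SAMPLE_AFTER='tcp:
	1100 packets sent
		130 data packets (260000 bytes) retransmitted
	5900 packets received
		250 out-of-order packets (375000 bytes)'
```

Run `measure http://<partner-or-outside-host>/file` once from the host and once from the jail behind the bridge; a large out-of-order delta only on the jail path points at the PF/bridge leg rather than the IPsec leg.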