From: "Bjoern A. Zeeb"
To: "Michael Grimm"
Cc: freebsd-net@freebsd.org, freebsd-pf@FreeBSD.org
Subject: Re: performance issue within VNET jail
Date: Sat, 23 Dec 2017 13:11:40 +0000
Message-ID:
In-Reply-To: <53687746-C487-4712-AA52-DE86CE70FDEF@ellael.org>
References: <4F5EE3F6-0163-4435-8726-56B0D4AE9FAF@ellael.org> <8102F5FD-DCFC-4EF8-A443-9E6C9EB1F467@ellael.org> <8C8A172B-4D4F-4066-8B94-EF5F59E2D345@ellael.org> <5A3D67EC.6010907@grosbein.net> <53687746-C487-4712-AA52-DE86CE70FDEF@ellael.org>

On 22 Dec 2017, at 20:30, Michael Grimm wrote:

> Hi —
>
> [ I am including freebsd-pf@FreeBSD.org now and removing freebsd-jail@FreeBSD.org ]
> [ Thread starts at https://lists.freebsd.org/pipermail/freebsd-net/2017-December/049470.html ]
>
>>> (#) there is a *dramatic* performance loss (TCP) when:
>>>
>>> (-) fetching files from outside through PF/extIF via bridge to jail …
>>>
>>> Thanks for your suggestions so far, but I am lost here. Any ideas?
>>
>> It seems to me some kind of bug in the PF.
>> I personally never tried it, I use ipfw and it works just fine.
>
> Before testing IPFW (which I have never used before) I'd like to ask the experts in freebsd-pf@FreeBSD.org about possible tests/tweaks regarding PF.

OK, too complicated setups; I am not getting it fully. Can you please just describe the one case that doesn't work well in all detail and ignore all the others for a moment?

(a) what's the external host interface?
(b) pf runs on the base system?
(c) you are bridging into a VNET jail? How exactly? Are you bridging to epairs?
(d) where exactly are you NATing?
(e) why are you bridging and NATing? That makes little sense to me. Couldn't you NAT and forward, or just bridge?
(f) what's inside the VNET jail? Another pf or anything?
(g) out of curiosity, does dmesg on the base system indicate anything?

To understand your performance problem better:

(1) you are doing a fetch of a rather large file to test from within the VNET jail? Or what are you fetching? Are you using fetch?
(2) if you fetch from within the same VNET jail, does that perform?
(3) if you fetch something to the VNET jail from the base system, just going through your internal setup but not leaving the machine, does that still perform?
(4) if you fetch something to the VNET jail from the same LAN (if possible to test), does that perform?
(5) if you fetch something to the VNET jail from a close-by location, does that make a difference compared to something on the other side of the planet?

/bz
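The five fetch scenarios asked about above (same jail, base system over the internal path, same LAN, nearby host, far-away host) are easiest to compare when each is measured the same way. The script below is an added example written for this reply, not code from the thread or from the FreeBSD project: it times the same large-file fetch from each vantage point and flags any scenario that runs at less than half the throughput of the first one, so the hop where throughput collapses (bridge, pf, NAT, or the WAN) stands out. The hostnames and paths are placeholders you must replace with your own; `fetch(1)` is assumed to be available, with `curl` as a fallback, and because `date +%s` has one-second resolution the test file should be large enough to take several seconds to transfer.

```shell
#!/bin/sh
# Added example for localising a throughput drop across fetch scenarios.
# Not from the mailing-list thread; all URLs below are placeholders.

# rate_kbps BYTES SECONDS -> integer KB/s (0 when SECONDS is 0, which
# happens when the file is too small for 1 s timer resolution).
rate_kbps() {
    awk -v b="$1" -v s="$2" \
        'BEGIN { if (s <= 0) print 0; else printf "%d\n", b / 1024 / s }'
}

# classify RATE BASELINE -> "slow" if RATE is under half of BASELINE,
# otherwise "ok" (a baseline of 0 cannot be compared, so "ok").
classify() {
    awk -v r="$1" -v base="$2" \
        'BEGIN { if (base > 0 && r * 2 < base) print "slow"; else print "ok" }'
}

# time_fetch URL -> prints "BYTES SECONDS" on stdout; non-zero on failure.
time_fetch() {
    url=$1
    tmp=$(mktemp) || return 1
    start=$(date +%s)
    if command -v fetch >/dev/null 2>&1; then
        fetch -q -o "$tmp" "$url" || { rm -f "$tmp"; return 1; }
    else
        curl -sS -o "$tmp" "$url" || { rm -f "$tmp"; return 1; }
    fi
    end=$(date +%s)
    bytes=$(wc -c < "$tmp" | tr -d ' ')
    rm -f "$tmp"
    echo "$bytes $((end - start))"
}

# run_matrix: fetch the same file from each vantage point in the order of
# questions (2) to (5) and print KB/s plus a verdict relative to the
# first scenario. Hostnames are placeholders (assumption, not the OP's setup).
run_matrix() {
    baseline=""
    printf '%-12s %10s %6s\n' scenario KB/s verdict
    for entry in \
        "jail-local=http://localhost/bigfile" \
        "base-system=http://base.example.internal/bigfile" \
        "same-lan=http://lanhost.example.internal/bigfile" \
        "nearby=http://mirror-near.example.net/bigfile" \
        "far-away=http://mirror-far.example.org/bigfile"; do
        name=${entry%%=*}
        url=${entry#*=}
        if res=$(time_fetch "$url"); then
            set -- $res
            rate=$(rate_kbps "$1" "$2")
            [ -z "$baseline" ] && baseline=$rate
            printf '%-12s %10s %6s\n' "$name" "$rate" \
                "$(classify "$rate" "$baseline")"
        else
            printf '%-12s %10s %6s\n' "$name" n/a fail
        fi
    done
}

# Run the matrix only when invoked as: sh fetch-matrix.sh run
if [ "${1:-}" = run ]; then
    run_matrix
fi
```

Run it once from inside the VNET jail and once from the base system; if the jail-local and base-system rows are fine but the same-LAN row is already slow, the problem is in the bridge/epair or pf path rather than on the WAN, and `dmesg` and `pfctl -si` on the base system are the next things to look at.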