On 27.05.20 10:06, Tom Marcoen wrote:
Hey all,
I'm new to this mailing list and also quite new to FreeBSD (hurray, welcome
to me!) so bear with me, please.
I'm reading up on Netgraph on how I can integrate it with FreeBSD jails and
I was looking at some of the examples provided in
/usr/share/examples/netgraph and now have the following question.
The udp.tunnel example shows an iface point-to-point connection but it is
unencrypted. Of course I could encrypt it with an IPsec tunnel on the host
or tunnel it through SSH, but I was wondering whether there exists a nice
Netgraph solution, e.g. a node with two hooks, receiving unencrypted
traffic on the inside hook and sending out encrypted traffic on the outside
hook.
Netgraph is a very flexible tool, but not needed for this. First of all
if_bridge(4) just got a massive throughput gain by at least a factor of
5 in 13-current and 12-stable. Next you would be reinventing the wheel
with ng_bridge and ng_ksocket to tunnel ethernet in UDP. As soon as you
have more than two jail hosts you'll run into new problems.
The canonical solution to your problem is VXLAN. This allows you to
learn traffic to the unicast tunnel endpoint address for unicast
traffic and multicast the rest. These encapsulations have been invented
to allow emulating a shared layer 2 Ethernet network per tenant. Unless
your jails are VNET enabled and your jail admins require a shared layer
2 network you can avoid most of this overhead with dynamic routing. I
know this sounds a lot like "you're holding it wrong". Your approach
would work, but it would cripple performance unless you can wait for
FreeBSD 12.2 and switch from netgraph to if_bridge(4). Routing is fast
(enough) in the existing FreeBSD releases and in my opinion the cleaner
solution, but it complicates hosting services expecting a shared layer 2,
e.g. mDNS and DLNA require either multicast routing or proxies.
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
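As an added illustration (not code from either poster), the following decodes the VXLAN encapsulation the reply recommends: an 8-byte header (flags byte with the "I" bit, a 24-bit VNI identifying the tenant segment) followed by the tenant's Ethernet frame, carried in the clear over UDP/4789. The sample datagram, the function names and the VNI 108 are constructed for this example; the point for the original question is that VXLAN itself adds no confidentiality, so anyone who can see the underlay sees the inner frame and the VNI, and encryption still has to come from the underlay (e.g. the IPsec tunnel mentioned above).

```python
"""Decode and build VXLAN-in-UDP datagrams (RFC 7348: 8-byte header, VNI in bytes 4..6)."""
import struct

VXLAN_PORT = 4789            # IANA-assigned VXLAN UDP port
VXLAN_FLAG_VNI_VALID = 0x08  # "I" bit: the VNI field is valid
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def parse_vxlan(udp_payload: bytes) -> dict:
    """Parse the VXLAN header plus the inner Ethernet header of one UDP payload.

    Returns the VNI (tenant segment id), inner MACs, inner EtherType and the
    inner payload. Raises ValueError on malformed input.
    """
    if len(udp_payload) < 8 + 14:
        raise ValueError("too short for VXLAN header plus inner Ethernet header")
    flags = udp_payload[0]
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN 'I' flag not set; VNI is not valid")
    # bytes 1..3 and byte 7 are reserved; a receiver ignores them (RFC 7348)
    vni = int.from_bytes(udp_payload[4:7], "big")
    inner = udp_payload[8:]
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", inner[:14])
    return {
        "vni": vni,
        "dst_mac": dst_mac.hex(":"),
        "src_mac": src_mac.hex(":"),
        "ethertype": ethertype,
        "proto": ETHERTYPE_NAMES.get(ethertype, "unknown"),
        "payload": inner[14:],  # tenant data, not encrypted by VXLAN
    }


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Encapsulate an Ethernet frame the way a VTEP does (I flag, VNI, reserved zero)."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI must fit in 24 bits")
    return bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + inner_frame


# Constructed sample: tenant VNI 108 carrying the start of an ARP request (EtherType 0x0806)
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff")         # broadcast destination MAC
                + bytes.fromhex("02aabbccdd01")        # locally administered source MAC
                + b"\x08\x06" + b"\x00\x01\x08\x00\x06\x04\x00\x01")
SAMPLE_DATAGRAM = build_vxlan(108, SAMPLE_FRAME)

if __name__ == "__main__":
    info = parse_vxlan(SAMPLE_DATAGRAM)
    print(f"VNI {info['vni']}: {info['src_mac']} -> {info['dst_mac']} {info['proto']}, "
          f"{len(info['payload'])} payload bytes visible in the clear")
```

Feeding the same parser the UDP payloads of port-4789 traffic from a capture gives per-VNI (per-tenant) visibility for monitoring, which is exactly what a passive observer on the underlay also gets.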