Hey Jan,

I know about the vast performance improvements with if_bridge(4) (thank you, Kristof Provost). The problem with using it for jails is that once you have a lot of jails, your host gets way too many epair interfaces in its ifconfig, which I really do not like. So I would prefer using Netgraph.

I don't understand why everyone is doing everything they can _not_ to use Netgraph?

On Mon, 8 Jun 2020 at 13:47, Jan Bramkamp <cr...@rlwinm.de> wrote:

> On 27.05.20 10:06, Tom Marcoen wrote:
> > Hey all,
> >
> > I'm new to this mailing list and also quite new to FreeBSD (hurray,
> > welcome to me!) so bear with me, please.
> >
> > I'm reading up on Netgraph on how I can integrate it with FreeBSD jails
> > and I was looking at some of the examples provided in
> > /usr/share/examples/netgraph and now have the following question.
> > The udp.tunnel example shows an iface point-to-point connection but it is
> > unencrypted. Of course I could encrypt it with an IPsec tunnel on the
> > host or tunnel it through SSH, but I was wondering whether there exists a
> > nice Netgraph solution, e.g. a node with two hooks, receiving unencrypted
> > traffic on the inside hook and sending out encrypted traffic on the
> > outside hook.
>
> Netgraph is a very flexible tool, but not needed for this. First of all
> if_bridge(4) just got a massive throughput gain by at least a factor of
> 5 in 13-current and 12-stable. Next you would be reinventing the wheel
> with ng_bridge and ng_ksocket to tunnel ethernet in UDP. As soon as you
> have more than two jail hosts you'll run into new problems.
>
> The canonical solution to your problem is VXLAN. This allows you to
> learn traffic to the unicast tunnel endpoint address for unicast
> traffic and multicast the rest. These encapsulations have been invented
> to allow emulating a shared layer 2 Ethernet network per tenant. Unless
> your jails are VNET enabled and your jail admins require a shared layer
> 2 network you can avoid most of this overhead with dynamic routing. I
> know this sounds a lot like "you're holding it wrong". Your approach
> would work, but it would cripple performance unless you can wait for
> FreeBSD 12.2 and switch from netgraph to if_bridge(4). Routing is fast
> (enough) in the existing FreeBSD releases and in my opinion the cleaner
> solution, but it complicates hosting services expecting a shared layer 2,
> e.g. mDNS and DLNA require either multicast routing or proxies.
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
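Tom's reason for preferring Netgraph above is that every epair leaves its host half in the host's ifconfig. As an added example (not code from the thread or from FreeBSD itself), the script below shows the ng_bridge/ng_eiface layout in which the host side of each jail link is a netgraph hook rather than an interface; it assumes netgraph is loaded, a NIC named em0, a jail named www with a placeholder MAC, and that `ngctl msg <node>: getifname` answers in the `Args: "..."` shape used for the constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread: one ng_bridge(4) per NIC and one
# ng_eiface(4) per jail. The host side of each jail link is a netgraph hook,
# not an interface, so ifconfig on the host does not fill up with epairs.
# Assumes FreeBSD with netgraph loaded; "em0", jail "www" and the MAC are
# placeholders. DRY_RUN defaults to 1 (print the plan); DRY_RUN=0 applies it.
set -eu
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Splice a bridge between the NIC's lower (wire) and upper (host stack)
# hooks; the node is named "<nic>bridge" and the host keeps using <nic>.
ng_bridge_setup() {
    nic=$1
    run ngctl mkpeer "${nic}:" bridge lower link0
    run ngctl name "${nic}:lower" "${nic}bridge"
    run ngctl connect "${nic}:" "${nic}bridge:" upper link1
    run ngctl msg "${nic}:" setpromisc 1   # accept the jails' MACs off the wire
    run ngctl msg "${nic}:" setautosrc 0   # do not rewrite their source MAC
}

# Attach one eiface on bridge link <n>, name the node after the jail and pin a
# locally administered MAC, so the address is stable for switch-port and
# firewall rules instead of being generated anew at each boot.
ng_jail_attach() {
    nic=$1 jail=$2 n=$3 mac=$4
    run ngctl mkpeer "${nic}bridge:" eiface "link${n}" ether
    run ngctl name "${nic}bridge:link${n}" "$jail"
    run ngctl msg "${jail}:" set "$mac"
}

# Pull the ngethN name out of `ngctl msg <jail>: getifname` output (stdin);
# that name is what jail.conf's vnet.interface needs.
parse_ifname() {
    sed -n 's/^Args:[[:space:]]*"\([^"]*\)".*/\1/p'
}
# Constructed ngctl response, in the shape ngctl prints, for the dry run.
SAMPLE_GETIFNAME="Rec'd response \"getifname\" (1) from \"[1f]:\":
Args: \"ngeth0\""

ng_bridge_setup em0
ng_jail_attach em0 www 2 02:00:00:00:00:01
if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$SAMPLE_GETIFNAME" | parse_ifname   # -> ngeth0
else
    ngctl msg www: getifname | parse_ifname
fi
```

After the interface has been moved into the jail with vnet.interface, only the bridge node and its hooks remain on the host side, which is the difference from the epair approach Tom objects to.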