On Mon, 8 Jun 2020 15:36:42 +0200 Tom Marcoen <tom.marc...@gmail.com> wrote:

> Hey Jan,
>
> I know about the vast performance improvements with if_bridge(4)
> (Thank you, Kristof Provost); the problem with using it for jails is
> that once you have a lot of jails, your host gets way too many epair
> interfaces in its ifconfig, which I really do not like. So I would
> prefer using Netgraph.
>
> I don't understand why everyone is doing everything they can _not_
> to use Netgraph?

Netgraph is very cool and underrated indeed. A part of the problem might
be that people may find it easier to construct if_bridge configurations
than to spend some time learning how to establish the same functionality
using netgraph, which requires a few more steps. I was one of such lazy
persons myself...

But a more down-to-the-earth problem with ng_bridge may be that it is
single-threaded (look around line 319 in sys/netgraph/ng_bridge.c), which
most likely is going to make it less performant than if_bridge (after
recent improvements).

> On Mon, 8 Jun 2020 at 13:47, Jan Bramkamp <cr...@rlwinm.de> wrote:
>
> > On 27.05.20 10:06, Tom Marcoen wrote:
> > > Hey all,
> > >
> > > I'm new to this mailing list and also quite new to FreeBSD (hurray,
> > > welcome to me!) so bear with me, please.
> > >
> > > I'm reading up on Netgraph on how I can integrate it with FreeBSD
> > > jails and I was looking at some of the examples provided in
> > > /usr/share/examples/netgraph and now have the following question.
> > > The udp.tunnel example shows an iface point-to-point connection
> > > but it is unencrypted. Of course I could encrypt it with an IPsec
> > > tunnel on the host or tunnel it through SSH, but I was wondering
> > > whether there exists a nice Netgraph solution, e.g. a node with two
> > > hooks, receiving unencrypted traffic on the inside hook and sending
> > > out encrypted traffic on the outside hook.
> >
> > Netgraph is a very flexible tool, but not needed for this. First of
> > all if_bridge(4) just got a massive throughput gain by at least a
> > factor of 5 in 13-current and 12-stable. Next you would be
> > reinventing the wheel with ng_bridge and ng_ksocket to tunnel
> > ethernet in UDP. As soon as you have more than two jail hosts
> > you'll run into new problems.
> >
> > The canonical solution to your problem is VXLAN. This allows you to
> > learn traffic to the unicast tunnel endpoint address for unicast
> > traffic and multicast the rest. These encapsulations have been
> > invented to allow emulating a shared layer 2 Ethernet network per
> > tenant. Unless your jails are VNET enabled and your jail admins
> > require a shared layer 2 network you can avoid most of this
> > overhead with dynamic routing. I know this sounds a lot like
> > "you're holding it wrong". Your approach would work, but it would
> > cripple performance unless you can wait for FreeBSD 12.2 and switch
> > from netgraph to if_bridge(4). Routing is fast (enough) in the
> > existing FreeBSD releases and in my opinion the cleaner solution,
> > but it complicates hosting services expecting a shared layer 2, e.g.
> > mDNS and DLNA require either multicast routing or proxies.
> >
> > _______________________________________________
> > freebsd-net@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-net
> > To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
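The Netgraph-instead-of-epair jail setup Tom says he prefers, as an added example that is not code from the thread or from the FreeBSD examples tree: one ng_bridge node per host NIC, one ng_eiface per jail moved into that jail's VNET, so the host's ifconfig lists only the physical NIC. It assumes a FreeBSD host with the ng_ether, ng_bridge and ng_eiface modules loaded and a running VNET jail; the node names, helper names and the sample `ngctl show` output are this example's own constructions.

```shell
# Added example, not code from the thread: attach VNET jails to a host NIC via
# ng_bridge/ng_eiface instead of if_bridge/epair, so the host's ifconfig keeps
# showing only the physical NIC. Assumes FreeBSD with ng_ether, ng_bridge and
# ng_eiface loaded and the jail running; node names are this script's own.
set -eu

# ngctl(8) steps hanging an ng_bridge node off NIC $1 (once per NIC): the
# NIC's lower hook becomes link0, its upper hook (the host stack) link1.
ng_bridge_cmds() {
    printf '%s\n' \
        "ngctl mkpeer ${1}: bridge lower link0" \
        "ngctl name ${1}:lower ${1}bridge" \
        "ngctl connect ${1}: ${1}bridge: upper link1" \
        "ngctl msg ${1}: setpromisc 1" \
        "ngctl msg ${1}: setautosrc 0"
}
# Steps creating an ng_eiface for jail $2 on hook link$3 of NIC $1's bridge.
ng_jail_cmds() {
    printf '%s\n' \
        "ngctl mkpeer ${1}bridge: eiface link${3} ether" \
        "ngctl name ${1}bridge:link${3} ng_${2}"
}
# Read `ngctl show <nic>bridge:` on stdin, print the lowest unused linkN
# number >= 2 (link0/link1 belong to the NIC itself).
next_free_link() {
    awk '$1 ~ /^link[0-9]+$/ { sub(/^link/, "", $1); used[$1] = 1 }
         END { n = 2; while (n in used) n++; print n }'
}
# Pull the ngethN name out of `ngctl msg ng_<jail>: getifname` output.
eiface_name() { sed -n 's/^Args:[[:space:]]*"\(.*\)"$/\1/p'; }

# Constructed sample of `ngctl show em0bridge:` with one jail already attached.
SAMPLE_SHOW='  Name: em0bridge   Type: bridge   ID: 00000006   Num hooks: 3
  Local hook      Peer name       Peer type    Peer ID         Peer hook
  link2           ng_www          eiface       00000007        ether
  link1           em0             ether        00000001        upper
  link0           em0             ether        00000001        lower'

# Bridge NIC $1 if not done yet, add an eiface for jail $2 and move it into the
# jail's VNET. Needs root on the host; each ngctl step is echoed before it runs.
ng_attach_jail() {
    ngctl show "${1}bridge:" >/dev/null 2>&1 ||
        ng_bridge_cmds "$1" | while read -r c; do echo "+ $c"; $c; done
    link=$(ngctl show "${1}bridge:" | next_free_link)
    ng_jail_cmds "$1" "$2" "$link" | while read -r c; do echo "+ $c"; $c; done
    eth=$(ngctl msg "ng_${2}:" getifname | eiface_name)
    ifconfig "$eth" name "ng_${2}"   # stable name inside the jail
    ifconfig "ng_${2}" vnet "$2"     # gone from the host's ifconfig from now on
}
if [ $# -ge 2 ]; then ng_attach_jail "$1" "$2"; fi
```

Invoked as root with a NIC and a jail name (e.g. `sh ng_jail.sh em0 www`); with no arguments it only defines the helpers.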