On Netgraph
Jan Bramkamp
crest at rlwinm.de
Mon Jun 8 11:47:15 UTC 2020
On 27.05.20 10:06, Tom Marcoen wrote:
> Hey all,
>
> I'm new to this mailing list and also quite new to FreeBSD (hurray, welcome
> to me!) so bear with me, please.
>
> I'm reading up on Netgraph on how I can integrate it with FreeBSD jails and
> I was looking at some of the examples provided in
> /usr/share/examples/netgraph and now have the following question.
> The udp.tunnel example shows an iface point-to-point connection but it is
> unencrypted. Of course I could encrypt it with an IPsec tunnel on the host
> or tunnel it through SSH, but I was wondering whether there exists a nice
> Netgraph solution, e.g. a node with two hooks, receiving unencrypted
> traffic on the inside hook and sending out encrypted traffic on the outside
> hook.
Netgraph is a very flexible tool, but not needed for this. First of all
if_bridge(4) just got a massive throughput gain by at least a factor of
5 in 13-current and 12-stable. Next you would be reinventing the wheel
with ng_bridge and ng_ksocket to tunnel Ethernet in UDP. As soon as you
have more than two jail hosts you'll run into new problems.

The canonical solution to your problem is VXLAN. This allows you to
learn the unicast tunnel endpoint address for unicast traffic and
multicast the rest. These encapsulations have been invented to allow
emulating a shared layer 2 Ethernet network per tenant. Unless your
jails are VNET enabled and your jail admins require a shared layer 2
network you can avoid most of this overhead with dynamic routing. I
know this sounds a lot like "you're holding it wrong". Your approach
would work, but it would cripple performance unless you can wait for
FreeBSD 12.2 and switch from netgraph to if_bridge(4). Routing is fast
(enough) in the existing FreeBSD releases and in my opinion the cleaner
solution, but it complicates hosting services expecting a shared layer 2,
e.g. mDNS and DLNA, which require either multicast routing or proxies.
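The VXLAN-over-if_bridge(4) setup recommended above, written out as an
rc.conf(5) fragment. This is an added example, not part of the thread or
of the FreeBSD examples directory; the interface names (em0, vxlan0,
bridge0), the VNI, the addresses and the multicast group are assumptions
chosen for illustration. It uses only the vxlan(4) options documented in
ifconfig(8) (vxlanid, vxlanlocal, vxlanremote, vxlangroup, vxlandev) and the
generic cloned_interfaces / create_args_<ifn> / ifconfig_<ifn> knobs.

```shell
# /etc/rc.conf fragment (added example; em0, vxlan0, bridge0, VNI 42,
# 192.0.2.0/24 and 239.1.1.42 are assumptions, not values from the thread).
#
# vxlan0 encapsulates tenant Ethernet frames in UDP over the underlay NIC
# em0. In multicast mode vxlan(4) learns the unicast tunnel endpoint for
# each remote MAC it sees and floods unknown-destination, broadcast and
# multicast frames to the group, which is the behaviour described above.
cloned_interfaces="bridge0 vxlan0"
create_args_vxlan0="vxlanid 42 vxlanlocal 192.0.2.10 vxlangroup 239.1.1.42 vxlandev em0"
ifconfig_vxlan0="up"

# bridge0 is the per-tenant layer 2 segment on this host: the VXLAN uplink
# is a member here; the host ends of the jails' epair(4) interfaces are
# added by jail(8) when each VNET jail starts.
ifconfig_bridge0="addm vxlan0 up"

# Variant for exactly two hosts: a point-to-point tunnel, no multicast on
# the underlay required (replaces the create_args_vxlan0 line above).
# create_args_vxlan0="vxlanid 42 vxlanlocal 192.0.2.10 vxlanremote 192.0.2.20"
```

Two caveats a practitioner should keep in mind. VXLAN adds 50 bytes of
encapsulation per frame, so either raise the MTU on the underlay NIC or
accept a smaller MTU inside the tenant network. And like the udp.tunnel
example, VXLAN carries the tenant frames in clear UDP; it does not answer
the original encryption question, so on an untrusted underlay it still
needs to be paired with IPsec between the hosts, as the question already
suggests.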