On Netgraph

Tom Marcoen tom.marcoen at gmail.com
Mon Jun 8 13:36:57 UTC 2020


Hey Jan,

I know about the vast performance improvements with if_bridge(4) (Thank
you, Kristof Provost), the problem with using it for jails is that once you
have a lot of jails, your host gets way too many epair interfaces in its
ifconfig, which I really do not like. So I would prefer using Netgraph.

I don't understand why everyone is doing everything they can _not_ to use
Netgraph?

On Mon, 8 Jun 2020 at 13:47, Jan Bramkamp <crest at rlwinm.de> wrote:

> On 27.05.20 10:06, Tom Marcoen wrote:
> > Hey all,
> >
> > I'm new to this mailing list and also quite new to FreeBSD (hurray, welcome
> > to me!) so bear with me, please.
> >
> > I'm reading up on Netgraph on how I can integrate it with FreeBSD jails and
> > I was looking at some of the examples provided in
> > /usr/share/examples/netgraph and now have the following question.
> > The udp.tunnel example shows an iface point-to-point connection but it is
> > unencrypted. Of course I could encrypt it with an IPsec tunnel on the host
> > or tunnel it through SSH, but I was wondering whether there exists a nice
> > Netgraph solution, e.g. a node with two hooks, receiving unencrypted
> > traffic on the inside hook and sending out encrypted traffic on the outside
> > hook.
>
> Netgraph is a very flexible tool, but not needed for this. First of all
> if_bridge(4) just got a massive throughput gain by at least a factor of
> 5 in 13-current and 12-stable. Next you would be reinventing the wheel
> with ng_bridge and ng_ksocket to tunnel ethernet in UDP. As soon as you
> have more than two jail hosts you'll run into new problems.
>
> The canonical solution to your problem is VXLAN. This allows you to
> learn traffic to the unicast tunnel endpoint address for unicast
> traffic and multicast the rest. These encapsulations have been invented
> to emulate a shared layer 2 Ethernet network per tenant. Unless
> your jails are VNET enabled and your jail admins require a shared layer
> 2 network you can avoid most of this overhead with dynamic routing. I
> know this sounds a lot like "you're holding it wrong". Your approach
> would work, but it would cripple performance unless you can wait for
> FreeBSD 12.2 and switch from netgraph to if_bridge(4). Routing is fast
> (enough) in the existing FreeBSD releases and in my opinion the cleaner
> solution, but it complicates hosting services expecting a shared layer 2,
> e.g. mDNS and DLNA require either multicast routing or proxies.
>
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
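The VXLAN behaviour Jan describes in the quoted reply (unicast to a tunnel endpoint the VTEP has learned, multicast everything else) is easy to misread, so here is a small model of it. This is an added example, not code from this thread and not FreeBSD's if_vxlan implementation: it encodes the 8-byte VXLAN header from RFC 7348 on UDP port 4789, parses the inner Ethernet addresses, and keeps a per-VNI forwarding table that learns "source MAC -> remote VTEP" on ingress. The MAC and IP addresses, the VNI 100 and the multicast group are all constructed for the demo. Note that the VXLAN header carries no integrity or confidentiality protection at all, which is the same gap the original poster raised about udp.tunnel; the thread's own answer (IPsec between the hosts) applies to VXLAN just as much.

```python
import struct

VXLAN_PORT = 4789            # IANA-assigned UDP port for VXLAN (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08  # "I" flag: the VNI field is valid


def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)
    return header + inner_frame


def vxlan_decap(packet: bytes) -> tuple[int, bytes]:
    """Split a VXLAN datagram payload into (vni, inner Ethernet frame)."""
    if len(packet) < 8:
        raise ValueError("short VXLAN packet")
    flags, vni_field = struct.unpack("!B3xI", packet[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    return vni_field >> 8, packet[8:]


def eth_addrs(frame: bytes) -> tuple[bytes, bytes]:
    """Return (dst MAC, src MAC) of an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    return frame[0:6], frame[6:12]


def is_group_addr(mac: bytes) -> bool:
    """True for multicast and broadcast MACs (I/G bit of the first octet)."""
    return bool(mac[0] & 0x01)


def make_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet II frame (constructed test input)."""
    return dst + src + struct.pack("!H", ethertype) + payload


class VxlanSegment:
    """One VNI on one VTEP, with the learning rule from the thread:
    unicast to a learned endpoint, flood unknown/group traffic to the group."""

    def __init__(self, vni: int, local_ip: str, group_ip: str):
        self.vni = vni
        self.local_ip = local_ip
        self.group_ip = group_ip
        self.fdb: dict[bytes, str] = {}  # inner MAC -> remote VTEP IP

    def egress(self, frame: bytes) -> tuple[str, bytes]:
        """Encapsulate a frame from a local jail; returns (outer dst IP, payload)."""
        dst, _ = eth_addrs(frame)
        if is_group_addr(dst) or dst not in self.fdb:
            target = self.group_ip      # unknown or group: multicast the rest
        else:
            target = self.fdb[dst]      # learned: unicast to that VTEP
        return target, vxlan_encap(self.vni, frame)

    def ingress(self, src_ip: str, payload: bytes):
        """Handle a datagram from another VTEP; learns src MAC -> VTEP."""
        vni, frame = vxlan_decap(payload)
        if vni != self.vni:
            return None                 # different segment, not ours
        _, src_mac = eth_addrs(frame)
        if not is_group_addr(src_mac):  # never learn a group address as a source
            self.fdb[src_mac] = src_ip
        return frame


def demo() -> tuple[str, str, str]:
    """Two hosts, one VNI: ARP floods, the reply and data go unicast."""
    mac_a = bytes.fromhex("02aabbccdd01")   # constructed jail MACs
    mac_b = bytes.fromhex("02aabbccdd02")
    bcast = b"\xff" * 6
    host1 = VxlanSegment(100, "192.0.2.1", "239.1.1.1")
    host2 = VxlanSegment(100, "192.0.2.2", "239.1.1.1")

    arp = make_frame(bcast, mac_a, 0x0806, b"who-has B?")
    t1, p1 = host1.egress(arp)              # unknown dst -> multicast group
    host2.ingress("192.0.2.1", p1)          # host2 learns A -> 192.0.2.1

    reply = make_frame(mac_a, mac_b, 0x0806, b"B is here")
    t2, p2 = host2.egress(reply)            # A is learned -> unicast
    host1.ingress("192.0.2.2", p2)          # host1 learns B -> 192.0.2.2

    data = make_frame(mac_b, mac_a, 0x0800, b"hello")
    t3, _ = host1.egress(data)              # B is learned -> unicast
    return t1, t2, t3


if __name__ == "__main__":
    print(demo())
```

The `fdb` dictionary is the part that matters operationally: every MAC a remote VTEP sends you is learned from an unauthenticated UDP datagram, so anyone who can inject packets on the underlay can steer a tenant's traffic, which is why the VTEP-to-VTEP path is normally placed behind IPsec or on a dedicated underlay.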
