performance issue within VNET jail

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Sat Dec 23 13:12:03 UTC 2017


On 22 Dec 2017, at 20:30, Michael Grimm wrote:

> Hi —
>
> [ I am including freebsd-pf at FreeBSD.org now and removing freebsd-jail at FreeBSD.org ]
> [ Thread starts at https://lists.freebsd.org/pipermail/freebsd-net/2017-December/049470.html ]
>>>
>>> (#) there is a *dramatic* performance loss (TCP) when:
>>>
>>> 	(-) fetching files from outside through PF/extIF via bridge to jail
…
>>>
>>> Thanks for your suggestions so far, but I am lost here. Any ideas?
>>
>> It seems to me to be some kind of bug in PF.
>> I personally never tried it; I use ipfw and it works just fine.
>
> Before testing IPFW (which I have never used before) I'd like to ask the experts in freebsd-pf at FreeBSD.org about possible tests/tweaks regarding PF.


OK, these setups are too complicated; I am not fully getting it.
Can you please just describe, in all detail, the one case that doesn’t work well, and ignore all the others for a moment?

(a) what’s the external host interface?
(b) pf runs on the base system?
(c) you are bridging into a VNET jail?  How exactly?  Are you bridging to epairs?
(d) where exactly are you NATing?
(e) why are you bridging and NATing?  That makes little sense to me.  Couldn’t you NAT and forward, or just bridge?
(f) what’s inside the VNET jail?  Another pf or anything?
(g) out of curiosity, does dmesg on the base system indicate anything?


To understand your performance problem better:

(1) you are doing a fetch of a rather large file to test from within the VNET jail?  Or what are you fetching?  Are you using fetch?
(2) if you fetch from within the same VNET jail, does that perform?
(3) if you fetch something to the VNET jail from the base system, just going through your internal setup but not leaving the machine, does that still perform?
(4) if you fetch something to the VNET jail from the same LAN (if possible to test), does that perform?
(5) if you fetch something to the VNET jail from a close-by location, does that make a difference compared to something on the other side of the planet?


/bz
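The questions above amount to a triage procedure: record the facts of the setup (a)-(g), then measure the same fetch from successively more distant vantage points (1)-(5) until the throughput drop appears. The script below is an added example, not code from this thread or from the FreeBSD project; it assumes FreeBSD base tools (ifconfig, pfctl, jls, fetch) and falls back to curl where fetch is missing. The labels "setup" and "fetch" and the helper names are my own choices.

```sh
#!/bin/sh
# Added triage helper (constructed example, not from the thread or from FreeBSD).
# "setup" gathers the facts asked in (a)-(g); "fetch <label> <url>" times one
# download so the vantage points in (1)-(5) can be compared with one yardstick.
# Every tool is probed first, so the script also runs where a tool is absent.

# Run a command if it exists, otherwise record that it is unavailable.
show() {
  if command -v "$1" >/dev/null 2>&1; then
    printf '### %s\n' "$*"
    "$@" 2>&1
  else
    printf '### %s: not available on this host\n' "$1"
  fi
}

# (a)-(g): interfaces, bridges and epair members; pf status, NAT and filter
# rules; jails (jls -v shows the vnet flag); TCP tunables; kernel messages.
collect_setup() {
  show ifconfig -a
  show pfctl -s info
  show pfctl -s nat
  show pfctl -s rules
  show jls -v
  show sysctl net.inet.tcp.tso net.inet.tcp.sendspace net.inet.tcp.recvspace
  show dmesg
}

# Integer kilobytes per second from a byte count and elapsed seconds.
# An elapsed time below one second is counted as one to avoid dividing by zero.
kbps() {
  awk -v b="$1" -v s="$2" 'BEGIN { if (s < 1) s = 1; printf "%d\n", b / 1024 / s }'
}

# Integer percentage of a measured rate relative to a baseline rate.
# Use it to compare step (2) against (3), (3) against (4), and so on.
rate_percent() {
  awk -v base="$1" -v cur="$2" \
    'BEGIN { if (base <= 0) { print 0; exit } printf "%d\n", cur * 100 / base }'
}

# Time one download: $1 is a label (e.g. "jail-from-lan"), $2 the URL.
# Prints "<label> <bytes> <seconds> <KB/s>" on one line.
time_fetch() {
  label=$1; url=$2
  tmp=$(mktemp) || return 1
  start=$(date +%s)
  if command -v fetch >/dev/null 2>&1; then
    fetch -q -o "$tmp" "$url" || { rm -f "$tmp"; return 1; }
  else
    curl -sS -o "$tmp" "$url" || { rm -f "$tmp"; return 1; }
  fi
  end=$(date +%s)
  bytes=$(wc -c < "$tmp" | tr -d ' ')
  rm -f "$tmp"
  secs=$((end - start))
  printf '%s %s %s %s\n' "$label" "$bytes" "$secs" "$(kbps "$bytes" "$secs")"
}

# Usage: "sh triage.sh setup" on the base system, then
# "sh triage.sh fetch base-local http://host/big" and, from inside the jail,
# "jexec <jail> sh triage.sh fetch jail-local http://host/big", and so on
# for the LAN and remote sources in (4) and (5).
case $1 in
  setup) collect_setup ;;
  fetch) time_fetch "$2" "$3" ;;
esac
```

Feed the KB/s column of two runs into rate_percent to see at which step the rate collapses; a drop that first appears when traffic leaves the machine points at the bridge/pf/NAT path rather than at the jail itself.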
