Date:      Sat, 23 Dec 2017 13:11:40 +0000
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        "Michael Grimm" <trashcan@ellael.org>
Cc:        freebsd-net@freebsd.org, freebsd-pf@FreeBSD.org
Subject:   Re: performance issue within VNET jail
Message-ID:  <AD46E22E-8230-47FD-A14D-FDA9E0753746@lists.zabbadoz.net>
In-Reply-To: <53687746-C487-4712-AA52-DE86CE70FDEF@ellael.org>
References:  <4F5EE3F6-0163-4435-8726-56B0D4AE9FAF@ellael.org> <B6446660-9FD2-4C28-A3A2-8AC99624C7FF@sigsegv.be> <8102F5FD-DCFC-4EF8-A443-9E6C9EB1F467@ellael.org> <DB5DE737-7171-4953-AF98-45F1BE7AF09E@sigsegv.be> <8C8A172B-4D4F-4066-8B94-EF5F59E2D345@ellael.org> <5A3D67EC.6010907@grosbein.net> <53687746-C487-4712-AA52-DE86CE70FDEF@ellael.org>

On 22 Dec 2017, at 20:30, Michael Grimm wrote:

> Hi —
>
> [ I am including freebsd-pf@FreeBSD.org now and removing freebsd-jail@FreeBSD.org ]
> [ Thread starts at https://lists.freebsd.org/pipermail/freebsd-net/2017-December/049470.html ]
>>>
>>> (#) there is a *dramatic* performance loss (TCP) when:
>>>
>>> 	(-) fetching files from outside through PF/extIF via bridge to jail
…
>>>
>>> Thanks for your suggestions so far, but I am lost here. Any ideas?
>>
>> It seems to me some kind of bug in the PF.
>> I personally never tried it, I use ipfw and it works just fine.
>
> Before testing IPFW (which I have never used before) I'd like to ask 
> the experts in freebsd-pf@FreeBSD.org about possible tests/tweaks 
> regarding PF.


OK, too complicated setups; I am not getting it fully.
Can you please just describe the one case that doesn’t work well in 
all detail and ignore all the others for a moment?

(a) what’s the external host interface?
(b) pf runs on the base system?
(c) you are bridging into a VNET-jail?  How exactly?  Are you bridging 
to epairs?
(d) where exactly are you NATing?
(e) why are you bridging and NATing?  That makes little sense to me.  
Couldn’t you NAT and forward or just bridge?
(f) what’s inside the VNET jail?  Another pf or anything?
(g) out of curiosity, does dmesg on the base system indicate anything?


To understand your performance problem better:

(1) you are doing a fetch of a rather large file to test from within the 
VNET jail?  Or what are you fetching?  Are you using fetch?
(2) if you fetch from within the same VNET jail does that perform?
(3) if you fetch something to the VNET jail from the base system just 
going through your internal setup but not leaving the machine, does that 
still perform?
(4) if you fetch something to the VNET jail from the same LAN (if 
possible to test) does that perform?
(5) if you fetch something to the VNET jail from a close by location 
does that make a difference to something on the other side of the 
planet?


/bz




