From: Ian Smith
To: Eugene Grosbein
Cc: "Mikhail T.", net@freebsd.org
Date: Tue, 29 Nov 2011 16:59:02 +1100 (EST)
Subject: Re: natd slow, eats up an entire CPU...
Message-ID: <20111129153427.K94374@sola.nimnet.asn.au>
In-Reply-To: <20111128172204.GA28718@rdtc.ru>

On Tue, 29 Nov 2011 00:22:04 +0700, Eugene Grosbein wrote:
> Cc: eivind@dimaga.com, cm@linktel.net, archie@whistle.com,
> brian@awfulhak.org, suutari@iki.fi, net@freebsd.org,
> Eugene Grosbein

I've trimmed ccs except net@, feel free to re-add if desired.

> On Mon, Nov 28, 2011 at 12:12:52PM -0500, Mikhail T. wrote:
> >
> > > Do not use natd, use ipfw nat instead - it uses the same libalias
> > > but completely in kernel and avoids gigantic natd overhead.
> > I guess, I'll have to research this new method... But I don't recall this
> > being a problem with FreeBSD-7.x -- are there some known regressions in
> > natd from 8.x?

I'm not sure, I recall seeing another problem apparently similar not long
ago (100% on one CPU for natd) but can't find it now, and am not sure it
turned out to be a natd problem or a config issue. Anyway, if you update
to ipfw nat and the issue goes away, you'd know soon enough.

> I do not know since there is no reason in using natd with 8.2-STABLE
> where it supports nearly all natd's features including multiple
> NAT instances and shared translation tables.

Yes. There are still a couple of issues regarding rc.firewall 'simple'
and the /etc/rc.d scripts to do with natd vs ipfw nat, especially where
both are enabled, that I offered patches for in these:

http://lists.freebsd.org/pipermail/freebsd-ipfw/2011-January/004500.html
http://lists.freebsd.org/pipermail/freebsd-ipfw/2011-January/004509.html

but due to health, relocation and slackness issues, never followed up in
the correct manner re PRs. I see there've been no subsequent changes to
these scripts on cvsweb, so you (Mikhail) could apply these for your
basis of the rc.firewall 'simple' ruleset, but it's likely enough to be
sure to remove natd_enable from rc.conf when adding firewall_nat_enable,
and using the ipfw nat syntax for open and client as an example.

If you find the ipfw nat section of ipfw(8) a little sparse, you can
still use natd(8) as a reference, modulo the slight changes in terms.

cheers, Ian
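An added example, not from this thread and not the stock rc.firewall: a small sh fragment in the style of rc.firewall that sets up in-kernel ipfw nat on an assumed external interface em0 (NAT instance number 1 is also an assumed choice) and refuses an rc.conf where natd_enable and firewall_nat_enable are both set, the both-enabled case mentioned above.

```shell
#!/bin/sh
# Added example (not from the thread, not the stock rc.firewall): an
# rc.firewall-style fragment using in-kernel ipfw nat instead of divert/natd.
# Assumptions: external interface em0, NAT instance 1. rc.firewall runs ipfw
# through ${fwcmd}; set fwcmd=echo to dry-run the rules without applying them.
fwcmd="${fwcmd:-/sbin/ipfw}"
oif="${firewall_nat_interface:-em0}"   # assumed external interface name

# Refuse a configuration that enables both natd and ipfw nat: both would try
# to translate the same traffic, which is the mixed case the mail warns about.
check_nat_config() {
    if [ "${natd_enable}" = "YES" ] && [ "${firewall_nat_enable}" = "YES" ]; then
        echo "natd_enable and firewall_nat_enable are both set; keep only firewall_nat_enable" >&2
        return 1
    fi
    return 0
}

# In-kernel NAT on ${oif}: configure libalias instance 1 (same_ports keeps
# source ports where possible, unreg_only translates only private addresses,
# reset clears the table when the interface address changes), then send all
# traffic crossing ${oif} through it ahead of the rest of the ruleset.
setup_ipfw_nat() {
    ${fwcmd} nat 1 config if "${oif}" same_ports unreg_only reset
    ${fwcmd} add 50 nat 1 ip from any to any via "${oif}"
}
```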