Date: Sat, 21 Oct 2006 16:08:14 -0600
From: Brett Glass <brett@lariat.net>
To: vova@fbsd.ru
Cc: net@freebsd.org
Subject: Re: Avoiding natd overhead
Message-ID: <200610212208.QAA11801@lariat.net>
In-Reply-To: <1161424493.1489.10.camel@localhost>
References: <200610210648.AAA01737@lariat.net> <1161424493.1489.10.camel@localhost>
At 03:54 AM 10/21/2006, Vladimir Grebenschikov wrote:

> 1. use PF for nat - it does aliasing in kernel space

True, but it doesn't let me translate the packets and then continue processing within the firewall -- which is necessary if you want to catch unregistered destination addresses BEFORE translation and then unregistered source addresses AFTER translation.

> 2. use in-kernel libalias implementation
> (I guess man-page for ng_nat(4) will help)

Same problem. I don't know how I could send packets through a Netgraph node in the middle of processing by IPFW and then bring them back at the next rule.

I suppose that one solution might be, for lack of a better term, a "kernel divert socket," which would pass packets through a kernel module rather than a user process. (This could actually be used to speed up many things for which the current "userland" divert sockets are now used.) It would then be possible to make a "nat.ko" module, and either provide a utility to control it or roll that functionality into ipfw(8).

--Brett
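The rule ordering Brett describes (reject unregistered destinations before the divert, let natd translate, then reject unregistered sources after it), written out as an added ipfw ruleset that is not part of the thread. It assumes the external interface is `em0`, that natd listens on the default `natd` divert port, and that the RFC 1918 ranges stand in for "unregistered" addresses; the script only prints the ruleset unless run with `apply`.

```shell
#!/bin/sh
# Added example: ipfw rules that check private addresses on both sides
# of the natd divert.  em0 and the RFC 1918 ranges are assumptions.
EXT_IF="${EXT_IF:-em0}"
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print the ruleset in ipfw file syntax ("add N ..."), in load order.
# Fixed rule numbers pin the deny rules on either side of the divert.
natd_ruleset() {
    n=100
    # Before translation: a packet received on the outside interface
    # whose destination is still private cannot be legitimate here.
    for net in $PRIVATE_NETS; do
        echo "add $n deny ip from any to $net in recv $EXT_IF"
        n=$((n + 10))
    done
    # Translation: natd rewrites the packet and re-injects it, and
    # ipfw resumes at the rule following the divert.
    echo "add 500 divert natd ip from any to any via $EXT_IF"
    n=600
    # After translation: an outbound packet still carrying a private
    # source was not translated (or never reached natd), so drop it.
    for net in $PRIVATE_NETS; do
        echo "add $n deny ip from $net to any out xmit $EXT_IF"
        n=$((n + 10))
    done
}

# Rule number of the first rule matching a pattern; lets a caller
# verify that the deny rules really bracket the divert.
rule_number() {
    natd_ruleset | grep -- "$1" | head -n 1 | awk '{print $2}'
}

case "$1" in
    apply) natd_ruleset | ipfw -q /dev/stdin ;;   # load into the kernel
    *)     natd_ruleset ;;                        # just print the rules
esac
```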