From: Julian Elischer
Date: Sat, 21 Oct 2006 21:21:15 -0700
To: Brett Glass
Cc: net@freebsd.org
Subject: Re: Avoiding natd overhead
Message-ID: <453AF1BB.7070507@elischer.org>
In-Reply-To: <200610220414.WAA15541@lariat.net>

Brett Glass wrote:
> At 09:50 PM 10/21/2006, Julian Elischer wrote:
>
>> One thing that you need to make sure of is that only the packets that
>> have potential of being of interest to natd are passed to natd.
>
> I do. In fact, this is a capability I would lose if I used ipfilters or
> pf to do NAT, which is why I want to find a way to use a mechanism
> that's triggered by IPFW.
>
> You were the person who invented "divert sockets," were you not? How
> hard would it be to create a mechanism (a sort of "kernel divert
> socket") so that kernel modules and/or netgraph nodes could do the same
> things which are now done by userland processes listening on divert
> sockets? This would boost the performance of any FreeBSD machine that
> did NAT (which many if not most do).

You can, in two ways. Create a netgraph ksocket node of type divert, then
attach that to a netgraph ng_nat node. Or, in 7.0, you can call netgraph
directly; there is a netgraph keyword in ipfw.

>
> --Brett Glass
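
The second option in the reply above (the ipfw `netgraph` keyword feeding an ng_nat node), sketched as an added example that is not part of the original thread or the FreeBSD project's own scripts. The interface name, alias address, hook cookies and rule numbers are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: in-kernel NAT through ipfw's "netgraph" action and ng_nat(4),
# in place of a divert rule plus the userland natd process.
# Constructed values (assumptions): fxp0, 192.0.2.8 (documentation range),
# cookies 60/61, rule numbers 300/400.
EXT_IF="fxp0"          # external interface whose traffic is translated
ALIAS_ADDR="192.0.2.8" # public address ng_nat rewrites to
COOKIE_OUT=60          # ipfw: hook wired to ng_nat "out" (packets to alias)
COOKIE_IN=61           # ipfw: hook wired to ng_nat "in" (replies to de-alias)

# Emit the ngctl script that wires the ipfw: node to a new nat: node.
nat_graph() {
    cat <<EOF
mkpeer ipfw: nat ${COOKIE_OUT} out
name ipfw:${COOKIE_OUT} nat
connect ipfw: nat: ${COOKIE_IN} in
msg nat: setaliasaddr ${ALIAS_ADDR}
EOF
}

# Emit the ipfw rules. Matching only "via EXT_IF" keeps internal traffic
# out of the NAT path, the same filtering discussed for natd in the thread.
nat_rules() {
    echo "add 300 netgraph ${COOKIE_IN} all from any to any in via ${EXT_IF}"
    echo "add 400 netgraph ${COOKIE_OUT} all from any to any out via ${EXT_IF}"
}

# Load ng_ipfw (creates the ipfw: node), build the graph, install the rules.
# Whether a packet coming back from netgraph is accepted or continues at the
# next rule depends on the net.inet.ip.fw.one_pass sysctl.
apply_nat() {
    kldstat -q -m ng_ipfw || kldload ng_ipfw
    nat_graph | ngctl -f -
    nat_rules | while read -r rule; do
        ipfw -q $rule   # unquoted on purpose: split into ipfw arguments
    done
}

# Default is a dry run that only prints what would be applied.
case "${1:-show}" in
    apply) apply_nat ;;
    *)     nat_graph; nat_rules ;;
esac
```

Run with `apply` as root on the FreeBSD router to install the graph and rules; any other invocation only prints them for review.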