From: Lev Serebryakov <lev@FreeBSD.org>
Reply-To: lev@FreeBSD.org
To: Eugene Grosbein, Kristof Provost, Neel Chauhan
Cc: freebsd-net@freebsd.org
Subject: Re: IPFW In-Kernel NAT vs PF NAT Performance
Organization: FreeBSD
Date: Thu, 19 Mar 2020 14:19:55 +0300
List-Id: Networking and TCP/IP with FreeBSD

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

On 19.03.2020 9:42, Eugene Grosbein wrote:

>>> I'd expect both ipfw and pf to happily saturate gigabit links with NAT, even on quite modest hardware.
>>> Are you sure the NAT code is the bottleneck?
>> ipfw nat is very slow, really. There are many reasons, and one of them
>> (easily fixable, but you need to patch sources and rebuild kernel/module) is
>> that `libalias` uses only 4096 buckets in state hashtable by default. So
>> it could saturate 1GBps link if you have 10 TCP connections, but it
>> could not saturate 100Mbit if you have, say, 100K UDP streams.
>
> It's really 4001, which is (and should be) a prime number.

Oh, yes, I forgot this detail.

> Don't you think that now, as ipfw nat builds libalias in kernel context,
> it could scale with maxusers (sys/systm.h)?
>
> Something like (4001 + (maxusers-32)*8) so it grows with the amount of physical memory
> and is kept small for low-memory systems.

IMHO, "maxusers" is useless now. It must be a sysctl, like the size of the
dynamic state table of IPFW itself. I have a low-memory system where the WHOLE
memory is dedicated to firewall/nat, for example. I need really huge tables
(131101) to make it work "bad" and not "terrible".

-- 
// Lev Serebryakov
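A worked model of the sizing question argued in the message above, added here as an example; it is not code from the thread and not FreeBSD's libalias. It fills a chained hash table with 100K constructed UDP flows and reports chain lengths for the 4001-bucket default versus the 131101 buckets Lev mentions, and it evaluates the `4001 + (maxusers-32)*8` formula Eugene proposes. The flow hash is a generic 64-bit mixer chosen for being well distributed, not the hash libalias actually uses; the flow tuples are synthetic; `buckets_for_maxusers`, `is_prime` and `simulate` are names invented for this illustration.

```c
/* Added example (not from the thread, not FreeBSD's libalias): a toy
 * chained-hash NAT state table, used only to show how average and
 * maximum chain length behave when the bucket count is fixed at a small
 * prime (4001) versus a large one (131101) under 100K flows. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Eugene's proposed scaling, quoted from the thread:
 * 4001 + (maxusers - 32) * 8, clamped so small maxusers keeps 4001. */
static unsigned buckets_for_maxusers(unsigned maxusers)
{
    if (maxusers < 32)
        return 4001u;
    return 4001u + (maxusers - 32u) * 8u;
}

/* Trial division is enough: bucket counts are small. A prime modulus
 * is the reason for 4001 rather than 4096, since a power of two would
 * use only the low bits of the hash. */
static int is_prime(unsigned n)
{
    if (n < 2)
        return 0;
    for (unsigned d = 2; d * d <= n; d++)
        if (n % d == 0)
            return 0;
    return 1;
}

struct flow {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint8_t proto;
};

/* Assumed hash: splitmix64-style finaliser over the packed 5-tuple.
 * This is NOT libalias's hash; it is here only to be well mixed. */
static uint64_t flow_hash(const struct flow *f)
{
    uint64_t x = ((uint64_t)f->saddr << 32) | f->daddr;
    x ^= ((uint64_t)f->sport << 24) | ((uint64_t)f->dport << 8) | f->proto;
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

struct chain_stats {
    double avg;       /* flows per bucket = nflows / nbuckets */
    unsigned max;     /* longest chain a lookup may have to walk */
    unsigned empty;   /* buckets that received no flow at all */
};

/* Insert nflows constructed UDP streams (clients in 192.168.0.0/24 with
 * varying source ports, many 10.x DNS destinations) into nbuckets and
 * report chain lengths. Only per-bucket counts are kept; no real entries
 * are allocated. */
static struct chain_stats simulate(unsigned nbuckets, unsigned nflows)
{
    struct chain_stats st = {0.0, 0, 0};
    unsigned *len = calloc(nbuckets, sizeof *len);
    if (len == NULL)
        return st;
    for (unsigned i = 0; i < nflows; i++) {
        struct flow f = {
            .saddr = 0xC0A80000u | (i & 0xffu),           /* 192.168.0.x */
            .daddr = 0x0A000000u + (i / 256u),           /* 10.0.0.0 + n  */
            .sport = (uint16_t)(1024u + (i % 60000u)),
            .dport = 53,
            .proto = 17,                                  /* UDP */
        };
        len[flow_hash(&f) % nbuckets]++;
    }
    for (unsigned b = 0; b < nbuckets; b++) {
        if (len[b] > st.max)
            st.max = len[b];
        if (len[b] == 0)
            st.empty++;
    }
    st.avg = (double)nflows / nbuckets;
    free(len);
    return st;
}

int main(void)
{
    const unsigned sizes[] = {4001u, 131101u};
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        struct chain_stats st = simulate(sizes[i], 100000u);
        printf("%6u buckets (prime=%d): avg chain %.2f, max chain %u, empty %u\n",
               sizes[i], is_prime(sizes[i]), st.avg, st.max, st.empty);
    }
    printf("maxusers=384 -> %u buckets under the proposed formula\n",
           buckets_for_maxusers(384u));
    return 0;
}
```

With 100K flows the 4001-bucket table cannot do better than 25 entries per chain on average (pigeonhole), so every lookup walks tens of entries; at 131101 buckets the average drops below one and the longest chain stays in single digits with a well-mixed hash. The formula only reaches a few thousand extra buckets for typical maxusers values, which is the gap between scaling by maxusers and exposing the size as a sysctl that the message argues about.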