From: Paolo Pisati
To: "Matthew D. Fuller"
Cc: net@freebsd.org
Date: Sun, 22 Oct 2006 16:09:08 +0200
Subject: Re: Avoiding natd overhead
Message-ID: <20061022140908.GA1275@tin.it>
In-Reply-To: <20061021095808.GH75501@over-yonder.net>
References: <200610210648.AAA01737@lariat.net> <20061021095808.GH75501@over-yonder.net>

On Sat, Oct 21, 2006 at 04:58:08AM -0500, Matthew D. Fuller wrote:
> On Sat, Oct 21, 2006 at 12:47:54AM -0600 I heard the voice of
> Brett Glass, and lo! it spake thus:
>
> > How can I replace just the functionality of natd without moving to
> > an entirely new firewall? Can I still select which packets are
> > routed to the NAT engine, and when this occurs during the processing
> > of the packet?
>
> Paolo Pisati's 2005 SoC work on integrating libalias into ipfw might
> fit here. It should move the NAT'ing into the kernel and save all the
> context switches and copies, and (what has me more interested) make it
> much easier to change port forwarding and other rules. The worst
> thing about natd for me isn't performance, it's that I have to blow
> away all the state to change anything.
>
> I think some of the support has been brought in, at least to -CURRENT,
> but I'm not sure, and I'm pretty sure it isn't in RELENG_6 or earlier.
> Paolo?

I've imported into CURRENT the libalias side of the work (mainly modules),
while for the ipfw part (nat&c) there are two things still to talk about:

1) locking of libalias: put an embedded lock into libalias and grab it in
   the different LibAlias* functions? Or leave it outside the library?

2) libalias+nat in kernel: Glebius suggested making the nat part truly
   independent through ipfw_nat.ko. libalias+ipfw nat adds 80kb to the
   entire kernel.

bye
-- 
Paolo

Piso's first law: nothing works as expected!
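To make concrete what Brett asked (choosing which packets reach the NAT engine, and at which point of rule processing), here is an added example that is not part of the thread and not the FreeBSD project's own code. It places the classic natd/divert ruleset beside the in-kernel `ipfw nat` ruleset that the libalias-in-ipfw work later shipped as in FreeBSD 7 (`ipfw nat ... config`, `ipfw_nat.ko`). The interface name `em0`, the inside host `192.168.1.10` and the forwarded port are illustrative placeholders, and the rules go through a command variable that defaults to `echo`, so the script only prints them unless `IPFW=ipfw` is set on a FreeBSD host as root.

```shell
#!/bin/sh
# Added example: userland natd (divert socket) vs in-kernel ipfw nat.
# Interface, inside host and port below are placeholders, not from the thread.
EXT_IF="${EXT_IF:-em0}"
WEB_HOST="${WEB_HOST:-192.168.1.10}"
# Default to printing the ipfw commands; IPFW=ipfw applies them for real
# (root on FreeBSD with ipfw loaded; in-kernel nat needs ipfw_nat.ko).
IPFW="${IPFW:-echo ipfw}"

# Ruleset 1: classic userland NAT. Rule 100 picks the packets that leave
# the kernel for natd and come back translated (one copy each way plus a
# context switch). Changing the port forward means restarting natd, which
# drops its translation state, which is the complaint in the thread.
natd_ruleset() {
    echo "natd -interface $EXT_IF -same_ports -dynamic -redirect_port tcp $WEB_HOST:80 80"
    $IPFW add 100 divert natd ip from any to any via "$EXT_IF"
    $IPFW add 200 allow ip from any to any
}

# Ruleset 2: in-kernel NAT through libalias. Rule 100 selects packets for
# the NAT instance at the same point of processing as the divert rule did,
# but translation happens inside the kernel, and the redirect table can be
# replaced with another 'nat 1 config' without tearing the instance down.
# Whether a translated packet continues down the ruleset after rule 100 is
# governed by the net.inet.ip.fw.one_pass sysctl.
kernel_nat_ruleset() {
    $IPFW nat 1 config if "$EXT_IF" same_ports reset \
        redirect_port tcp "$WEB_HOST:80" 80
    $IPFW add 100 nat 1 ip from any to any via "$EXT_IF"
    $IPFW add 200 allow ip from any to any
}

# Count the rules in a ruleset that still push packets through a divert
# socket; the in-kernel ruleset should report 0.
count_divert() {
    "$1" | grep -c ' divert ' || true
}

# Print the in-kernel ruleset for review (dry run unless IPFW=ipfw).
kernel_nat_ruleset
```

Run it as-is to review the rules, then compare `count_divert natd_ruleset` (1) with `count_divert kernel_nat_ruleset` (0): the only difference the packet sees is that rule 100 now hands it to the kernel-resident libalias instance instead of a userland daemon.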