From owner-freebsd-net@FreeBSD.ORG Wed Jul 2 11:44:18 2003 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 62B7C37B401 for ; Wed, 2 Jul 2003 11:44:18 -0700 (PDT) Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18]) by mx1.FreeBSD.org (Postfix) with SMTP id C1A1E43FE0 for ; Wed, 2 Jul 2003 11:44:17 -0700 (PDT) (envelope-from kudzu@tenebras.com) Received: (qmail 21431 invoked from network); 2 Jul 2003 18:44:16 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by 0 with SMTP; 2 Jul 2003 18:44:16 -0000 Message-ID: <3F0327FE.3030609@tenebras.com> Date: Wed, 02 Jul 2003 11:44:14 -0700 From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.3.1) Gecko/20030425 X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de MIME-Version: 1.0 To: Barney Wolff References: <3F0316DE.3040301@tenebras.com> <20030702183838.GB4179@pit.databus.com> In-Reply-To: <20030702183838.GB4179@pit.databus.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-ipfw@freebsd.org cc: freebsd-net@freebsd.org Subject: Re: Performance improvement for NAT in IPFIREWALL X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Jul 2003 18:44:18 -0000 Barney Wolff wrote: > NAT is not a security feature, Many would disagree with that assertion. > and should be used only where it is > actually necessary to translate addresses, and as far towards the edge > as possible. This is typically where firewalls are found. > If you believe you need to NAT at even 1Gb, I'd look > very hard at the requirements. Sadly, requirements are often exogenous. > The performance hit on crossing the kernel-userspace boundary for natd > is inherent, apart from any code optimization that might be possible. Right, it's the copying of data that creates the ultimate barrier. Ruslan has suggested an analogue to divert that uses ng_ksocket. That might be promising. > But moving NAT into the kernel has great impact on kernel memory usage, > which needs much more care than in user space. NATs can be DoS'd, > and running out of kernel memory can be fatal. Stateful packet filters can be DoS'd.