From: Brett Glass
To: net@freebsd.org
Date: Sat, 21 Oct 2006 00:47:54 -0600
Subject: Avoiding natd overhead
Message-Id: <200610210648.AAA01737@lariat.net>
List-Id: Networking and TCP/IP with FreeBSD

I'm working with a FreeBSD-based router that's using IPFW for policy routing, traffic shaping, and transparent proxying and natd for network address translation. IPFW does these things pretty well (in fact, I don't know if another firewall, like pf, could even do some of these things I'm doing with IPFW), but natd is by far the most CPU-intensive process on the system and is causing it to crumple like a wet towel under heavy loads. How can I replace just the functionality of natd without moving to an entirely new firewall?
Can I still select which packets are routed to the NAT engine, and when this occurs during the processing of the packet?

--Brett Glass