From owner-freebsd-net@FreeBSD.ORG  Sat Oct 21 09:54:58 2006
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
X-Original-To: net@freebsd.org
Delivered-To: freebsd-net@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 60E4416A403
	for <net@freebsd.org>; Sat, 21 Oct 2006 09:54:58 +0000 (UTC)
	(envelope-from vova@sw.ru)
Received: from vbook.fbsd.ru (swsoft-mipt-nat.sw.ru [195.214.233.10])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E681B43D6A
	for <net@freebsd.org>; Sat, 21 Oct 2006 09:54:57 +0000 (GMT)
	(envelope-from vova@sw.ru)
Received: from vova by vbook.fbsd.ru with local (Exim 4.63 (FreeBSD))
	(envelope-from <vova@sw.ru>)
	id 1GbDZ8-0000fy-Cd; Sat, 21 Oct 2006 13:54:54 +0400
From: Vladimir Grebenschikov <vova@fbsd.ru>
To: Brett Glass <brett@lariat.net>
In-Reply-To: <200610210648.AAA01737@lariat.net>
References: <200610210648.AAA01737@lariat.net>
Content-Type: text/plain; charset=KOI8-R
Content-Transfer-Encoding: quoted-printable
Organization: SWsoft
Date: Sat, 21 Oct 2006 13:54:53 +0400
Message-Id: <1161424493.1489.10.camel@localhost>
Mime-Version: 1.0
X-Mailer: Evolution 2.8.1.1 FreeBSD GNOME Team Port 
Sender: Vladimir Grebenschikov <vova@swsoft.com>
Cc: net@freebsd.org
Subject: Re: Avoiding natd overhead
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: vova@fbsd.ru
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Oct 2006 09:54:58 -0000

=F7 =D3=C2, 21/10/2006 =D7 00:47 -0600, Brett Glass =D0=C9=DB=C5=D4:
> I'm working with a FreeBSD-based router that's using IPFW for=20
> policy routing, traffic shaping, and transparent proxying and natd=20
> for network address translation. IPFW does these things pretty well=20
> (in fact, I don't know if another firewall, like pf, could even do=20
> some of these things I'm doing with IPFW), but natd is by far the=20
> most CPU-intensive process on the system and is causing it to=20
> crumple like a wet towel under heavy loads. How can I replace just=20
> the functionality of natd without moving to an entirely new=20
> firewall? Can I still select which packets are routed to the NAT=20
> engine, and when this occurs during the processing of the packet?

Problem is in location of natd functionality.
So, every packet which goes through nat should jump from kernel to
user-space and back. It is really takes a lot of resources.

Solutions:
 1. use PF for nat - it does aliasing in kernel space
 2. use in-kernel libalias implementation=20
    (I guess man-page for ng_nat(4) will help)


> --Brett Glass
>=20
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
--=20
Vladimir B. Grebenschikov
vova@fbsd.ru