Date:      Sat, 21 Oct 2006 04:58:08 -0500
From:      "Matthew D. Fuller" <fullermd@over-yonder.net>
To:        Brett Glass <brett@lariat.net>
Cc:        piso@freebsd.org, net@freebsd.org
Subject:   Re: Avoiding natd overhead
Message-ID:  <20061021095808.GH75501@over-yonder.net>
In-Reply-To: <200610210648.AAA01737@lariat.net>
References:  <200610210648.AAA01737@lariat.net>

On Sat, Oct 21, 2006 at 12:47:54AM -0600 I heard the voice of
Brett Glass, and lo! it spake thus:
>
> How can I replace just the functionality of natd without moving to
> an entirely new firewall? Can I still select which packets are
> routed to the NAT engine, and when this occurs during the processing
> of the packet?

Paolo Pisati's 2005 SoC work on integrating libalias into ipfw might
fit here.  It should move the NAT'ing into the kernel and save all the
context switches and copies, and (what has me more interested) make it
much easier to change port forwarding and other rules.  The worst
thing about natd for me isn't performance, it's that I have to blow
away all the state to change anything.

I think some of the support has been brought in, at least to -CURRENT,
but I'm not sure, and I'm pretty sure it isn't in RELENG_6 or earlier.
Paolo?


-- 
Matthew Fuller     (MF4839)   |  fullermd@over-yonder.net
Systems/Network Administrator |  http://www.over-yonder.net/~fullermd/
           On the Internet, nobody can hear you scream.



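The difference Fuller describes, userland natd fed through a divert socket versus libalias running inside ipfw, can be seen most clearly in the rulesets themselves. The following shell script is an added example, not code from this thread or from Paolo Pisati's project; it uses the `ipfw nat` syntax as it eventually shipped in FreeBSD 7.0 (in 2006 the feature was still in development, as the message notes), and the interface name, rule numbers and LAN prefix are constructed values. Each function emits one ruleset; `apply_rules` only invokes `ipfw` when run as root on a host that has it, and otherwise prints the commands so the script is safe to read or test on any system.

```shell
#!/bin/sh
# Added example (not from the original thread): the same NAT policy written
# for userland natd and for ipfw's in-kernel nat instance.
# Assumptions (constructed values): external interface em0, divert port 8668
# (natd's default), LAN prefix 192.168.1.0/24, rule numbers 100/200.

EXT_IF="${EXT_IF:-em0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DIVERT_PORT="${DIVERT_PORT:-8668}"

# Userland natd: every packet crossing the external interface is pushed
# through the divert socket to the natd process and copied back. Changing a
# redirect means restarting natd, which drops its translation table.
natd_rules() {
    cat <<EOF
add 100 divert $DIVERT_PORT ip4 from any to any via $EXT_IF
add 200 allow ip from any to any
EOF
}

# In-kernel NAT: the nat instance (libalias in the kernel) is configured once,
# and only packets matching the 'nat 1' rule are translated. Re-running the
# 'nat 1 config' line updates the instance in place, so port forwards can be
# changed without tearing the whole thing down.
kernel_nat_rules() {
    cat <<EOF
nat 1 config if $EXT_IF same_ports unreg_only
add 100 nat 1 ip4 from any to any via $EXT_IF
add 200 allow ip from any to any
EOF
}

# Count how many rules in a ruleset hand packets to userland (divert). For the
# in-kernel variant this should be zero.
count_divert_rules() {
    "$1" | grep -c '^add [0-9]* divert' || true
}

# Apply a ruleset with ipfw when we really are root on a host that has ipfw;
# otherwise print the commands that would be run.
apply_rules() {
    if [ "$(id -u)" -eq 0 ] && command -v ipfw >/dev/null 2>&1; then
        "$1" | while read -r line; do ipfw $line; done
    else
        "$1" | sed 's/^/ipfw /'
    fi
}

# Usage: show both rulesets side by side without touching the running firewall.
if [ "${1:-}" = "show" ]; then
    echo "# natd (divert):";   natd_rules
    echo "# in-kernel nat:";   kernel_nat_rules
fi
```

`unreg_only` restricts translation to RFC 1918 source addresses and `same_ports` keeps the original source port where possible; both are options of `ipfw nat config`. Note that `ip4` on the rules keeps IPv6 traffic out of the translator, which natd and libalias do not handle.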