From owner-freebsd-net@FreeBSD.ORG Sat Oct 21 09:58:11 2006
Date: Sat, 21 Oct 2006 04:58:08 -0500
From: "Matthew D. Fuller"
To: Brett Glass
Cc: piso@freebsd.org, net@freebsd.org
Subject: Re: Avoiding natd overhead
Message-ID: <20061021095808.GH75501@over-yonder.net>
References: <200610210648.AAA01737@lariat.net>
In-Reply-To: <200610210648.AAA01737@lariat.net>
List-Id: Networking and TCP/IP with FreeBSD

On Sat, Oct 21, 2006 at 12:47:54AM -0600 I heard the voice of
Brett Glass, and lo! it spake thus:

> How can I replace just the functionality of natd without moving to
> an entirely new firewall? Can I still select which packets are
> routed to the NAT engine, and when this occurs during the processing
> of the packet?

Paolo Pisati's 2005 SoC work on integrating libalias into ipfw might fit
here. It should move the NAT'ing into the kernel and save all the context
switches and copies, and (what has me more interested) make it much easier
to change port forwarding and other rules. The worst thing about natd for
me isn't performance, it's that I have to blow away all the state to change
anything.

I think some of the support has been brought in, at least to -CURRENT, but
I'm not sure, and I'm pretty sure it isn't in RELENG_6 or earlier.

Paolo?

-- 
Matthew Fuller     (MF4839)   |  fullermd@over-yonder.net
Systems/Network Administrator |  http://www.over-yonder.net/~fullermd/
           On the Internet, nobody can hear you scream.
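Added example, not part of the thread: an ipfw rules script that places the natd divert setup Brett asks about beside the in-kernel `ipfw nat` form that the libalias integration provided in later FreeBSD releases, so the rule number decides which packets reach the NAT engine and at what point in processing. The interface name, addresses, rule numbers and the IPFW override variable are assumptions.

```shell
#!/bin/sh
# Hypothetical ipfw rules file (loaded via firewall_script in rc.conf).
# Setting IPFW=echo in the environment dry-runs it without touching the kernel.
ext_if="em0"              # assumed external interface
web_srv="192.168.1.10"    # assumed internal host with a port forward

fw() { ${IPFW:-ipfw -q} "$@"; }

# Userland path: rule 100 diverts matching packets to natd (port "natd" in
# /etc/services), which rewrites them in userspace and reinjects them, so
# every translated packet crosses the kernel/user boundary twice. natd would
# run as:  natd -n em0 -redirect_port tcp 192.168.1.10:80 80
# and changing that redirect means restarting natd and losing its state table.
natd_rules() {
    fw add 100 divert natd ip from any to any via "$ext_if"
}

# In-kernel path: NAT instance 1 takes the same options natd did, and an
# ordinary rule at the same position selects which traffic it translates.
ipfw_nat_rules() {
    fw nat 1 config if "$ext_if" same_ports unreg_only \
        redirect_port tcp "$web_srv":80 80
    fw add 100 nat 1 ip from any to any via "$ext_if"
}

# Rules numbered after the NAT step see translated addresses; with
# net.inet.ip.fw.one_pass=0 the packet continues down the ruleset after
# translation instead of being accepted outright.
filter_rules() {
    fw add 200 check-state
    fw add 300 allow tcp from any to "$web_srv" 80 in via "$ext_if" setup keep-state
    fw add 400 allow ip from any to any out via "$ext_if" keep-state
    fw add 65000 deny ip from any to any
}

# Adding a second forward is one config command on the instance; rule 100 is
# untouched and no daemon is restarted.
ipfw_nat_reconfigure() {
    fw nat 1 config if "$ext_if" same_ports unreg_only \
        redirect_port tcp "$web_srv":80 80 \
        redirect_port tcp "$web_srv":443 443
}

if [ "${1:-}" = "apply" ]; then
    ipfw_nat_rules
    filter_rules
fi
```

Run as `IPFW=echo sh ipfw.rules apply` to see the exact commands before loading them for real.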