From owner-freebsd-net@FreeBSD.ORG Sat Oct 21 21:54:23 2006
Message-Id: <200610212154.PAA11668@lariat.net>
Date: Sat, 21 Oct 2006 15:54:06 -0600
From: Brett Glass <brett@lariat.net>
To: "Matthew D. Fuller"
Cc: piso@freebsd.org, net@freebsd.org
In-Reply-To: <20061021095808.GH75501@over-yonder.net>
References: <200610210648.AAA01737@lariat.net> <20061021095808.GH75501@over-yonder.net>
Subject: Re: Avoiding natd overhead
List-Id: Networking and TCP/IP with FreeBSD

At 03:58 AM 10/21/2006, Matthew D. Fuller wrote:

>Paolo Pisati's 2005 SoC work on integrating libalias into ipfw might
>fit here. It should move the NAT'ing into the kernel and save all the
>context switches and copies, and (what has me more interested) make it
>much easier to change port forwarding and other rules.

That would be excellent.
NAT really belongs in the kernel, with a userland control and monitoring
utility similar to the ones that manage kernel PPP in many UNIX-like OSes.

>The worst
>thing about natd for me isn't performance, it's that I have to blow
>away all the state to change anything.

Agreed. Also, more than once I've locked myself out of a machine when
trying to restart NAT with a different configuration; it would be nice to
be able to change just the parameters I needed to change.

I'd love to be able to look at the translations that are generated on the
fly in the same way that one can look at other dynamic rules. This is
especially true for some of the more arcane forms of NAT (e.g. PPTP
passthrough, in which PPTP session numbers are mapped to avoid collisions)
which can be hard to debug when something goes wrong.

--Brett
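The lock-out Brett describes when restarting NAT with a changed configuration is the classic remote-reload hazard, and the standard precaution is a watchdog: apply the new configuration, then automatically revert to the previous one unless the operator confirms, from a fresh login, that the box is still reachable. The script below is an added example written for this page; it is not part of the thread, natd or FreeBSD's own tooling. It assumes the old and new NAT setups are each captured in a self-contained shell script (hypothetical paths such as /etc/nat-old.sh and /etc/nat-new.sh, holding whatever natd or ipfw commands the site uses), and the confirm-file location is a convention chosen here.

```shell
#!/bin/sh
# Guarded NAT/firewall reload with automatic rollback (added example).
#
# Assumption: the previous and the new configuration each live in a script
# that fully (re)programs NAT on its own, so re-running the old script is a
# complete rollback. Paths and the confirm-file convention are this
# example's own, not FreeBSD tooling.
set -u

# Marker whose presence tells the watchdog the operator still has access.
CONFIRM_FILE="${CONFIRM_FILE:-/tmp/nat-reload.confirmed}"
WATCHDOG_PID=""

# apply_with_rollback OLD_SCRIPT NEW_SCRIPT TIMEOUT_SECONDS
#   Syntax-checks both scripts first (a rollback script that cannot run is
#   worse than no reload), then runs NEW_SCRIPT. If NEW_SCRIPT fails, the
#   old one is re-run at once and 1 is returned. Otherwise a background
#   watchdog re-runs OLD_SCRIPT after TIMEOUT_SECONDS unless confirm_reload
#   has been called in the meantime.
apply_with_rollback() {
    old_script=$1
    new_script=$2
    timeout=$3

    # Pre-flight: refuse to touch anything if either script will not parse.
    if ! sh -n "$old_script" || ! sh -n "$new_script"; then
        echo "apply_with_rollback: syntax error in configuration script" >&2
        return 2
    fi

    rm -f "$CONFIRM_FILE"

    if ! sh "$new_script"; then
        # New configuration failed part-way: restore the old one immediately.
        sh "$old_script"
        return 1
    fi

    # Watchdog: revert unless the operator confirmed within the timeout.
    (
        sleep "$timeout"
        [ -e "$CONFIRM_FILE" ] || sh "$old_script"
    ) &
    WATCHDOG_PID=$!
    return 0
}

# confirm_reload: run this from a *new* login after the reload; if that
# login works, the change did not lock you out and may be kept.
confirm_reload() {
    : > "$CONFIRM_FILE"
}

# wait_for_watchdog: block until the watchdog has made its decision
# (useful for scripted deployments that want a synchronous result).
wait_for_watchdog() {
    [ -n "$WATCHDOG_PID" ] && wait "$WATCHDOG_PID"
}

# Typical interactive use (paths are assumptions of this example):
#   . ./nat-reload.sh
#   apply_with_rollback /etc/nat-old.sh /etc/nat-new.sh 120
#   ...open a second ssh session; if it connects, run: confirm_reload
#   If the second session never connects, the old NAT setup returns on its
#   own after 120 seconds and the first session can be retried.
```

The pre-flight `sh -n` check matters more than it looks: the rollback script is the one thing that must work when everything else has gone wrong, so it is validated before the live configuration is touched. Existing translation state is still lost on a natd restart either way; the watchdog only guarantees that a bad rule change does not also cost you access to the machine.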