Date: Mon, 17 Mar 2008 14:11:13 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Wojciech Puchar <wojtek@wojtek.tensor.gdynia.pl>
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW with user-ppp's NAT
Message-ID: <Pine.BSF.3.96.1080317134948.11162A-100000@gaia.nimnet.asn.au>
In-Reply-To: <20080316195620.D24E4106569A@hub.freebsd.org>
On Sun, 16 Mar 2008 18:20:12 +0100 (CET) Wojciech Puchar <wojtek@wojtek.tensor.gdynia.pl> wrote:

> >> what's wrong in userland natd?
> >
> > Performance. With userland natd, every packet that passes through natd
> > must pass from kernel to userland (causing one context switch) and back
> > again (causing another context switch). This will be slower and use more
> > CPU than doing it all inside the kernel, without any context switches.
>
> true, anyway for my two 2Mbps symmetric connections (all for nat), and
> three 4/0.5Mbit connections (part for nat, mostly for squid) all natd
> processes take at most 3 percent of a single core (core2duo).

Sure. And with my little 512/128k ADSL link, soon 1500/256, I doubt you could even measure the difference. I haven't seen any comparative data on high-performance boxes but as Erik points out, it may be significant.

Just to make it clear, my point was that one reason for deprecating ipfw is out the door, and that its development is ongoing. I see rc.firewall has had a recent facelift too, including a stateful 'workstation' type.

(Sorry that our ancient mail setup blocked your mail; hopefully fixed.)

cheers, Ian
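The two NAT paths the thread contrasts, written out as an added example that is not part of the original message or of any FreeBSD code: a userland ruleset that diverts packets to natd(8), and an in-kernel ruleset using ipfw's own nat instance, which is what removes the two kernel/userland crossings Erik describes. The interface name tun0 (what user-ppp normally creates), the rule numbers and the stateful allow rule are assumptions chosen for illustration; the ipfw and natd syntax is real FreeBSD 7-era syntax.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the two ipfw rulesets the
# discussion compares. Nothing here touches the live firewall; both functions
# only print the commands, so they can be reviewed before being applied.

# Userland path: rule 100 hands every packet on the external interface to
# natd(8) through a divert socket. natd rewrites it in a user process and
# re-injects it, so each NATed packet crosses the kernel/user boundary twice,
# which is the context-switch cost discussed above.
natd_rules() {
    ext_if="$1"
    cat <<EOF
# natd must be running first, e.g. natd -interface ${ext_if}
ipfw add 100 divert natd ip from any to any via ${ext_if}
ipfw add 200 check-state
ipfw add 300 allow tcp from any to any out via ${ext_if} setup keep-state
ipfw add 65534 deny log ip from any to any
EOF
}

# In-kernel path: ipfw nat (libalias linked into the kernel) does the same
# translation without leaving kernel space. Needs the ipfw_nat module or
# the IPFIREWALL_NAT kernel option. 'same_ports' keeps source ports where
# possible and 'unreg_only' only translates RFC 1918 source addresses, so a
# misconfigured host with a public address is not silently masqueraded.
kernel_nat_rules() {
    ext_if="$1"
    cat <<EOF
# kldload ipfw_nat   (if not compiled into the kernel)
ipfw nat 1 config if ${ext_if} same_ports unreg_only
ipfw add 100 nat 1 ip from any to any via ${ext_if}
ipfw add 200 check-state
ipfw add 300 allow tcp from any to any out via ${ext_if} setup keep-state
ipfw add 65534 deny log ip from any to any
EOF
}

# Convenience: show both side by side for a given interface.
show_both() {
    echo "### userland natd (two kernel/user crossings per packet)"
    natd_rules "$1"
    echo
    echo "### in-kernel ipfw nat (no crossings)"
    kernel_nat_rules "$1"
}

# Assumed interface name for user-ppp; change to match `ifconfig`.
[ "${1:-}" = "--print" ] && show_both tun0
```

Run it with `sh nat-rules.sh --print` to see the generated commands; the rule bodies after the NAT line are identical in both variants, so the only operational difference is whether packets leave the kernel for translation.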