Date: Wed, 18 Mar 2020 17:25:25 +0300
From: Lev Serebryakov <lev@FreeBSD.org>
To: Kristof Provost <kp@FreeBSD.org>, Neel Chauhan <neel@neelc.org>
Cc: freebsd-net@freebsd.org
Subject: Re: IPFW In-Kernel NAT vs PF NAT Performance
Message-ID: <cb87cc92-59ff-119e-be43-41d51b94f7e9@FreeBSD.org>
In-Reply-To: <F154BCBA-4079-48CA-ACE9-F01FBCBD53D0@FreeBSD.org>
References: <fc638872b9bdf14c13e2d6c13e698d1e@neelc.org> <F154BCBA-4079-48CA-ACE9-F01FBCBD53D0@FreeBSD.org>

On 18.03.2020 9:17, Kristof Provost wrote:

>> Which firewall gives better performance, IPFW's In-Kernel NAT or PF NAT? I am dealing with 1000s of concurrent connections but browsing-level-bandwidth at once with Tor.
>>
> I’d expect both ipfw and pf to happily saturate gigabit links with NAT, even on quite modest hardware.
> Are you sure the NAT code is the bottleneck?

ipfw nat is very slow, really. There are many reasons, and one of them (easily fixable, but you need to patch sources and rebuild kernel/module) is that `libalias` uses only 4096 buckets in state hashtable by default. So it could saturate 1GBps link if you have 10 TCP connections, but it could not saturate 100Mbit if you have, say, 100K UDP streams.

I don't know about pf nat.

-- 
// Lev Serebryakov
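
The bucket-count argument in the message above, worked as an added example (not part of the original message and not libalias code): a chained hash table model that reports the mean number of entries compared per successful lookup for 10 and for 100K flows. The 4096 figure comes from the message; the mixer, the 262144-bucket comparison size and the sample flows are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in 64-bit mixer (splitmix64 finalizer); NOT the hash libalias uses. */
static uint64_t mix64(uint64_t z) {
    z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
    z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
    return z ^ (z >> 31);
}

/*
 * Insert nflows constructed (address, port) keys into a chained table with
 * nbuckets buckets and return the mean number of entries compared by a
 * successful lookup. Returns -1.0 on bad arguments or allocation failure.
 */
double avg_lookup_cost(uint32_t nflows, uint32_t nbuckets) {
    if (nflows == 0 || nbuckets == 0) return -1.0;
    uint32_t *chain = calloc(nbuckets, sizeof *chain);
    if (chain == NULL) return -1.0;
    for (uint32_t i = 0; i < nflows; i++) {
        /* Constructed sample flows: 10.0.0.x hosts, ports 1024..61023. */
        uint64_t addr = 0x0a000000u + i / 60000u;
        uint64_t port = 1024u + i % 60000u;
        chain[mix64(addr << 16 | port) % nbuckets]++;
    }
    /* A chain of length L costs 1 + 2 + ... + L compares over its entries. */
    uint64_t compares = 0;
    for (uint32_t b = 0; b < nbuckets; b++)
        compares += (uint64_t)chain[b] * (chain[b] + 1) / 2;
    free(chain);
    return (double)compares / nflows;
}

int main(void) {
    static const uint32_t flows[] = { 10, 100000 };
    static const uint32_t buckets[] = { 4096, 262144 }; /* 2nd is hypothetical */
    for (size_t f = 0; f < 2; f++)
        for (size_t b = 0; b < 2; b++)
            printf("%6u flows, %6u buckets: %.2f compares per lookup\n",
                   flows[f], buckets[b], avg_lookup_cost(flows[f], buckets[b]));
    return 0;
}
```

Even a perfectly even spread of 100000 entries over 4096 buckets leaves about 24 entries per chain, so the per-packet lookup cost grows with the flow count regardless of hash quality; this is a model of the table, not a throughput measurement.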