From: Lev Serebryakov <lev@FreeBSD.org>
Reply-To: lev@FreeBSD.org
Subject: Re: IPFW In-Kernel NAT vs PF NAT Performance
To: Kristof Provost, Neel Chauhan
Cc: freebsd-net@freebsd.org
Organization: FreeBSD
Date: Wed, 18 Mar 2020 17:25:25 +0300
List-Id: Networking and TCP/IP with FreeBSD

On 18.03.2020 9:17, Kristof Provost wrote:
>> Which firewall gives better performance, IPFW's In-Kernel NAT or PF NAT? I am dealing with 1000s of concurrent connections but browsing-level-bandwidth at once with Tor.
>>
> I'd expect both ipfw and pf to happily saturate gigabit links with NAT, even on quite modest hardware.
> Are you sure the NAT code is the bottleneck?

ipfw nat is very slow, really. There are many reasons, and one of them (easily fixable, but you need to patch sources and rebuild kernel/module) is that `libalias` uses only 4096 buckets in the state hashtable by default. So it could saturate a 1GBps link if you have 10 TCP connections, but it could not saturate 100Mbit if you have, say, 100K UDP streams.

I don't know about pf nat.

-- 
// Lev Serebryakov
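As an added illustration (not code from the thread, and not libalias itself): a toy chained hash table keyed by the flow 5-tuple, sized with the 4096 buckets Lev mentions, measuring how many chain nodes a lookup has to visit on average as the number of tracked flows grows. The key layout, the mixing hash, the bucket counts compared and the constructed UDP flows (inside hosts in 10.0.0.0/8 talking to 192.0.2.1:53) are assumptions of this example, not details of the real state table.

```c
/* Added example (not from the thread, not libalias code): a toy NAT
 * state table with a fixed bucket count, showing how lookup cost grows
 * with the number of tracked flows. Assumptions: flows are identified by
 * a 5-tuple, the table is a chained hash table, and the hash is a
 * simple 64-bit mixing function of the tuple (all constructed here). */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

struct flow_key {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
};

struct state {
    struct flow_key key;
    struct state *next;   /* next entry chained in the same bucket */
};

/* splitmix64-style finaliser: a bijection on 64 bits, chosen only so
 * that nearby keys land in well-spread buckets. */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* Pack the 5-tuple into 64 bits, mix, and reduce to a bucket index. */
static size_t bucket_of(const struct flow_key *k, size_t nbuckets) {
    uint64_t h = ((uint64_t)k->src_ip << 32) | k->dst_ip;
    h ^= ((uint64_t)k->src_port << 16) | k->dst_port;
    h ^= (uint64_t)k->proto << 40;
    return (size_t)(mix64(h) % nbuckets);
}

static int key_eq(const struct flow_key *a, const struct flow_key *b) {
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->src_port == b->src_port && a->dst_port == b->dst_port &&
           a->proto == b->proto;
}

/* Constructed flow i: a distinct (inside address, source port) pair per
 * flow, all UDP to the same outside service 192.0.2.1:53. */
static struct flow_key make_flow(unsigned i) {
    struct flow_key k;
    k.src_ip   = 0x0a000000u + (i / 60000u);     /* 10.0.0.0 + i/60000 */
    k.src_port = (uint16_t)(1024u + i % 60000u);
    k.dst_ip   = 0xc0000201u;                    /* 192.0.2.1 (documentation range) */
    k.dst_port = 53;
    k.proto    = 17;
    return k;
}

/* Insert nflows states into a table of nbuckets buckets, then look every
 * one of them up and return the mean number of chain nodes visited per
 * lookup (1.0 would be a collision-free table). Returns -1.0 on OOM. */
double avg_probe_len(unsigned nflows, size_t nbuckets) {
    struct state **table = calloc(nbuckets, sizeof *table);
    struct state *nodes = malloc(sizeof *nodes * nflows);
    if (!table || !nodes) { free(table); free(nodes); return -1.0; }

    for (unsigned i = 0; i < nflows; i++) {
        nodes[i].key = make_flow(i);
        size_t b = bucket_of(&nodes[i].key, nbuckets);
        nodes[i].next = table[b];          /* push at chain head */
        table[b] = &nodes[i];
    }

    unsigned long long visited = 0;
    for (unsigned i = 0; i < nflows; i++) {
        struct flow_key k = make_flow(i);
        for (struct state *s = table[bucket_of(&k, nbuckets)]; s; s = s->next) {
            visited++;
            if (key_eq(&s->key, &k)) break;
        }
    }
    free(nodes);
    free(table);
    return (double)visited / nflows;
}

int main(void) {
    printf("    10 flows,   4096 buckets: %.2f nodes/lookup\n", avg_probe_len(10, 4096));
    printf("100000 flows,   4096 buckets: %.2f nodes/lookup\n", avg_probe_len(100000, 4096));
    printf("100000 flows, 131072 buckets: %.2f nodes/lookup\n", avg_probe_len(100000, 131072));
    return 0;
}
```

With ten flows the 4096-bucket table behaves like an ideal one; with 100K flows every lookup walks on the order of a dozen entries of the same 4096 chains (about 1 + n/2b for a well-mixed hash), which is the collision cost behind the slowdown described above, and a larger bucket count brings it back toward 1. A real state table also does timeouts, port allocation and locking that this toy leaves out, so it shows the shape of the problem rather than absolute packet rates.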