Date: Thu, 9 Oct 2003 10:07:03 -0400
From: Kenneth Culver <culverk@sweetdreamsracing.biz>
To: Vector <freebsd@itpsg.com>
Cc: current@freebsd.org
Subject: Re: ipnat memory leak?
Message-ID: <1065708423.752rpf5i638c@www.sweetdreamsracing.biz>
In-Reply-To: <003001c38e32$87214780$f501a8c0@VECTOR>
References: <008401c38e21$0eb936b0$6afea8c0@VECTOR> <002101c38e2a$fda426f0$8d00a8c0@marcos1> <003001c38e32$87214780$f501a8c0@VECTOR>
Quoting Vector <freebsd@itpsg.com>:

> Several reasons:
>
> Having it in the kernel improves performance

It also avoids at least 2 context switches per packet... one when the packet goes into natd and one when it goes back to the kernel.

> natd chokes on the latest windoze worms and I have implemented some DoS
> prevention/worm protection in ipnat but I'm seeing this memory leak without
> my improvements there at all.
>
> If it's in the kernel, ipnat is kept under control when natd would normally
> be sucking the CPU dry and preventing things like remote logins, very
> sluggish updates, etc...
>
> and others I don't particularly want to go into at the moment.
>
> vec
>

Not to mention the syntax for doing things like stateful firewalling is much more sane, and the fact that you can view the firewall state-table in near real-time using ipfstat -t (top style viewing).

Ken
