Date:      Sat, 21 Oct 2006 13:54:53 +0400
From:      Vladimir Grebenschikov <vova@fbsd.ru>
To:        Brett Glass <brett@lariat.net>
Cc:        net@freebsd.org
Subject:   Re: Avoiding natd overhead
Message-ID:  <1161424493.1489.10.camel@localhost>
In-Reply-To: <200610210648.AAA01737@lariat.net>
References:  <200610210648.AAA01737@lariat.net>

On Sat, 21/10/2006 at 00:47 -0600, Brett Glass wrote:
> I'm working with a FreeBSD-based router that's using IPFW for
> policy routing, traffic shaping, and transparent proxying and natd
> for network address translation. IPFW does these things pretty well
> (in fact, I don't know if another firewall, like pf, could even do
> some of these things I'm doing with IPFW), but natd is by far the
> most CPU-intensive process on the system and is causing it to
> crumple like a wet towel under heavy loads. How can I replace just
> the functionality of natd without moving to an entirely new
> firewall? Can I still select which packets are routed to the NAT
> engine, and when this occurs during the processing of the packet?

The problem is the location of natd's functionality: every packet
which goes through NAT has to jump from the kernel to user space and
back. That really takes a lot of resources.

Solutions:
 1. use PF for NAT - it does aliasing in kernel space
 2. use the in-kernel libalias implementation
    (I guess the man page for ng_nat(4) will help)


> --Brett Glass
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
-- 
Vladimir B. Grebenschikov
vova@fbsd.ru
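The second option above, in-kernel NAT through ng_nat(4), as an added example that is not part of the thread and not code from either poster. It follows the node layout documented in ng_nat(4) and ng_ipfw(4): ipfw hands packets to netgraph with the `netgraph` action, the nat node rewrites them in the kernel, and they are reinjected into the ruleset. The interface name `em0`, the alias address `203.0.113.1`, the rule numbers and the hook cookies 60/61 are constructed placeholders; the script only prints the commands unless `DRY_RUN=0` is set, so it can be reviewed before being run as root on a FreeBSD router.

```shell
#!/bin/sh
# Added example: replace natd's divert socket with in-kernel NAT via
# ng_nat(4) and ng_ipfw(4). All names and addresses below are placeholders.
# DRY_RUN=1 (default) prints the commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"
EXT_IF="${EXT_IF:-em0}"                   # external interface (placeholder)
ALIAS_ADDR="${ALIAS_ADDR:-203.0.113.1}"   # public address (documentation range)
HOOK_OUT=60                               # netgraph cookie: outbound packets
HOOK_IN=61                                # netgraph cookie: inbound packets

# Execute a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ipfw rule sending inbound packets on the external interface to the nat node.
ipfw_rule_in() {
    printf 'ipfw add 100 netgraph %s ip from any to any in via %s' \
        "$HOOK_IN" "$EXT_IF"
}

# ipfw rule sending outbound packets on the external interface to the nat node.
ipfw_rule_out() {
    printf 'ipfw add 110 netgraph %s ip from any to any out via %s' \
        "$HOOK_OUT" "$EXT_IF"
}

setup_ng_nat() {
    run kldload ng_ipfw
    run kldload ng_nat
    # Create a nat node on the ipfw: node's hook HOOK_OUT (nat side: "out")
    # and give it the name "nat".
    run ngctl mkpeer ipfw: nat "$HOOK_OUT" out
    run ngctl name "ipfw:$HOOK_OUT" nat
    # Connect the ipfw: node's hook HOOK_IN to the nat node's "in" hook.
    run ngctl connect ipfw: nat: "$HOOK_IN" in
    # Address that private sources are rewritten to.
    run ngctl msg nat: setaliasaddr "$ALIAS_ADDR"
    # Packets coming back from netgraph continue through the ruleset
    # instead of being accepted at the netgraph rule, so the policy
    # routing and shaping rules still see the translated packets.
    run sysctl net.inet.ip.fw.one_pass=0
    # shellcheck disable=SC2046  (word splitting into arguments is intended)
    run $(ipfw_rule_in)
    run $(ipfw_rule_out)
}

setup_ng_nat
```

The NAT rules are placed on the external interface in both directions because libalias must see both halves of each flow; the rest of the existing IPFW ruleset is left untouched, which answers the question of selecting which packets reach the NAT engine and at which point in the ruleset.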
