Date: Wed, 18 Mar 2020 21:14:45 -0700
From: Neel Chauhan <neel@neelc.org>
To: lev@freebsd.org
Cc: Kristof Provost <kp@freebsd.org>, freebsd-net@freebsd.org
Subject: Re: IPFW In-Kernel NAT vs PF NAT Performance
Message-ID: <55dbea1fe75777780be166756c7641e8@neelc.org>
In-Reply-To: <cb87cc92-59ff-119e-be43-41d51b94f7e9@FreeBSD.org>
References: <fc638872b9bdf14c13e2d6c13e698d1e@neelc.org> <F154BCBA-4079-48CA-ACE9-F01FBCBD53D0@FreeBSD.org> <cb87cc92-59ff-119e-be43-41d51b94f7e9@FreeBSD.org>
Thanks for telling me this. I switched to PF and it performs better. However, if you know, where in the code does libalias use only 4096 buckets? I want to know in case I want/have to switch back to IPFW.

-Neel

On 2020-03-18 07:25, Lev Serebryakov wrote:
> On 18.03.2020 9:17, Kristof Provost wrote:
>
>>> Which firewall gives better performance, IPFW's In-Kernel NAT or PF
>>> NAT? I am dealing with 1000s of concurrent connections but
>>> browsing-level-bandwidth at once with Tor.
>>>
>> I’d expect both ipfw and pf to happily saturate gigabit links with
>> NAT, even on quite modest hardware.
>> Are you sure the NAT code is the bottleneck?
> ipfw nat is very slow, really. There are many reasons, and one of them
> (easily fixable, but you need to patch sources and rebuild kernel/module) is
> that `libalias` uses only 4096 buckets in state hashtable by default.
> So it could saturate 1GBps link if you have 10 TCP connections, but it
> could not saturate 100Mbit if you have, say, 100K UDP streams.
>
> I don't know about pf nat.
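To make the point in Lev's reply concrete, here is an added example (not FreeBSD's libalias code, and not code from anyone in this thread) that models a chained NAT state hashtable and measures how many chain entries a lookup has to walk when 100K flows are spread over 4096 buckets versus a much larger table. The flow key, the hash function, the bucket counts compared and the synthetic UDP-like workload are all assumptions made for the illustration; libalias's real data structures and hashing differ.

```c
/* Added illustration, not libalias: a chained flow table whose bucket
 * count is fixed at creation, as the thread says libalias's is by default.
 * The 4-tuple key and the hash below are simplified assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct flow {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    struct flow *next;          /* next entry in the same bucket's chain */
};

struct table {
    size_t nbuckets;
    struct flow **buckets;      /* array of chain heads */
};

/* Toy mixing hash over the 4-tuple (assumed; libalias hashes differently). */
static uint32_t flow_hash(uint32_t s, uint32_t d, uint16_t sp, uint16_t dp)
{
    uint32_t h = s * 0x9E3779B1u;
    h ^= d * 0x85EBCA6Bu;
    h ^= ((uint32_t)sp << 16 | dp) * 0xC2B2AE35u;
    h ^= h >> 16;
    return h;
}

static struct table *table_new(size_t nbuckets)
{
    struct table *t = malloc(sizeof *t);
    if (!t) abort();
    t->nbuckets = nbuckets;
    t->buckets = calloc(nbuckets, sizeof *t->buckets);
    if (!t->buckets) abort();
    return t;
}

static void table_insert(struct table *t, uint32_t s, uint32_t d,
                         uint16_t sp, uint16_t dp)
{
    struct flow *f = malloc(sizeof *f);
    if (!f) abort();
    f->src_ip = s; f->dst_ip = d; f->src_port = sp; f->dst_port = dp;
    size_t b = flow_hash(s, d, sp, dp) % t->nbuckets;
    f->next = t->buckets[b];    /* push at the head of the bucket's chain */
    t->buckets[b] = f;
}

/* Number of chain entries examined before the flow is found (0 if absent). */
static size_t table_lookup_probes(const struct table *t, uint32_t s, uint32_t d,
                                  uint16_t sp, uint16_t dp)
{
    size_t b = flow_hash(s, d, sp, dp) % t->nbuckets, probes = 0;
    for (const struct flow *f = t->buckets[b]; f; f = f->next) {
        probes++;
        if (f->src_ip == s && f->dst_ip == d && f->src_port == sp && f->dst_port == dp)
            return probes;
    }
    return 0;
}

static void table_free(struct table *t)
{
    for (size_t b = 0; b < t->nbuckets; b++)
        for (struct flow *f = t->buckets[b]; f;) {
            struct flow *next = f->next;
            free(f);
            f = next;
        }
    free(t->buckets);
    free(t);
}

/* Insert nflows constructed flows (distinct 10.x sources, random source
 * port, one DNS-like destination), then look each one up again and
 * return the total number of chain entries walked. */
size_t total_probes(size_t nbuckets, size_t nflows)
{
    struct table *t = table_new(nbuckets);
    uint32_t lcg = 12345u;      /* deterministic port generator */
    for (size_t i = 0; i < nflows; i++) {
        lcg = lcg * 1664525u + 1013904223u;
        table_insert(t, 0x0A000000u + (uint32_t)i, 0xC0000201u,
                     (uint16_t)(1024 + (lcg >> 16) % 60000), 53);
    }
    size_t total = 0;
    lcg = 12345u;               /* replay the same sequence for lookups */
    for (size_t i = 0; i < nflows; i++) {
        lcg = lcg * 1664525u + 1013904223u;
        total += table_lookup_probes(t, 0x0A000000u + (uint32_t)i, 0xC0000201u,
                                     (uint16_t)(1024 + (lcg >> 16) % 60000), 53);
    }
    table_free(t);
    return total;
}

int main(void)
{
    const size_t nflows = 100000;
    size_t small = 4096, large = 131072;   /* 4096 is the default the thread cites */
    printf("%zu flows, %zu buckets: %.1f entries walked per lookup\n",
           nflows, small, (double)total_probes(small, nflows) / nflows);
    printf("%zu flows, %zu buckets: %.1f entries walked per lookup\n",
           nflows, large, (double)total_probes(large, nflows) / nflows);
    return 0;
}
```

With 100K flows over 4096 buckets each lookup walks on the order of a dozen entries, while a table sized past the flow count walks about one; every translated packet pays that cost, which is why the per-packet work, not the link rate, becomes the limit with many concurrent UDP streams. The same check applies to any fixed-size state table: compare the expected concurrent flow count against the bucket count before trusting a NAT box under a connection-heavy workload such as the one described in the thread.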
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?55dbea1fe75777780be166756c7641e8>