Date: Wed, 02 Jul 2003 11:44:14 -0700
From: Michael Sierchio <kudzu@tenebras.com>
To: Barney Wolff <barney@databus.com>
Cc: freebsd-net@freebsd.org
Subject: Re: Performance improvement for NAT in IPFIREWALL
Message-ID: <3F0327FE.3030609@tenebras.com>
In-Reply-To: <20030702183838.GB4179@pit.databus.com>
References: <3F0316DE.3040301@tenebras.com> <20030702183838.GB4179@pit.databus.com>
Barney Wolff wrote:

> NAT is not a security feature,

Many would disagree with that assertion.

> and should be used only where it is
> actually necessary to translate addresses, and as far towards the edge
> as possible.

This is typically where firewalls are found.

> If you believe you need to NAT at even 1Gb, I'd look
> very hard at the requirements.

Sadly, requirements are often exogenous.

> The performance hit on crossing the kernel-userspace boundary for natd
> is inherent, apart from any code optimization that might be possible.

Right, it's the copying of data that creates the ultimate barrier. Ruslan has suggested an analogue to divert that uses ng_ksocket. That might be promising.

> But moving NAT into the kernel has great impact on kernel memory usage,
> which needs much more care than in user space. NATs can be DoS'd,
> and running out of kernel memory can be fatal.

Stateful packet filters can be DoS'd.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3F0327FE.3030609>