Date: Mon, 17 Mar 2008 05:10:48 -0500
From: CyberLeo Kitsana <cyberleo@cyberleo.net>
To: Wojciech Puchar <wojtek@wojtek.tensor.gdynia.pl>, Ian Smith <smithi@nimnet.asn.au>, Razmig K <strontium90@gmail.com>, Dan Nelson <dnelson@allantgroup.com>, freebsd-questions@freebsd.org
Subject: Re: IPFW with user-ppp's NAT
Message-ID: <47DE43A8.4020909@cyberleo.net>
In-Reply-To: <20080316160317.GA35937@owl.midgard.homeip.net>
References: <Pine.BSF.3.96.1080316193840.4307A-100000@gaia.nimnet.asn.au> <20080316163701.B14645@wojtek.tensor.gdynia.pl> <20080316160317.GA35937@owl.midgard.homeip.net>
Erik Trulsson wrote:
> On Sun, Mar 16, 2008 at 04:37:18PM +0100, Wojciech Puchar wrote:
>>> Frankly I'm a bit surprised that this hasn't been more widely heralded,
>>> as userland natd is often given as a reason to prefer other firewalls,
>> what's wrong in userland natd?
>
> Performance. With userland natd, every packet that passes through natd
> must pass from kernel to userland (causing one context switch) and back
> again (causing another context switch). This will be slower and use more
> CPU than doing it all inside the kernel, without any context switches.

Online reconfiguration. Userland natd requires a restart (and a loss of all
nat state information) when you want to change forwarded ports and such,
whereas the in-kernel NAT engines (in ipf and pf, at least) support
reconfiguration without flushing state. To a large extent, at least.

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net <CyberLeo@CyberLeo.Net>

Furry Peace! - http://wwww.fur.com/peace/
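The two arrangements the thread compares, side by side as an added example (not code from this message or from the FreeBSD project): the classic divert-to-natd rule for a user-ppp link, and the equivalent in-kernel ipfw nat instance whose forwards can be changed without restarting a daemon. It assumes a FreeBSD release with ipfw's in-kernel nat (7.0 or later); the interface name tun0, rule number 100, the LAN hosts and the forwarded ports are made-up values.

```shell
#!/bin/sh
# Set IPFW=echo to print the commands instead of applying them.
IPFW="${IPFW:-ipfw}"
EXT_IF="${EXT_IF:-tun0}"   # assumed: the user-ppp interface

# Before: every packet crossing tun0 is handed to natd over a divert
# socket (kernel -> userland -> kernel per packet). Changing a forwarded
# port means restarting natd with new -redirect_port flags, which also
# drops its translation table.
userland_natd_rules() {
    "$IPFW" add 100 divert natd ip from any to any via "$EXT_IF"
}

# After: translation happens in the kernel. The rule only names the nat
# instance, so the instance can be reconfigured while rule 100 stays put.
# With net.inet.ip.fw.one_pass=1 (the default) a packet leaves the
# ruleset right after the nat action, as it would after divert.
kernel_nat_rules() {
    "$IPFW" nat 1 config if "$EXT_IF" same_ports unreg_only \
        redirect_port tcp 192.168.1.10:80 80      # assumed LAN web host
    "$IPFW" add 100 nat 1 ip from any to any via "$EXT_IF"
}

# Change the forwards on the live instance: 'nat 1 config' on an existing
# instance replaces that instance's settings in place, so every redirect
# that should stay must be repeated. No daemon is restarted and the rule
# is untouched; whether in-flight translations survive the reconfigure
# is release-dependent and worth checking on your own box.
add_forward() {
    # $1 = proto, $2 = lan_host:port, $3 = external port (all assumed)
    "$IPFW" nat 1 config if "$EXT_IF" same_ports unreg_only \
        redirect_port tcp 192.168.1.10:80 80 \
        redirect_port "$1" "$2" "$3"
}

# Run as: sh nat.sh apply   (IPFW=echo sh nat.sh apply prints only)
if [ "${1:-}" = apply ]; then
    kernel_nat_rules
fi
```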