From: CyberLeo Kitsana <cyberleo@cyberleo.net>
Date: Mon, 17 Mar 2008 05:10:48 -0500
To: Wojciech Puchar, Ian Smith, Razmig K, Dan Nelson, freebsd-questions@freebsd.org
Subject: Re: IPFW with user-ppp's NAT
Message-ID: <47DE43A8.4020909@cyberleo.net>
In-Reply-To: <20080316160317.GA35937@owl.midgard.homeip.net>
References: <20080316163701.B14645@wojtek.tensor.gdynia.pl> <20080316160317.GA35937@owl.midgard.homeip.net>

Erik Trulsson wrote:
> On Sun, Mar 16, 2008 at 04:37:18PM +0100, Wojciech Puchar wrote:
>>> Frankly I'm a bit surprised that this hasn't been more widely heralded,
>>> as userland natd is often given as a reason to prefer other firewalls,
>> what's wrong in userland natd?
>
> Performance.  With userland natd, every packet that passes through natd
> must pass from kernel to userland (causing one context switch) and back
> again (causing another context switch).  This will be slower and use more
> CPU than doing it all inside the kernel, without any context switches.

Online reconfiguration. Userland natd requires a restart (and a loss of all
NAT state information) when you want to change forwarded ports and such,
whereas the in-kernel NAT engines (in ipf and pf, at least) support
reconfiguration without flushing state. To a large extent, at least.

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net

Furry Peace! - http://wwww.fur.com/peace/
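The two NAT paths the messages above contrast, written out as ipfw rule sets side by side. This is an added example and not something posted in the thread: the userland path (a divert rule plus natd, which has to be restarted to change a redirect) next to the in-kernel path (an ipfw nat instance that is reconfigured by re-issuing its config line). The interface name tun0, the inner host 192.168.1.10 and the ports are placeholders; the script only prints the commands unless APPLY=1 is set, so it can be run anywhere. The message's claim about reconfiguring without losing state is made for ipf and pf; whether ipfw's own kernel nat keeps every existing translation across a config update is something to check on the FreeBSD version you run.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): userland natd via divert
# versus in-kernel ipfw nat, as the rule sets a FreeBSD admin would type.
# tun0 (user-ppp's interface), 192.168.1.10 and the ports are placeholders.
# Commands are only printed unless APPLY=1, so the script runs on any box.
set -e

EXT_IF=tun0              # assumed external (user-ppp) interface
LAN_HOST=192.168.1.10    # assumed internal host receiving the redirects

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Userland path: a divert rule hands every matching packet to natd over a
# divert socket and natd writes the translated packet back (two context
# switches per packet).  natd has no reload: to change a redirect you
# restart it, and its translation table (the NAT state) goes with it.
userland_natd_setup() {
    run natd -interface "$EXT_IF" -dynamic -redirect_port tcp "$LAN_HOST:80" 80
    run ipfw add 100 divert natd ip from any to any via "$EXT_IF"
}

userland_natd_add_redirect() {
    # $1 = TCP port to forward to LAN_HOST in addition to port 80
    run killall natd
    run natd -interface "$EXT_IF" -dynamic -redirect_port tcp "$LAN_HOST:80" 80 \
        -redirect_port tcp "$LAN_HOST:$1" "$1"
}

# In-kernel path: a nat instance lives in the kernel and a rule points at it;
# packets never leave the kernel.
kernel_nat_setup() {
    run ipfw nat 1 config if "$EXT_IF" same_ports redirect_port tcp "$LAN_HOST:80" 80
    run ipfw add 100 nat 1 ip from any to any via "$EXT_IF"
}

kernel_nat_add_redirect() {
    # Re-issuing 'config' for instance 1 updates that instance in place; the
    # rule referencing it stays, and nothing is killed or restarted.
    run ipfw nat 1 config if "$EXT_IF" same_ports redirect_port tcp "$LAN_HOST:80" 80 \
        redirect_port tcp "$LAN_HOST:$1" "$1"
}

echo "# userland natd, then adding a redirect for port 443:"
userland_natd_setup
userland_natd_add_redirect 443
echo "# in-kernel ipfw nat, then adding the same redirect:"
kernel_nat_setup
kernel_nat_add_redirect 443
```

Run it as-is to see both rule sets; on a FreeBSD box with ipfw loaded, `APPLY=1 sh nat-compare.sh` executes them (the filename is an assumption). The point to take from the output is the shape of the two change procedures: the userland one contains a `killall natd`, the kernel one is a single `ipfw nat 1 config` line.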