Date: Mon, 23 Oct 2006 12:26:36 -0700 From: Luigi Rizzo <rizzo@icir.org> To: Brett Glass <brett@lariat.net> Cc: Julian Elischer <julian@elischer.org>, net@freebsd.org Subject: Re: Avoiding natd overhead Message-ID: <20061023122636.B89538@xorpc.icir.org> In-Reply-To: <200610231850.MAA12253@lariat.net>; from brett@lariat.net on Mon, Oct 23, 2006 at 12:50:05PM -0600 References: <200610210648.AAA01737@lariat.net> <453AEA86.4070103@elischer.org> <200610220414.WAA15541@lariat.net> <453AF1BB.7070507@elischer.org> <200610231850.MAA12253@lariat.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Oct 23, 2006 at 12:50:05PM -0600, Brett Glass wrote: > At 10:21 PM 10/21/2006, Julian Elischer wrote: > > >OR in 7.0 you can call netgraph directly > > > >there is a netgraph keyword in ipfw. > > I just took a look at that. Could work, except that the ng_nat > Netgraph node only does very basic NAT. One can't do static NAT, > and none of natd's other options are accessible. there is another part of paolo's work that adds the 'nat' keyword to ipfw. Even if not merged, i think it is available as a patch, right paolo ? > Whilst perusing the code, I also noticed that libalias expects all > packets to be in a single contiguous buffer. This means that ng_nat > doesn't get rid of one of the big inefficiencies involved in the > use of natd: the need to make a copy of the mbuf chain containing the copy may have been a problem 20 or even 10 years ago. These days, with huge memory bandwidths and because of the effect of burst access to memory, i would be surprised if the memcopy overhead were anything significant. Yes, you trash the cache a bit, but on the other hand you bring early in-cache the fields you need to inspect. The real performance issue with divert is the system call. Next, I'd also check if there is a scalability issue related to inefficient data structures. cheers luigi > the packet to ensure contiguity. (This is an issue with anything > that uses divert sockets, but it creeps in with ng_nat as well due > to the way libalias is coded.) Using a Netgraph node would help > with the ring transition, though, so there should be some savings. > Has the "netgraph" keyword been MFCed? > > --Brett Glass > > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20061023122636.B89538>