From owner-freebsd-net Sun Jan 27 10:00:32 2002
Date: Sun, 27 Jan 2002 09:50:29 -0800 (PST)
From: Julian Elischer
To: Andre Oppermann
Cc: Matthew Emmerton, Clemens Hermann, BSD NET-List
Subject: Re: natd restart
In-Reply-To: <3C543C2F.970F0375@pipeline.ch>
Sender: owner-freebsd-net@FreeBSD.ORG

You can also add rules that allow packets that are going over the INTERNAL
interface to skip the NAT divert rules. Then you'd only be doing it once.

On Sun, 27 Jan 2002, Andre Oppermann wrote:

> Matthew Emmerton wrote:
> >
> > > On 27.01.2002 at 02:11:30 Matthew Emmerton wrote:
> > >
> > > Hi Matt,
> > >
> > > > Here's the patch that I wrote some time ago.
> > >
> > > Thanks a lot!
> > > Did you send-pr the patch? It seems quite necessary to be added.
> >
> > Not yet. One of the things that I don't like about this patch is that old
> > rules still stay around (re-reading the configuration will only modify
> > existing rules and add new rules.) I'm also taking a lot of flak on my side
> > of the fence since NAT runs as a userland process, so every packet gets
> > copied between the kernel and userland twice (once on the way in, once on
> > the way out.) Apparently Linux doesn't do this.
> >
> > I'm looking at making natd into a kernel option ("options IPNAT") and using
> > a combination of sysctls and a front-end program to manage how nat operates,
> > much like "options IPFIREWALL" and ipfw works today.
>
> Have a look at IPFILTER, which IPNAT is part of. It does everything in
> the kernel.
>
> > This (in my mind) should greatly enhance the throughput of FreeBSD's NAT and
> > keep those Linux people from bashing us (or me, at least.)
>
> Profile, don't speculate. On today's machines you don't notice any
> difference between userland vs. kernel NAT. I've tested FreeBSD's
> userland natd and it could easily push 93Mbit/s through an Athlon-1.4GHz
> (which is essentially wirespeed (FreeBSD 4.3)) with two fxp cards.
>
> --
> Andre

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
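The bypass Julian describes, as an added example that is not part of the thread and not anyone's posted ruleset: an ipfw script in which traffic on the internal interface is passed before the divert rule, so each forwarded packet reaches natd once (on the external side) instead of twice. The interface names fxp0/fxp1 and the divert port 8668 are assumed values; the script prints the rules by default (DRY_RUN=1) so the ordering can be reviewed on any machine before it is loaded on the FreeBSD router as root.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw ruleset where packets seen on
# the LAN interface skip the natd divert rule. Interface names and the
# divert port below are assumed values for illustration.

ext_if="fxp0"        # assumed: interface facing the Internet
int_if="fxp1"        # assumed: interface facing the LAN
natd_port="8668"     # natd's default divert port

# Dry-run by default: rules are echoed instead of loaded. Run with
# DRY_RUN=0 as root on the router to actually install them.
: "${DRY_RUN:=1}"

fwcmd() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "ipfw $*"
    else
        /sbin/ipfw "$@"
    fi
}

# ipfw is first-match, so the bypass rules must carry lower rule numbers
# than the divert rule or they never fire.
load_nat_rules() {
    fwcmd -q flush
    # Loopback traffic never needs translation.
    fwcmd add 100 allow ip from any to any via lo0
    # Packets on the LAN side skip natd here; they are translated when
    # they cross the external interface instead.
    fwcmd add 200 allow ip from any to any via "$int_if"
    # Only packets crossing the external interface are diverted to natd.
    fwcmd add 300 divert "$natd_port" ip from any to any via "$ext_if"
    fwcmd add 65000 allow ip from any to any
}

# Check the generated ruleset (always in dry-run mode): exactly one divert
# rule, and the internal-interface bypass numbered below it.
check_rules() {
    rules=$(DRY_RUN=1; load_nat_rules)
    divert_count=$(printf '%s\n' "$rules" | grep -c ' divert ')
    divert_num=$(printf '%s\n' "$rules" | awk '/ divert /{print $3}')
    bypass_num=$(printf '%s\n' "$rules" | awk -v i="$int_if" '$0 ~ "via "i{print $3}')
    [ "$divert_count" -eq 1 ] && [ "$bypass_num" -lt "$divert_num" ]
}

load_nat_rules
```

Restricting the divert rule to `via "$ext_if"` already keeps LAN-side packets away from natd; the explicit allow rule for the internal interface makes that intent visible in the ruleset and protects it if a later divert rule without an interface match is added below it.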