Performance improvement for NAT in IPFIREWALL

Julian Elischer julian at elischer.org
Wed Jul 2 18:26:17 PDT 2003 


On Thu, 3 Jul 2003, Clement Laforet wrote:

> Hi,
> 
> On Wed, 2 Jul 2003 18:39:42 -0500 (CDT)
> Mike Silbersack <silby at silby.com> wrote:
> 
> > > Comments? Suggestions? Vision?
> > 
> > If you have some time to throw at the problem, you might consider
> > using gprof on natd in order to determine what exactly about natd is
> > slow.  As is commonly mentioned, the kernel <-> userspace switch is
> > probably one reason for natd's relative slowness, but I would bet that
> > a decent speedup could be achieved just by optimizing natd.  Heck, it
> > might be as simple as increasing the size of some hash tables or
> > buffers.
> > 
> > Tell us how it goes. :)
> 
> Few weeks ago, I've post a patch which impoves natd for INCOMING
> connections (and breaks some options), I ran gprof to find where
> natd and libalias lack of performance :
> 1. sendto(), recvfrom() [natd] an gettimeofday() [libalias] eat a lot of
> CPU
> 2. [libalias] hash tables for incoming pakets is VERY poor since the
> hash is based on alias address, it's mandatory for outgoing connections
> I think, but for incoming redirect, it eats a lot of time (47%
> according to gprof under heavy load), since the hash key is the same for
> all incoming packets.
> 3. expire mecanisms is too slow, having small tables under heavy load
> slows NAT'ing drastically. 
> I had best performance with
> #define LINK_TABLE_OUT_SIZE        4091
> #define LINK_TABLE_IN_SIZE         8123
> 4. matching might be improved to.
> 
> Better with tables dedicated to redirects ("only" ~50% of CPU time, for
> ~55Mbp/s on a PIII 700, 90% of this CPU time was used by syscalls). 
> 
> My 2cts...
> 
> If somebody cares, I'm currently writing an in-kernel && in-ipfw NAT to
> perform load balancing, if you have any suggestion, I'm all ears :)
> 

also make sure your rules say 
divert xxxx ip from any to [IPADRESS] in recv [interface]
and
divert xxxx ip from not [IPADDR] recv [inside-if] out xmit [interface]

to avoid sending packets to the NATd that have no possible reason to go
there..
All incoming nat'd packets are addressed to the local machine
All outgoing packets that should be nat'd are from somewhere else.
I've seen cases where thre is a lot of interference with NAT from other
traffic making natd do extra work for no reason..



> Regards,
> 
> clem
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>

More information about the freebsd-ipfw mailing list