Performance improvement for NAT in IPFIREWALL
Michael Sierchio
kudzu at tenebras.com
Wed Jul 2 11:44:18 PDT 2003
Barney Wolff wrote:

> NAT is not a security feature,

Many would disagree with that assertion.

> and should be used only where it is
> actually necessary to translate addresses, and as far towards the edge
> as possible.

This is typically where firewalls are found.

> If you believe you need to NAT at even 1Gb, I'd look
> very hard at the requirements.

Sadly, requirements are often exogenous.

> The performance hit on crossing the kernel-userspace boundary for natd
> is inherent, apart from any code optimization that might be possible.

Right, it's the copying of data that creates the ultimate barrier.
Ruslan has suggested an analogue to divert that uses ng_ksocket.
That might be promising.

> But moving NAT into the kernel has great impact on kernel memory usage,
> which needs much more care than in user space. NATs can be DoS'd,
> and running out of kernel memory can be fatal.

Stateful packet filters can be DoS'd.
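The point both correspondents agree on is that any stateful translator keeps one entry per flow, so an unbounded table is a memory-exhaustion risk, and in the kernel that risk is fatal rather than merely a crashed daemon. The following is an added illustration, not code from the thread, natd or ipfw: a toy NAT translation table that bounds its state with a global entry cap, a per-private-source cap and idle-timeout eviction, so a single noisy host cannot consume the whole table. All addresses, ports and timestamps are constructed sample values, and the class and function names are this example's own.

```python
"""Toy bounded NAT state table (added example, not natd/ipfw code).

Models the DoS concern raised in the thread: each translated flow costs a
table entry, so the table must be capped, partitioned per source and aged
out, or a flood of distinct flows exhausts it.  Addresses are constructed.
"""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """5-tuple of a private-side flow (constructed sample type)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class BoundedNat:
    def __init__(self, public_ip, max_entries=1000, max_per_source=50,
                 idle_timeout=60, port_range=(10000, 60000)):
        self.public_ip = public_ip
        self.max_entries = max_entries        # hard cap on live entries
        self.max_per_source = max_per_source  # cap per private host
        self.idle_timeout = idle_timeout      # seconds before an idle entry is evicted
        # Free public ports; pop() from the end hands out the lowest port first.
        self.free_ports = list(range(port_range[1], port_range[0] - 1, -1))
        # Flow -> (public_port, last_seen); kept in order of last activity,
        # oldest first, so eviction only has to look at the head.
        self.table = OrderedDict()
        self.per_source = {}        # private src address -> live entry count
        self.drops = {"global_cap": 0, "per_source_cap": 0, "no_ports": 0}

    def _remove(self, flow):
        port, _ = self.table.pop(flow)
        self.free_ports.append(port)
        self.per_source[flow.src] -= 1
        if self.per_source[flow.src] == 0:
            del self.per_source[flow.src]

    def expire(self, now):
        """Evict entries idle for at least idle_timeout; returns how many."""
        evicted = 0
        while self.table:
            flow, (_, last_seen) = next(iter(self.table.items()))
            if now - last_seen < self.idle_timeout:
                break                # head is fresh, so everything behind it is too
            self._remove(flow)
            evicted += 1
        return evicted

    def translate(self, flow, now):
        """Return (public_ip, public_port) for flow, or None if refused."""
        self.expire(now)
        if flow in self.table:       # existing mapping: refresh and keep it stable
            port = self.table[flow][0]
            self.table[flow] = (port, now)
            self.table.move_to_end(flow)
            return (self.public_ip, port)
        if len(self.table) >= self.max_entries:
            self.drops["global_cap"] += 1
            return None
        if self.per_source.get(flow.src, 0) >= self.max_per_source:
            self.drops["per_source_cap"] += 1
            return None
        if not self.free_ports:
            self.drops["no_ports"] += 1
            return None
        port = self.free_ports.pop()
        self.table[flow] = (port, now)
        self.per_source[flow.src] = self.per_source.get(flow.src, 0) + 1
        return (self.public_ip, port)


def demo():
    """Constructed scenario: one noisy host, one quiet host, then ageing."""
    nat = BoundedNat("203.0.113.1", max_entries=200, max_per_source=50, idle_timeout=60)
    # Noisy host opens 500 distinct UDP flows at t=0; only 50 get entries.
    noisy_ok = sum(
        nat.translate(Flow("udp", "192.168.1.200", 40000 + i, "198.51.100.7", 53), now=0)
        is not None for i in range(500))
    # Quiet host is unaffected, and its mapping stays stable across packets.
    quiet = Flow("tcp", "192.168.1.10", 51234, "198.51.100.8", 443)
    first = nat.translate(quiet, now=1)
    again = nat.translate(quiet, now=30)
    # At t=70 the noisy host's entries (last seen t=0) age out; quiet (t=30) survives.
    evicted = nat.expire(now=70)
    return {"noisy_ok": noisy_ok, "per_source_drops": nat.drops["per_source_cap"],
            "quiet_stable": first == again, "evicted": evicted, "live": len(nat.table)}


if __name__ == "__main__":
    print(demo())
```

The per-source cap is what keeps one misbehaving host from starving the others; the global cap is what keeps the table from growing without bound when many sources misbehave at once; the idle timeout is what lets the table recover afterwards. A real kernel implementation additionally has to account for the memory of the entries themselves, which is the point Barney Wolff is making about kernel allocations needing more care than user space.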