Performance improvement for NAT in IPFIREWALL

[Michael Sierchio]

Currently, performance w/divert sockets and natd in ipfirewall
on a compute-bound platform (ELAN-133MHz) shows ipfw+natd throughput
to be 50% of that offered by ipfilter+ipnat.

Is there anything that can be done to speed up either the
performance of divert and natd?  Alternatively, could network
address translation be merged into ipfirewall?

As we move from 1000BASE-TX to 10000BASE-TX, this will become
more of an issue, even on 3GHz machines.

Comments? Suggestions? Vision?