Avoiding natd overhead

Vladimir Grebenschikov vova at fbsd.ru
Sat Oct 21 09:54:58 UTC 2006


On Sat, 21/10/2006 at 00:47 -0600, Brett Glass writes:
> I'm working with a FreeBSD-based router that's using IPFW for 
> policy routing, traffic shaping, and transparent proxying and natd 
> for network address translation. IPFW does these things pretty well 
> (in fact, I don't know if another firewall, like pf, could even do 
> some of these things I'm doing with IPFW), but natd is by far the 
> most CPU-intensive process on the system and is causing it to 
> crumple like a wet towel under heavy loads. How can I replace just 
> the functionality of natd without moving to an entirely new 
> firewall? Can I still select which packets are routed to the NAT 
> engine, and when this occurs during the processing of the packet?

The problem is in the location of the natd functionality.
So, every packet which goes through NAT has to jump from the kernel to
user space and back. It really takes a lot of resources.

Solutions:
 1. use PF for NAT - it does aliasing in kernel space
 2. use the in-kernel libalias implementation
    (I guess the man page for ng_nat(4) will help)


> --Brett Glass
-- 
Vladimir B. Grebenschikov
vova at fbsd.ru
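One way to wire up option 2 in practice, as an added example that is not part of the thread: the ng_nat node is attached to ipfw through ng_ipfw hooks, so the ipfw rule set still decides which packets reach the NAT engine and at what point in the rule processing. It assumes the external interface is em0 and the public address is 203.0.113.1; with DRYRUN=1 (the default) the commands are only printed.

```shell
#!/bin/sh
# Replace natd with the in-kernel ng_nat(4) node driven from ipfw.
# Assumed values (placeholders, adjust for the real router):
EXT_IF=${EXT_IF:-em0}             # external (public) interface
ALIAS_ADDR=${ALIAS_ADDR:-203.0.113.1}  # address to alias behind
DRYRUN=${DRYRUN:-1}               # 1: print commands, 0: execute them

run() {
    if [ "$DRYRUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create the nat node and connect it to ipfw via ng_ipfw hooks:
#   ipfw hook 60 -> nat "out" (outbound traffic gets aliased)
#   ipfw hook 61 -> nat "in"  (inbound traffic gets de-aliased)
ng_nat_setup() {
    run kldload ng_ipfw
    run kldload ng_nat
    run ngctl mkpeer ipfw: nat 60 out
    run ngctl name ipfw:60 nat
    run ngctl connect ipfw: nat: 61 in
    run ngctl msg nat: setaliasaddr "$ALIAS_ADDR"
}

# Divert only traffic on the external interface into the nat node; any
# other ipfw rules (shaping, fwd, etc.) stay in place around these two.
ipfw_nat_rules() {
    run ipfw add 60 netgraph 61 ip from any to any in via "$EXT_IF"
    run ipfw add 61 netgraph 60 ip from any to any out via "$EXT_IF"
    # With one_pass=1 a packet returning from netgraph is accepted at
    # once; set it to 0 so it continues at the next rule after 60/61.
    run sysctl net.inet.ip.fw.one_pass=0
}

if [ "${1:-}" = apply ]; then
    DRYRUN=0
    ng_nat_setup
    ipfw_nat_rules
fi
```

Run it with `apply` as root on the router to execute; without arguments it only shows what would be done.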

