Avoiding natd overhead

Matthew D. Fuller fullermd at over-yonder.net
Sat Oct 21 09:58:11 UTC 2006


On Sat, Oct 21, 2006 at 12:47:54AM -0600 I heard the voice of
Brett Glass, and lo! it spake thus:
>
> How can I replace just the functionality of natd without moving to
> an entirely new firewall? Can I still select which packets are
> routed to the NAT engine, and when this occurs during the processing
> of the packet?

Paolo Pisati's 2005 SoC work on integrating libalias into ipfw might
fit here.  It should move the NAT'ing into the kernel and save all the
context switches and copies, and (what has me more interested) make it
much easier to change port forwarding and other rules.  The worst
thing about natd for me isn't performance, it's that I have to blow
away all the state to change anything.

I think some of the support has been brought in, at least to -CURRENT,
but I'm not sure, and I'm pretty sure it isn't in RELENG_6 or earlier.
Paolo?


-- 
Matthew Fuller     (MF4839)   |  fullermd at over-yonder.net
Systems/Network Administrator |  http://www.over-yonder.net/~fullermd/
           On the Internet, nobody can hear you scream.
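As an added example (not from this thread), a minimal in-kernel NAT gateway using the "ipfw nat" rules that the libalias-into-ipfw integration provides: rule 200 selects which packets reach the NAT engine and its position fixes when translation happens relative to the filter rules. The interface names, LAN range and forwarded web server are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: natd replaced by ipfw's in-kernel
# NAT (kernel option IPFIREWALL_NAT or the ipfw_nat module). Interfaces,
# LAN range and the forwarded host below are assumed placeholders.
EXT_IF="${EXT_IF:-em0}"
LAN_IF="${LAN_IF:-em1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_SRV="${WEB_SRV:-192.168.1.10}"

# Emit the ruleset, one ipfw(8) command per line without the leading "ipfw".
# Kept in a function so it can be reviewed before it touches the kernel.
# Rules 300+ only ever see already-translated addresses: outbound packets
# carry the external address, inbound packets that matched a NAT session (or
# the port redirect) carry a LAN address, untranslated ones do not and fall
# through to the final deny.
nat_rules() {
    cat <<EOF
nat 1 config if $EXT_IF same_ports reset redirect_port tcp $WEB_SRV:80 80
add 100 allow ip from any to any via lo0
add 110 allow ip from any to any via $LAN_IF
add 200 nat 1 ip4 from any to any via $EXT_IF
add 300 allow ip from any to any out via $EXT_IF
add 310 allow tcp from any to $WEB_SRV 80 in via $EXT_IF setup
add 320 allow tcp from any to $LAN_NET in via $EXT_IF established
add 330 allow udp from any to $LAN_NET in via $EXT_IF
add 65000 deny log ip from any to any
EOF
}

# one_pass=0 makes a packet continue at the next rule after the nat action
# instead of being accepted straight away, so the filter rules run on the
# translated packet.
apply_rules() {
    kldstat -q -m ipfw_nat || kldload ipfw_nat
    sysctl net.inet.ip.fw.one_pass=0
    ipfw -q -f flush
    nat_rules | while read -r line; do
        ipfw -q $line          # word-splitting of $line is intended
    done
}

# Change redirects without flushing rules: re-issuing "nat 1 config" updates
# the existing instance, which is what natd cannot do without a restart.
update_nat_config() {
    nat_rules | grep '^nat 1 config' | while read -r line; do
        ipfw -q $line
    done
}

case "${1:-}" in
    apply)  apply_rules ;;
    update) update_nat_config ;;
esac
```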

