Avoiding natd overhead
Brett Glass
brett at lariat.net
Sat Oct 21 22:08:36 UTC 2006
At 03:54 AM 10/21/2006, Vladimir Grebenschikov wrote:
> 1. use PF for nat - it does aliasing in kernel space
True, but it doesn't let me translate the packets and
then continue processing within the firewall -- which
is necessary if you want to catch unregistered destination
addresses BEFORE translation and then unregistered source
addresses AFTER translation.
> 2. use in-kernel libalias implementation
> (I guess man-page for ng_nat(4) will help)
Same problem. I don't know how I could send packets
through a Netgraph node in the middle of processing
by IPFW and then bring them back at the next rule.
I suppose that one solution might be, for lack of a
better term, a "kernel divert socket," which would
pass packets through a kernel module rather than a
user process. (This could actually be used to speed
up many things for which the current "userland"
divert sockets are now used.) It would then be
possible to make a "nat.ko" module, and either
provide a utility to control it or roll that
functionality into ipfw(8).
--Brett
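One way to lay out an ipfw ruleset with the ordering the reply describes (filter the untranslated destination before the divert to natd, the translated source after it), as an added example that is not part of the thread; the external interface name, natd's port and the RFC 1918 ranges used as "unregistered" addresses are assumptions:

```shell
#!/bin/sh
# Added example, not from the original thread.  A packet that natd
# re-injects re-enters ipfw at the rule after the divert rule, so the
# post-translation checks can simply follow it.  Interface name, natd
# port and the private ranges are assumptions.
EXT_IF="${EXT_IF:-em0}"          # assumed external interface
NATD_PORT=8668                   # natd's default divert port
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Emit the ruleset in processing order, one "add" line per rule,
# in the form ipfw(8) reads from a rules file.
nat_ruleset() {
    n=1000
    # Before translation: nothing crossing the external interface may
    # be addressed to an unregistered (private) destination.
    for net in $PRIVATE_NETS; do
        echo "add $n deny log ip from any to $net via $EXT_IF"
        n=$((n + 10))
    done
    # Translation point: natd gets the packet through the divert socket
    # and hands it back; processing resumes at the next rule.
    echo "add 2000 divert $NATD_PORT ip from any to any via $EXT_IF"
    # After translation: the source must now be a registered address.
    # A private source here means an untranslated outbound packet or a
    # spoofed inbound one.
    n=3000
    for net in $PRIVATE_NETS; do
        echo "add $n deny log ip from $net to any via $EXT_IF"
        n=$((n + 10))
    done
    echo "add 4000 allow ip from any to any"
}

# Helpers that show the ordering: rules before / after the divert rule.
rules_before_divert() { nat_ruleset | sed '/ divert /,$d' | wc -l | tr -d ' '; }
rules_after_divert()  { nat_ruleset | sed '1,/ divert /d' | wc -l | tr -d ' '; }

# Load into the kernel only where ipfw(8) is present and we are root;
# otherwise just print the ruleset for inspection.
if command -v ipfw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    nat_ruleset | ipfw -q /dev/stdin
else
    nat_ruleset
fi
```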