IPFW In-Kernel NAT vs PF NAT Performance
Neel Chauhan
neel at neelc.org
Thu Mar 19 04:14:56 UTC 2020
Thanks for telling me this.
I switched to PF and it performs better.
However, if you know, where in the code does libalias use only 4096
buckets? I want to know in case I want/have to switch back to IPFW.
-Neel
On 2020-03-18 07:25, Lev Serebryakov wrote:
> On 18.03.2020 9:17, Kristof Provost wrote:
>
>>> Which firewall gives better performance, IPFW's In-Kernel NAT or PF
>>> NAT? I am dealing with 1000s of concurrent connections but
>>> browsing-level-bandwidth at once with Tor.
>>>
>> I’d expect both ipfw and pf to happily saturate gigabit links with
>> NAT, even on quite modest hardware.
>> Are you sure the NAT code is the bottleneck?
> ipfw nat is very slow, really. There are many reasons, and one of them
> (easily fixable, but you need to patch sources and rebuild kernel/module)
> is that `libalias` uses only 4096 buckets in state hashtable by default.
> So it could saturate 1GBps link if you have 10 TCP connections, but it
> could not saturate 100Mbit if you have, say, 100K UDP streams.
>
> I don't know about pf nat.