IPFW with user-ppp's NAT

Ian Smith smithi at nimnet.asn.au
Mon Mar 17 03:11:37 UTC 2008

On Sun, 16 Mar 2008 18:20:12 +0100 (CET)
 Wojciech Puchar <wojtek at wojtek.tensor.gdynia.pl> wrote:
 > >>
 > >> what's wrong in userland natd?
 > >
 > > Performance.  With userland natd, every packet that passes through natd
 > > must pass from kernel to userland (causing one context switch) and back
 > > again (causing another context switch).  This will be slower and use more
 > > CPU than doing it all inside the kernel, without any context switches.
 > true, anyway for my two 2Mbps symmetric connections (all for nat), and
 > three 4/0.5Mbit connections (part for nat, mostly for squid) all natd
 > processes take at most 3 percent of a single core (core2duo).

Sure.  And with my little 512/128k ADSL link, soon 1500/256, I doubt you
could even measure the difference.  I haven't seen any comparative data
on high-performance boxes but as Erik points out, it may be significant.

Just to make it clear, my point was that one reason for deprecating ipfw
is out the door, and that its development is ongoing.  I see rc.firewall
has had a recent facelift too, including a stateful 'workstation' type.

(Sorry that our ancient mail setup blocked your mail; hopefully fixed.)

cheers, Ian