IPFW with user-ppp's NAT
cyberleo at cyberleo.net
Mon Mar 17 10:37:38 UTC 2008
Erik Trulsson wrote:
> On Sun, Mar 16, 2008 at 04:37:18PM +0100, Wojciech Puchar wrote:
>>> Frankly I'm a bit surprised that this hasn't been more widely heralded,
>>> as userland natd is often given as a reason to prefer other firewalls,
>> what's wrong in userland natd?
> Performance. With userland natd, every packet that passes through natd
> must pass from kernel to userland (causing one context switch) and back
> again (causing another context switch). This will be slower and use more
> CPU than doing it all inside the kernel, without any context switches.
Online reconfiguration. Userland natd requires a restart (and a loss of
all nat state information) when you want to change forwarded ports and
such, whereas the in-kernel NAT engines (in ipf and pf, at least)
support reconfiguration without flushing state. To a large extent, at least.
<CyberLeo at CyberLeo.Net>
Furry Peace! - http://wwww.fur.com/peace/