Avoiding natd overhead
Brett Glass
brett at lariat.net
Mon Oct 23 18:50:45 UTC 2006
At 10:21 PM 10/21/2006, Julian Elischer wrote:

>OR in 7.0 you can call netgraph directly
>
>there is a netgraph keyword in ipfw.

I just took a look at that. Could work, except that the ng_nat
Netgraph node only does very basic NAT. One can't do static NAT,
and none of natd's other options are accessible.

Whilst perusing the code, I also noticed that libalias expects all
packets to be in a single contiguous buffer. This means that ng_nat
doesn't get rid of one of the big inefficiencies involved in the
use of natd: the need to make a copy of the mbuf chain containing
the packet to ensure contiguity. (This is an issue with anything
that uses divert sockets, but it creeps in with ng_nat as well due
to the way libalias is coded.) Using a Netgraph node would help
with the ring transition, though, so there should be some savings.

Has the "netgraph" keyword been MFCed?

--Brett Glass