natd slow, eats up an entire CPU...
Mikhail T.
mi at aldan.algebra.com
Mon Nov 28 05:17:12 UTC 2011
Hello!
I recently upgraded a friend's computer to 8.2-STABLE and
we are noticing some network performance problems...
In particular, when a large file is being uploaded outside
(via scp), two weird things happen:
1. Although it begins with a transfer rate of over 2Mb/s
(as reported by scp itself), it quickly drops down to
10-15Kb/s and even completely stalls on occasion.
2. natd can be seen (in top) as chewing up an entire CPU
(one of the four 1.8GHz Opterons).
Although the first problem can be explained by some sort of attempts
by an ISP to throttle long large file-transfers, I don't have an
easy explanation for the second...
If I flush the ipfw-rules, the natd disappears from top's list and
the transfer speeds up to about 260Kb/s (still nowhere near the
initial 2Mb/s, but much higher than the 10-15Kb/s).
There are two network cards in the machine: nfe0 (external) and bge0
(internal). There is no IPv6 in the picture (world is built with
NO_INET6).
The daemon is running as:
/sbin/natd -redirect_port tcp natasha:ssh 23 -redirect_port tcp isp.mail.ser.ver:smtp 2525 -dynamic -n nfe0
The ipfw rules are derived from the "simple" firewall:
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from 192.168.1.0 to any in via nfe0
00500 deny ip from any to 10.0.0.0/8 via nfe0
00600 deny ip from any to 172.16.0.0/12 via nfe0
00700 deny ip from any to 192.168.0.0/16 via nfe0
00800 deny ip from any to 0.0.0.0/8 via nfe0
00900 deny ip from any to 169.254.0.0/16 via nfe0
01000 deny ip from any to 192.0.2.0/24 via nfe0
01100 deny ip from any to 224.0.0.0/4 via nfe0
01200 deny ip from any to 240.0.0.0/4 via nfe0
01300 deny ip from not one.special.foreign.ip to any dst-port 2525
01400 divert 8668 ip4 from any to any via nfe0
01500 deny ip from 10.0.0.0/8 to any via nfe0
01600 deny ip from 172.16.0.0/12 to any via nfe0
01700 deny ip from 192.168.0.0/16 to any via nfe0
01800 deny ip from 0.0.0.0/8 to any via nfe0
01900 deny ip from 169.254.0.0/16 to any via nfe0
02000 deny ip from 192.0.2.0/24 to any via nfe0
02100 deny ip from 224.0.0.0/4 to any via nfe0
02200 deny ip from 240.0.0.0/4 to any via nfe0
02300 allow tcp from any to any established
02400 allow ip from any to any frag
02500 allow tcp from any to me dst-port 22 setup
02600 allow tcp from any to me dst-port 25 setup
02700 allow tcp from any to me dst-port 53 setup
02800 allow udp from any to me dst-port 53
02900 allow udp from me 53 to any
03000 allow tcp from any to me dst-port 80 setup
03100 allow tcp from any to me dst-port 2875-3000 setup
03200 deny log logamount 100 ip4 from any to any in via nfe0 setup proto tcp
03300 allow tcp from any to any setup
03400 allow udp from me to any dst-port 53 keep-state
03500 allow udp from me to any dst-port 123 keep-state
Please, advise. Thanks! Yours,
-mi
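As an added example, not part of the original post or of FreeBSD's rc.firewall, here is a small Python checker for the kind of ruleset quoted above. It parses `ipfw list` output, locates the divert rule that hands packets to natd, reports which earlier rules are bound to the NAT interface, and flags network addresses written without a prefix length (ipfw treats a bare dotted quad as a single host, so a rule like 00400 with `192.168.1.0` and no `/24` covers only that one address). The sample ruleset is a constructed subset of the rules in the post; the lint heuristics and names (`Rule`, `parse_ruleset`, `lint`) are my own and generalize to any listing in this shape, not only the rules shown here.

```python
"""Parse `ipfw list` output and lint a natd/divert ruleset (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the rules quoted in the post, with rule
# 00400 copied as written (no /24 on the internal network).
SAMPLE_RULES = """\
00100 allow ip from any to any via lo0
00400 deny ip from 192.168.1.0 to any in via nfe0
00500 deny ip from any to 10.0.0.0/8 via nfe0
00700 deny ip from any to 192.168.0.0/16 via nfe0
01300 deny ip from not one.special.foreign.ip to any dst-port 2525
01400 divert 8668 ip4 from any to any via nfe0
01500 deny ip from 10.0.0.0/8 to any via nfe0
02300 allow tcp from any to any established
02900 allow udp from me 53 to any
03200 deny log logamount 100 ip4 from any to any in via nfe0 setup proto tcp
"""


@dataclass
class Rule:
    num: int
    action: str
    options: list          # tokens between action and protocol, e.g. ['8668'] or ['log', 'logamount', '100']
    proto: str
    src: str               # everything between 'from' and 'to' (may include 'not' or a source port)
    dst: str
    rest: list = field(default_factory=list)   # tokens after the destination: via, in/out, ports, flags

    def interface(self):
        """Return the interface named after 'via'/'recv'/'xmit', or None if the rule is not bound to one."""
        for i, tok in enumerate(self.rest):
            if tok in ("via", "recv", "xmit") and i + 1 < len(self.rest):
                return self.rest[i + 1]
        return None


def parse_rule(line):
    """Split one `ipfw list` line into its parts using the 'from' / 'to' keywords as anchors."""
    tokens = line.split()
    from_i = tokens.index("from")
    to_i = tokens.index("to", from_i)
    return Rule(
        num=int(tokens[0]),
        action=tokens[1],
        options=tokens[2:from_i - 1],
        proto=tokens[from_i - 1],
        src=" ".join(tokens[from_i + 1:to_i]),
        dst=tokens[to_i + 1],
        rest=tokens[to_i + 2:],
    )


def parse_ruleset(text):
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


BARE_QUAD_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")   # dotted quad with no /prefix


def lint(rules):
    """Return a list of (rule number, finding) pairs for the ruleset."""
    findings = []
    for r in rules:
        # A bare dotted quad matches exactly one host; one ending in .0 with
        # no prefix length is almost certainly a network with a missing /mask.
        for addr in (r.src, r.dst):
            for word in addr.split():
                if BARE_QUAD_RE.match(word) and word.endswith(".0"):
                    findings.append((r.num, f"address {word} has no prefix length; ipfw matches only that one host"))
    for d in (r for r in rules if r.action == "divert"):
        iface = d.interface()
        port = d.options[0] if d.options else "?"
        findings.append((d.num, f"divert to port {port} on {iface}: every packet on {iface} "
                                f"not handled by an earlier rule is passed to userland natd"))
        earlier = [r.num for r in rules if r.num < d.num and r.interface() == iface]
        findings.append((d.num, f"earlier rules bound to {iface}: {earlier}"))
    return findings


if __name__ == "__main__":
    for num, msg in lint(parse_ruleset(SAMPLE_RULES)):
        print(f"{num:05d}: {msg}")
```

Run against a live listing with `ipfw list | python3 ipfw_lint.py` after swapping `SAMPLE_RULES` for `sys.stdin.read()`. The divert finding is the operational point: with userland natd every packet reaching the divert rule on nfe0 crosses into userland and back, so bulk transfers through that interface cost CPU in proportion to their packet rate, which is what `top` shows.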