natd slow, eats up an entire CPU...
Ian Smith
smithi at nimnet.asn.au
Tue Nov 29 06:25:40 UTC 2011
On Tue, 29 Nov 2011 00:22:04 +0700, Eugene Grosbein wrote:
> Cc: eivind at dimaga.com, cm at linktel.net, archie at whistle.com,
> brian at awfulhak.org, suutari at iki.fi, net at freebsd.org,
> Eugene Grosbein <eugen at grosbein.net>
I've trimmed ccs except net@, feel free to re-add if desired.
> On Mon, Nov 28, 2011 at 12:12:52PM -0500, Mikhail T. wrote:
>
> > >Do not use natd, use ipfw nat instead - it uses the same libalias
> > >but completely in kernel and avoids gigantic natd overhead.
> > I guess, I'll have to research this new method... But I don't recall this
> > being a problem with FreeBSD-7.x -- are there some known regressions in
> > natd from 8.x?
I'm not sure, I recall seeing another problem apparently similar not
long ago (100% on one CPU for natd) but can't find it now, and am not
sure it turned out to be a natd problem or a config issue. Anyway, if
you update to ipfw nat and the issue goes away, you'd know soon enough.
> I do not know since there is no reason in using natd with 8.2-STABLE
> where it supports nearly all natd's features including multiple
> NAT instances and shared translation tables.
Yes. There are still a couple of issues regarding rc.firewall 'simple'
and the /etc/rc.d scripts to do with natd vs ipfw nat, especially where
both are enabled, that I offered patches for in these:
http://lists.freebsd.org/pipermail/freebsd-ipfw/2011-January/004500.html
http://lists.freebsd.org/pipermail/freebsd-ipfw/2011-January/004509.html
but due to health, relocation and slackness issues, never followed up in
the correct manner re PRs. I see there've been no subsequent changes to
these scripts on cvsweb, so you (Mikhail) could apply these for your
basis of the rc.firewall 'simple' ruleset, but it's likely enough to be
sure to remove natd_enable from rc.conf when adding firewall_nat_enable,
and using the ipfw nat syntax for open and client as an example.

If you find the ipfw nat section of ipfw(8) a little sparse, you can
still use natd(8) as a reference, modulo the slight changes in terms.

cheers, Ian
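
An added example, not part of the message above or of the FreeBSD rc scripts: a small POSIX sh check for the case the message warns about, natd_enable left set in rc.conf after firewall_nat_enable has been added. The helper names (rc_get, is_yes, nat_mode) and the sample file are constructed for illustration; treating an empty firewall_nat_interface as a misconfiguration is an assumption.

```shell
#!/bin/sh
# rc_get FILE VAR: print the last value assigned to VAR in an rc.conf-style file.
rc_get() {
    awk -v var="$2" -v q="'" '
        { sub(/^[ \t]+/, "") }
        index($0, var "=") == 1 {
            val = substr($0, length(var) + 2)
            c = substr(val, 1, 1)
            if (c == "\"" || c == q) {      # quoted: keep text up to the closing quote
                val = substr(val, 2)
                i = index(val, c)
                if (i) val = substr(val, 1, i - 1)
            } else {                        # unquoted: drop trailing comment and padding
                sub(/[ \t]+#.*$/, "", val)
                sub(/[ \t]+$/, "", val)
            }
            last = val                      # later assignments override earlier ones
        }
        END { print last }' "$1"
}

# is_yes VALUE: true for the spellings rc scripts accept as "enabled".
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# nat_mode FILE: print conflict | natd | ipfw-nat | ipfw-nat-no-interface | none
nat_mode() {
    natd=$(rc_get "$1" natd_enable)
    knat=$(rc_get "$1" firewall_nat_enable)
    kif=$(rc_get "$1" firewall_nat_interface)
    if is_yes "$natd" && is_yes "$knat"; then echo conflict
    elif is_yes "$natd"; then echo natd
    elif is_yes "$knat" && [ -z "$kif" ]; then echo ipfw-nat-no-interface
    elif is_yes "$knat"; then echo ipfw-nat
    else echo none
    fi
}

# Constructed sample: a host half-migrated from natd to ipfw nat.
sample=$(mktemp)
cat > "$sample" <<'EOF'
firewall_enable="YES"
firewall_type="simple"
natd_enable="YES"            # left over from the old setup
natd_interface="em0"
firewall_nat_enable="YES"
firewall_nat_interface="em0"
EOF
nat_mode "$sample"           # prints: conflict
rm -f "$sample"
```

On a real system run it against /etc/rc.conf and /etc/rc.conf.local in turn, since values in the latter override the former.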