> NAT is not a security feature,

Many would disagree with that assertion.

> and should be used only where it is
> actually necessary to translate addresses, and as far towards the edge
> as possible.

This is typically where firewalls are found.

> If you believe you need to NAT at even 1Gb, I'd look very hard at the requirements.

Sadly, requirements are often exogenous.

> The performance hit on crossing the kernel-userspace boundary for natd is inherent, apart from any code optimization that might be possible.

Right, it's the copying of data that creates the ultimate barrier. Ruslan has suggested an analogue to divert that uses ng_ksocket. That might be promising.

> But moving NAT into the kernel has great impact on kernel memory usage, which needs much more care than in user space. NATs can be DoS'd, and running out of kernel memory can be fatal.

Stateful packet filters can be DoS'd.
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
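The DoS point made in the exchange above (a NAT's state table, like a stateful filter's, can be exhausted, and when that memory is kernel memory the failure is fatal rather than merely degraded) is easiest to see in code. What follows is an added example and is not code from the thread, from natd, or from FreeBSD: a toy NAT translation table in C with a hard entry cap, an idle timeout and a per-source quota, showing that a single internal host can starve everyone else of translations unless it is rationed. The table size, port range, timeout and IP addresses are constructed values chosen for the demonstration.

```c
/* Bounded NAT state table: an added illustrative model, not natd or
 * any FreeBSD kernel code. Every limit below is a constructed value. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES  64    /* hard cap on state the translator may hold (hypothetical) */
#define IDLE_TIMEOUT 300   /* seconds after which an unused mapping is reclaimed */
#define PORT_BASE    40000 /* first external port handed out (hypothetical range) */

struct flow { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };

struct nat_entry { struct flow f; uint16_t ext_port; uint64_t last_seen; int used; };

struct nat_table { struct nat_entry e[MAX_ENTRIES]; int count; uint16_t next_port; };

static void nat_init(struct nat_table *t) {
    memset(t, 0, sizeof *t);
    t->next_port = PORT_BASE;
}

static int flow_eq(const struct flow *a, const struct flow *b) {
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}

static struct nat_entry *nat_lookup(struct nat_table *t, const struct flow *f) {
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (t->e[i].used && flow_eq(&t->e[i].f, f)) return &t->e[i];
    return NULL;
}

/* Reclaim mappings idle for longer than IDLE_TIMEOUT; returns entries freed. */
static int nat_expire(struct nat_table *t, uint64_t now) {
    int freed = 0;
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (t->e[i].used && now - t->e[i].last_seen > IDLE_TIMEOUT) {
            t->e[i].used = 0; t->count--; freed++;
        }
    return freed;
}

static int nat_src_count(const struct nat_table *t, uint32_t src) {
    int n = 0;
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (t->e[i].used && t->e[i].f.src == src) n++;
    return n;
}

/* Translate flow f at time now. per_src_limit <= 0 means no quota.
 * Returns 1 and sets *ext_port on success, 0 if the flow is refused
 * (table full or source over quota). Refusing is the whole point:
 * dropping a new flow is recoverable, running out of memory is not. */
static int nat_translate(struct nat_table *t, const struct flow *f, uint64_t now,
                         int per_src_limit, uint16_t *ext_port) {
    struct nat_entry *e = nat_lookup(t, f);
    if (e) { e->last_seen = now; *ext_port = e->ext_port; return 1; }
    if (per_src_limit > 0 && nat_src_count(t, f->src) >= per_src_limit) return 0;
    if (t->count >= MAX_ENTRIES) return 0;
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (t->e[i].used) continue;
        t->e[i].used = 1; t->e[i].f = *f; t->e[i].last_seen = now;
        t->e[i].ext_port = t->next_port++;
        if (t->next_port < PORT_BASE) t->next_port = PORT_BASE; /* wrap; reuse not checked in this toy */
        t->count++;
        *ext_port = t->e[i].ext_port;
        return 1;
    }
    return 0;
}

/* One internal host (constructed address 10.0.0.2) opens 1000 distinct flows at t=100. */
static void flood(struct nat_table *t, int per_src_limit) {
    uint16_t p;
    struct flow atk = { .src = 0x0a000002, .dst = 0xc0000201, .sport = 0, .dport = 80, .proto = 6 };
    for (int i = 0; i < 1000; i++) {
        atk.sport = (uint16_t)(1025 + i);
        (void)nat_translate(t, &atk, 100, per_src_limit, &p);
    }
}

/* Returns 1 if a second host (10.0.0.3) still gets a mapping after the flood, 0 if denied. */
static int legit_survives_flood(int per_src_limit) {
    struct nat_table t; uint16_t p;
    nat_init(&t);
    flood(&t, per_src_limit);
    struct flow ok = { .src = 0x0a000003, .dst = 0xc0000201, .sport = 5000, .dport = 443, .proto = 6 };
    return nat_translate(&t, &ok, 101, per_src_limit, &p);
}

/* The cap holds regardless of how many flows are attempted. */
static int table_size_after_flood(void) {
    struct nat_table t; nat_init(&t); flood(&t, 0); return t.count;
}

/* Idle entries are reclaimed, so even an unrationed flood is a transient outage, not a leak. */
static int freed_after_idle(void) {
    struct nat_table t; nat_init(&t); flood(&t, 0);
    return nat_expire(&t, 100 + IDLE_TIMEOUT + 1);
}

int main(void) {
    printf("no quota:  legit host served? %d\n", legit_survives_flood(0));
    printf("quota 16:  legit host served? %d\n", legit_survives_flood(16));
    printf("entries after flood: %d, freed after idle: %d\n",
           table_size_after_flood(), freed_after_idle());
    return 0;
}
```

Without a per-source quota the attacker fills all 64 slots and the second host is refused; with a quota of 16 the attacker is capped and the second host is served. The hard cap is what keeps the failure out of the "fatal" category the thread describes, and the idle timeout is what makes it recover; a real translator also has to bound lookup cost (this toy scans linearly) and handle external-port reuse, which the example deliberately leaves out.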