Subject: Re: NAT Alternatives to IPF!
To: Alicia da Conceicao <alicia@internetpaper.com>
From: Greg A. Woods <woods@most.weird.com>
List: port-i386
Date: 10/26/1998 23:32:25
[ On Mon, October 26, 1998 at 11:21:35 (+0000), Alicia da Conceicao wrote: ]
> Subject: NAT Alternatives to IPF!
>
> There has to be a decent (FAST & SECURE) alternative to IPF (ipfilter) that
> can do fast one way NAT (network address translation) from non-routable IP
> space (10.x.x.x) to a single real IP number (from PPP or ethernet).

I'd suggest that you first speak to Darren Reed, ipfilter's author,
about the issues involved.  It's not all that simple a problem and from
my experience ipfilter does about as good a job as is possible.

Also from my experience Darren is quite aware of performance issues.  He
or others on the ipfilter mailing list may have some advice as to how to
speed things up.

Other than that I think your time would probably be better spent
profiling the performance of ipfilter's NAT code and trying to optimize
what it's doing rather than trying to re-invent this particularly
complex and many-faceted wheel.

>      I would appreciate hearing about any possible NAT alternatives for
> NetBSD, and if they don't exist, maybe the possibility of building one,
> similar to what I described.  It sounds like there are a lot of other
> NetBSD users who are unhappy with IPF.

I don't know of anything else that'll exceed ipfilter's performance, at
least not that can be used in/on a freely available *BSD.

The natd(8) that's in FreeBSD cannot possibly [by definition of the way
it works] exceed ipfilter's performance since it relies on the divert(4)
and ipfw(8) facilities to pass packets up to a user-level daemon which
must then modify them and pass them back down into the kernel.  That's a
whole heck of a lot of data copying through the kernel/user interface!
(I suppose it might be possible to do this in a zero-copy manner, but
that's not the way of FreeBSD's divert(4) so far as I know.)

See http://www.freebsd.org/cgi/man.cgi?manpath=FreeBSD+3.0-current if
you're interested in finding out more about it....

BTW, IPFW from FreeBSD is based on software originally written by Daniel
Boulet <danny@BouletFermat.ab.ca>, and since heavily modified and
integrated directly into FreeBSD.  Once upon a time it wasn't
commercially re-distributable -- at the time I was looking at it to
build a gateway machine I had to choose ipfilter instead -- and I've never
looked back!  Even today I'd still rather integrate ipfilter into
FreeBSD than use IPFW.  Since NetBSD has ipfilter already integrated
there's no question as to which to choose!  ;-)

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
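For readers who want to see what the one-way NAT Alicia asked about looks like in ipfilter's own NAT layer, here is an ipnat.conf for the scenario in the quoted message (10.x.x.x inside, one real address on a PPP link). This is an added illustration, not a file from Greg's message or from the ipfilter distribution; the interface name ppp0, the port range and the file path are assumptions and should be adjusted to the actual gateway.

```conf
# /etc/ipnat.conf -- one-way NAT for an RFC 1918 network behind a single
# real address on a PPP link.  Added example, not from the original post;
# ppp0 and the port range below are assumptions.
#
# "0/32" on the right-hand side tells ipnat to use whatever address ppp0
# currently has, so the rules survive a PPP reconnect that hands out a new
# address.  Rules are tried in order; the first matching "map" wins.

# TCP and UDP: rewrite the source address to ppp0's address and pick a
# source port from the given range, so many inside hosts can share the
# one outside address (ipnat records the mapping and reverses it on the
# replies).
map ppp0 10.0.0.0/8 -> 0/32 portmap tcp/udp 10000:40000

# Everything else (ICMP echo, etc.): plain address rewrite, no port mapping.
map ppp0 10.0.0.0/8 -> 0/32
```

Load it with `ipnat -CF -f /etc/ipnat.conf` (clear and flush the old table, then read the new rules), check what is active with `ipnat -l`, and watch the translation table and counters with `ipnat -s` while profiling. The kernel must also be forwarding (`sysctl -w net.inet.ip.forwarding=1`), and note that ipnat only translates; it does no filtering, so inbound access to the gateway still needs ipf(8) rules on ppp0.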