[Bug 219316] Wildcard matching of ipfw flow tables
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Sat May 20 15:52:35 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219316
--- Comment #9 from Julian Elischer <julian at FreeBSD.org> ---
(In reply to lutz from comment #0)
>For Carrier Grade NAT environments any simple NAT table selection is not usable:
>
>1) Large Scale NAT violates the happy eyeball requirement, that a given client
> should always use the same external IP while communicating to a given service.
On what timescale? Forever? If a client is idle for 5 minutes (no sessions) can
it start using a new IP?
>
>2) Mapping all customers to a single IP does not work either, because there
> are too much connections originating by those customers.
How may remote addresses are you talking too?
You can reuse the same address and port to may different remote addresses..
>
> Consequently a deterministically selected group of clients has to share the
> same NAT table using a single external IP. A typical approach is to use
> wildcards to match the right NAT instance:
you just said that "Mapping all customers to a single IP does not work .."
and yet that is what you show here.. Am I misreading it?
How many clients are we talking about here? 10? 100? 1000? 10K? 100K? 1M?
and are these clients all on separate hardware? or are they coming from a small
number of session aggregator machines?
>
> add 2100 nat 100 ipv4 from 100.64.0.0:255.192.0.63 to any xmit ext out
> add 2101 nat 101 ipv4 from 100.64.0.1:255.192.0.63 to any xmit ext out
> add 2102 nat 102 ipv4 from 100.64.0.2:255.192.0.63 to any xmit ext out
> ...
>
> This approach is inefficient, tables could help. But tables does not support
> wildcard masking of lookup data. With such an wildcard mask, especially the
> flow tables could greatly improve performance.
I don't quite understand this bit
my memory is that you can have a table
100.64.0.0:255.192.0.63 0
100.64.0.1:255.192.0.63 1
100.64.0.2:255.192.0.63 2
... etc
followed by
nat tablearg ip from table (x) to any out xmit XX0
now getting the return packets back to the same NAT instance could be a
challenge depending on what the NAT does but it should be possible if each NAT
uses a different address as you suggest.
what am I missing?
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-ipfw
mailing list