[Bug 219316] Wildcard matching of ipfw flow tables

[bugzilla-noreply at freebsd.org]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219316

            Bug ID: 219316
           Summary: Wildcard matching of ipfw flow tables
           Product: Base System
           Version: 11.0-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: lutz at donnerhacke.de

For Carrier Grade NAT environments any simple NAT table selection is not
usable:

1) Large Scale NAT violates the happy eyeball requirement, that a given client
should always use the same external IP while communicating to a given service.

2) Mapping all customers to a single IP does not work either, because there are
too much connections originating by those customers.

Consequently a deterministically selected group of clients has to share the
same NAT table using a single external IP. A typical approach is to use
wildcards to match the right NAT instance:

add 2100 nat 100 ipv4 from 100.64.0.0:255.192.0.63 to any xmit ext out
add 2101 nat 101 ipv4 from 100.64.0.1:255.192.0.63 to any xmit ext out
add 2102 nat 102 ipv4 from 100.64.0.2:255.192.0.63 to any xmit ext out
...

This approach is inefficient, tables could help. But tables does not support
wildcard masking of lookup data. With such an wildcard mask, especially the
flow tables could greatly improve performance.

-- 
You are receiving this mail because:
You are the assignee for the bug.