[Bug 219316] Wildcard matching of ipfw flow tables

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed May 17 16:27:48 UTC 2017


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219316

--- Comment #7 from lutz at donnerhacke.de ---
# ipfw show
00100 228070727002 277397011152705 nat tablearg ip4 from any to any flow table(natin) recv ext in
00200 247814016293  35467809536790 nat tablearg ip4 from any to any flow table(natout) xmit ext out

# cat /etc/firewall.rules
nat 1 config ip a.b.c.48 same_ports
nat 2 config ip a.b.d.48 same_ports
...
nat 127 config ip x.y.z.46 same_ports
nat 128 config ip x.y.z.47 same_ports

table natin create type flow:dst-ip valtype nat
table natin setmask 255.255.255.255
table natin add a.b.c.48 1
table natin add a.b.d.48 2
...
table natin add x.y.z.46 127
table natin add x.y.z.47 128

table natout create type flow:src-ip valtype nat
table natout setmask 255.192.0.127
table natout add 100.64.0.0 1
table natout add 100.64.0.1 2
...
table natout add 100.64.0.126 127
table natout add 100.64.0.127 128


There are multiple machines doing this (with different NAT IPs)

I'm going to extend the flow in the following way in order to reuse the ports
much more:

table natin create type flow:src-ip,proto,src-port,dst-ip valtype nat
table natin setmask 0.0.15.0,1,3,255.255.255.255

table natout create type flow:src-ip,proto,dst-ip,dst-port valtype nat
table natout setmask 255.192.0.127,1,0.0.15.0,3

Yes, this generates 128 (NAT-IPs) * 2 (Protocol) * 16 (dest-ip) * 4 (dest-port)
=  16384 NAT tables.

Depending on the available RAM, I'll extend the masks further.

But I do need a different NAT table selection algorithm for this approach; the
current linked list needs to be replaced by a much more efficient access
scheme. I'll send this patch later.

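The following is an added example, not code from ipfw or from the comment above, that simulates the mask-based flow-table selection the comment describes: every field of the flow key is ANDed with its part of the mask before the lookup. That per-field bitwise-AND semantics of `setmask` is an assumption of this example, as are the NAT addresses (the RFC 5737 range stands in for the elided a.b.c.48 ... x.y.z.47 entries) and the dense numbering of the 128 * 2 * 16 * 4 instances. It builds the extended natout/natin tables with the exact masks quoted above, confirms the 16384 keys, and checks that a client's outbound flow and the reply to it land on the same NAT instance, which is the property the two tables must preserve.

```python
"""Simulate mask-based flow-table NAT selection (added example, not ipfw code)."""
from ipaddress import IPv4Address
from itertools import product

TCP, UDP = 6, 17

# Constructed NAT addresses from the RFC 5737 documentation range; the
# comment's real a.b.c.48 ... x.y.z.47 addresses are not reproduced here.
NAT_IPS = ["192.0.2.%d" % i for i in range(128)]


def ip2int(text):
    return int(IPv4Address(text))


class FlowTable:
    """Flow table whose key is every field ANDed with its mask.

    Assumption of this example: ``setmask`` means a per-field bitwise AND,
    with IP fields written as dotted quads and proto/port fields as plain
    integers, in the same order as the flow type lists its fields.
    """

    def __init__(self, fields, mask_spec):
        self.fields = tuple(fields)
        parts = mask_spec.split(",")
        if len(parts) != len(self.fields):
            raise ValueError("mask has %d parts for %d fields"
                             % (len(parts), len(self.fields)))
        self.masks = tuple(ip2int(p) if f.endswith("-ip") else int(p)
                           for f, p in zip(self.fields, parts))
        self.entries = {}

    def key(self, flow):
        return tuple(flow[f] & m for f, m in zip(self.fields, self.masks))

    def add(self, flow, value):
        self.entries[self.key(flow)] = value

    def lookup(self, flow):
        return self.entries.get(self.key(flow))


def instance_id(nat_idx, proto_bit, remote_nibble, port_bits):
    """Dense numbering of the 128*2*16*4 instances (this example's choice)."""
    return ((nat_idx * 2 + proto_bit) * 16 + remote_nibble) * 4 + port_bits + 1


def build_tables():
    natout = FlowTable(("src-ip", "proto", "dst-ip", "dst-port"),
                       "255.192.0.127,1,0.0.15.0,3")
    natin = FlowTable(("src-ip", "proto", "src-port", "dst-ip"),
                      "0.0.15.0,1,3,255.255.255.255")
    client_base = ip2int("100.64.0.0")
    for k, pb, nib, port in product(range(128), range(2), range(16), range(4)):
        n = instance_id(k, pb, nib, port)
        # Outbound: 100.64.0.k stands for every 100.64/10 host whose low
        # 7 bits are k; the remote side shrinks to one nibble + two port bits.
        natout.add({"src-ip": client_base + k, "proto": pb,
                    "dst-ip": nib << 8, "dst-port": port}, n)
        # Inbound: the same remote nibble/port bits plus the full NAT address
        # must select the same instance, or the reply misses its state.
        natin.add({"src-ip": nib << 8, "proto": pb,
                   "src-port": port, "dst-ip": ip2int(NAT_IPS[k])}, n)
    return natout, natin


def round_trip(natout, natin, client_ip, remote_ip, remote_port, proto):
    """NAT instance chosen for a client flow and for the reply to it."""
    out_id = natout.lookup({"src-ip": ip2int(client_ip), "proto": proto,
                            "dst-ip": ip2int(remote_ip), "dst-port": remote_port})
    nat_ip = NAT_IPS[(out_id - 1) // (2 * 16 * 4)]  # invert instance_id
    in_id = natin.lookup({"src-ip": ip2int(remote_ip), "proto": proto,
                          "src-port": remote_port, "dst-ip": ip2int(nat_ip)})
    return out_id, in_id, nat_ip


if __name__ == "__main__":
    out, inn = build_tables()
    print(len(out.entries), "outbound keys,", len(inn.entries), "inbound keys")
    for client in ("100.64.5.130", "100.100.3.2"):
        print(client, round_trip(out, inn, client, "198.51.100.42", 443, TCP))
```

Two clients that differ only above the low 7 bits of their address (100.64.5.130 and 100.100.3.2) collapse onto the same natout key and therefore the same NAT address, which is what the 255.192.0.127 mask is for; switching the same flow from TCP to UDP flips the proto bit and selects a different instance on the same NAT address.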