Date:      Wed, 17 May 2017 16:27:48 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 219316] Wildcard matching of ipfw flow tables
Message-ID:  <bug-219316-8-Jxidn1giK4@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-219316-8@https.bugs.freebsd.org/bugzilla/>
References:  <bug-219316-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219316

--- Comment #7 from lutz@donnerhacke.de ---
# ipfw show
00100 228070727002 277397011152705 nat tablearg ip4 from any to any flow
table(natin) recv ext in
00200 247814016293  35467809536790 nat tablearg ip4 from any to any flow
table(natout) xmit ext out

# cat /etc/firewall.rules
nat 1 config ip a.b.c.48 same_ports
nat 2 config ip a.b.d.48 same_ports
...
nat 127 config ip x.y.z.46 same_ports
nat 128 config ip x.y.z.47 same_ports

table natin create type flow:dst-ip valtype nat
table natin setmask 255.255.255.255
table natin add a.b.c.48 1
table natin add a.b.d.48 2
...
table natin add x.y.z.46 127
table natin add x.y.z.47 128

table natout create type flow:src-ip valtype nat
table natout setmask 255.192.0.127
table natout add 100.64.0.0 1
table natout add 100.64.0.1 2
...
table natout add 100.64.0.126 127
table natout add 100.64.0.127 128


There are multiple machines doing this (with different NAT IPs).

I'm going to extend the flow in the following way in order to reuse the ports
much more:

table natin create type flow:src-ip,proto,src-port,dst-ip valtype nat
table natin setmask 0.0.15.0,1,3,255.255.255.255

table natout create type flow:src-ip,proto,dst-ip,dst-port valtype nat
table natout setmask 255.192.0.127,1,0.0.15.0,3

Yes, this generates 128 (NAT-IPs) * 2 (Protocol) * 16 (dest-ip) * 4 (dest-port)
= 16384 NAT tables.

Depending on the available RAM, I'll extend the masks further.

But I do need a different NAT table selection algorithm for this approach, the
current linked list needs to be replaced by a much more efficient access
scheme. I'll send this patch later.

-- 
You are receiving this mail because:
You are the assignee for the bug.
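The following is an added model (example code, not ipfw's implementation and not part of the bug report) of the flow-table lookup the comment above relies on. It assumes that ipfw ANDs each field of the packet's flow key with the matching `setmask` value before looking the tuple up, and it uses the comment's extended `natout` definition (`flow:src-ip,proto,dst-ip,dst-port` with mask `255.192.0.127,1,0.0.15.0,3`) to show where the figure of 16384 NAT instances comes from; the client range 100.64.0.0/10, the protocol numbers and the sample packet are constructed for the example.

```python
import ipaddress
from itertools import product

# Constructed model of an ipfw "flow" table with "setmask" (example code,
# not ipfw's own logic): every field of the packet's flow key is ANDed
# with the corresponding mask field, and the masked tuple selects the
# NAT instance, as the comment's "nat tablearg ... flow table(natout)"
# rule does.

def mask_ip(ip, mask):
    """Bitwise AND of two dotted-quad IPv4 strings."""
    a = int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(a))

def masked_key(flow, mask):
    """flow and mask are (src-ip, proto, dst-ip, dst-port) tuples, the
    field order of 'table natout create type flow:src-ip,proto,dst-ip,dst-port'."""
    src, proto, dst, dport = flow
    msrc, mproto, mdst, mdport = mask
    return (mask_ip(src, msrc), proto & mproto, mask_ip(dst, mdst), dport & mdport)

# 'table natout setmask 255.192.0.127,1,0.0.15.0,3' from the comment.
NATOUT_MASK = ("255.192.0.127", 1, "0.0.15.0", 3)

def build_natout_table(mask=NATOUT_MASK):
    """Enumerate every masked key a client in 100.64.0.0/10 (assumed client
    range) can produce and give each a distinct NAT instance number, the
    way the comment's 'table natout add ... N' lines do.
    Returns {masked_key: nat_instance}."""
    srcs = [f"100.64.0.{i}" for i in range(128)]  # low 7 src bits: 128
    protos = [6, 17]                              # TCP/UDP, mask 1: 2
    dsts = [f"0.0.{i}.0" for i in range(16)]      # dst bits 8..11: 16
    dports = [0, 1, 2, 3]                         # low 2 port bits: 4
    table = {}
    for src, proto, dst, dport in product(srcs, protos, dsts, dports):
        key = masked_key((src, proto, dst, dport), mask)
        table.setdefault(key, len(table) + 1)
    return table  # 128 * 2 * 16 * 4 = 16384 entries

def nat_instance(flow, table, mask=NATOUT_MASK):
    """NAT instance selected for a packet, or None when no entry matches
    (e.g. a source address outside the client range)."""
    return table.get(masked_key(flow, mask))

if __name__ == "__main__":
    natout = build_natout_table()
    pkt = ("100.64.37.5", 6, "203.0.113.77", 443)  # constructed sample packet
    print(len(natout), masked_key(pkt, NATOUT_MASK), nat_instance(pkt, natout))
```

Note that the size of the table grows with the number of set bits in the masks, which is the RAM trade-off the comment mentions, and that a flow whose masked key has no entry falls through to no NAT instance at all.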


