On Nov 15, 2008, at 3:21 AM, Eris Discordia wrote:
>> Exactly! An idle TCP connection costs you nothing except the state
>> that
>
> Would you mind reading my response, too, and then informing me of
> your opinion?

It would be helpful if you can quote exactly the part on which you are
requesting my opinion.

>> Not only that, but if you look at the amount of state something like
>> iptables on Linux needs to keep in order to provide NAT capabilities it
>> becomes a complete toss.
>
> You seem to be extremely out of the field

What field?

> with respect to what iptables does and how normal NAT is implemented
> on a *BSD system (which was my example).

I have no knowledge of how NAT is implemented on a *BSD system and thus
I cannot comment. I am only familiar with the Linux implementation. Thus,
if that's not what you're interested in discussing -- let's stop right now.

> Iptables provides very sophisticated routing and filtering
> capabilities. It's used as a back-end for stateful inspection,
> packet rewriting, logging, routing, intrusion detection, and
> firewalling applications. That's NAT... plus one million other
> applications.

Yes. And that's the NAT that *I* and a million Linux lemmings out there
are familiar with. Arguing that your OS can do that in a simpler way is
as useful as trying to convince Windows users to migrate to Linux en masse.

> I'm unclear as to what "amount of state" iptables needs to keep

After you do something like:

# iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE

the Linux kernel module called nf_conntrack starts allocating
data structures to do its job. I'll leave it up to you to see how much
memory gets wasted on each connection. Here's a hint, though:
/proc/net/nf_conntrack

> that makes imported /net a "complete toss" assuming you can
> magically make /net provide the same functionality netfilter does.

I have no clue what netfilter does, thus I can't answer your question.
I thought the original discussion was dedicated to comparing the
overhead that a general-purpose NAT box has with the overhead of a Plan 9
box from which /net was imported. Since I haven't seen specifics, I gave
the example of a typical Linux NAT built using iptables. That's the area
I'm familiar with. If you're interested in something else -- there are
others on the list who might have an opinion.

> Also, neither you nor anyone else has addressed the question of
> port forwarding using an imported /net.

Define port forwarding. And I really mean it: define. Then I can maybe
offer a bit of functionality on Plan 9 that would be capable of fitting
your definition.
Thanks,
Roman.
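As an added example (not from the thread or either of its authors), a POSIX sh/awk script that summarises the /proc/net/nf_conntrack table Roman points at: entries per protocol and TCP state, plus how many carry an address translation (MASQUERADE/SNAT shows up as a reply-direction dst that differs from the original src; DNAT port forwarding as a reply src that differs from the original dst). The conntrack lines are constructed sample data in the kernel's layout; the addresses and ports are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises a /proc/net/nf_conntrack
# listing: entries per protocol and TCP state, and how many are translated.
# SAMPLE_CONNTRACK is constructed data in the kernel's layout:
#   l3proto l3num l4proto l4num timeout [tcp-state] <original tuple> [UNREPLIED] <reply tuple> [ASSURED] mark= zone= use=
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 118 TIME_WAIT src=192.168.1.11 dst=198.51.100.7 sport=40001 dport=80 src=198.51.100.7 dst=203.0.113.5 sport=80 dport=40001 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.12 dst=192.168.1.1 sport=41000 dport=53 src=192.168.1.1 dst=192.168.1.12 sport=53 dport=41000 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=198.51.100.20 dst=203.0.113.5 sport=50000 dport=8080 src=192.168.1.20 dst=198.51.100.20 sport=80 dport=50000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 300 SYN_SENT src=203.0.113.5 dst=198.51.100.9 sport=33000 dport=22 [UNREPLIED] src=198.51.100.9 dst=203.0.113.5 sport=22 dport=33000 mark=0 zone=0 use=2'

# conntrack_summary: read conntrack lines on stdin, print one summary line.
# The first src=/dst= pair is the original direction, the second the reply.
# MASQUERADE/SNAT: reply dst differs from original src.
# DNAT (port forwarding): reply src differs from original dst.
# Entries with neither are tracked (and cost conntrack memory) but not rewritten.
conntrack_summary() {
  awk '
    {
      total++
      proto[$3]++
      n = 0
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^src=/) { n++; src[n] = substr($i, 5) }
        else if ($i ~ /^dst=/) dst[n] = substr($i, 5)
        else if ($i ~ /^[A-Z_]+$/) state[$i]++   # bare upper-case token = TCP state
      }
      if (dst[2] != src[1]) snat++
      if (src[2] != dst[1]) dnat++
    }
    END {
      printf "total=%d snat=%d dnat=%d ", total, snat, dnat
      printf "tcp=%d udp=%d ", proto["tcp"], proto["udp"]
      printf "established=%d time_wait=%d\n", state["ESTABLISHED"], state["TIME_WAIT"]
    }'
}

# On a Linux NAT box (as root) run it against the live table; otherwise
# fall back to the constructed sample.
if [ -r /proc/net/nf_conntrack ]; then
  conntrack_summary < /proc/net/nf_conntrack
else
  printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_summary
fi
```

Pairing the live count with /proc/sys/net/netfilter/nf_conntrack_max tells you how close the table is to filling, which is the operational cost the thread is arguing about.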