Plan 9 does need one extra connection per client and a process (or
two?) to do the export. I think Eris is saying that this makes Plan
9's resource requirements grow with the number of hosts behind the
gateway -- not just with the number of connections through it like
Linux. You're right, Eris, but I think you're missing the point:
importing /net gives you all the features you'd want from NAT (and
some it doesn't give you) without a single line of code specifically
written to make it happen. It isn't an example of how you can handle
the most clients with the least hardware. It's an example of how a
good design can give you features without having to code each one
individually.
Very well said. This posting summarizes what's been going on:
1. Generality is good.
2. Generality costs.
3. Depending upon circumstances, the costs of generality may or may not
entirely overshadow its benefits.
4. The application should determine choices of software. No solution fits
all.
5. If you need NAT, weigh the options of doing it. It may turn out that
importing /net is the best choice for your application. Or it may turn out
otherwise. /net has a raison d'être--regular NAT, too.
--On Saturday, November 15, 2008 2:13 PM -0800 Micah Stetson
<[EMAIL PROTECTED]> wrote:
I'm unclear as to what "amount of state" iptables needs to keep.
After you do something like:
# iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE
the Linux kernel module called nf_conntrack starts allocating
data structures to do its job. I'll leave it up to you to see how much
memory gets wasted on each connection. Here's a hint,
though: /proc/net/nf_conntrack
I don't think Plan 9 is keeping any less state, is it? As far as the
gateway is concerned, all of the connections from machines importing
its /net are the same as connections from local programs. The TCP/IP
stack has to keep track of those, but Plan 9 doesn't need separate
connection tracking code for that because it's handled like any other
connection.
Micah
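To make the "amount of state" point concrete, here is an added example (not from the thread or any of its participants) that parses a few constructed lines in the /proc/net/nf_conntrack format Eris points at and reports how many tracked flows exist versus how many distinct hosts sit behind the gateway; the addresses, SAMPLE text and helper names are assumptions, and the parser assumes the modern nf_conntrack layout (l3proto, l3num, l4proto, l4num, timeout, optional state, then key=value tokens and bracketed flags).

```python
import re
from collections import Counter

# Constructed sample in /proc/net/nf_conntrack format (hypothetical addresses).
SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=51234 dport=443 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=192.168.1.10 dst=198.51.100.7 sport=51235 dport=80 src=198.51.100.7 dst=203.0.113.5 sport=80 dport=51235 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.11 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=40000 mark=0 zone=0 use=2
ipv4     2 tcp      6 55 SYN_SENT src=192.168.1.12 dst=198.51.100.9 sport=60000 dport=22 [UNREPLIED] src=198.51.100.9 dst=203.0.113.5 sport=22 dport=60000 mark=0 zone=0 use=2
"""

# Fixed leading columns; everything after the timeout is state/flags/key=value.
LINE_RE = re.compile(r"^(?P<l3>\S+)\s+\d+\s+(?P<l4>\S+)\s+\d+\s+(?P<timeout>\d+)\s+(?P<rest>.*)$")


def parse_entry(line):
    """Return one conntrack entry as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    state = None
    # TCP (and SCTP) entries carry a state word; UDP/ICMP entries go straight to src=.
    if tokens and "=" not in tokens[0] and not tokens[0].startswith("["):
        state = tokens.pop(0)
    flags = [t.strip("[]") for t in tokens if t.startswith("[")]
    kv = [t.split("=", 1) for t in tokens if "=" in t]
    # The first src/dst pair is the original direction (the host behind the
    # gateway), the second is the reply direction (after masquerading).
    srcs = [v for k, v in kv if k == "src"]
    dsts = [v for k, v in kv if k == "dst"]
    return {"l4": m.group("l4"), "timeout": int(m.group("timeout")), "state": state,
            "flags": flags, "orig_src": srcs[0], "orig_dst": dsts[0],
            "reply_dst": dsts[1] if len(dsts) > 1 else None}


def summarize(text):
    """Count tracked flows (what conntrack pays for) against distinct internal hosts."""
    entries = [e for e in (parse_entry(l) for l in text.splitlines()) if e]
    return {
        "connections": len(entries),
        "internal_hosts": len({e["orig_src"] for e in entries}),
        "by_state": dict(Counter(e["state"] or e["l4"] for e in entries)),
        "unreplied": sum("UNREPLIED" in e["flags"] for e in entries),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against a live gateway by feeding it the contents of /proc/net/nf_conntrack instead of SAMPLE; the "connections" count is what grows with traffic through a Linux NAT, while "internal_hosts" is the figure an exported /net would track.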