https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219316
--- Comment #7 from l...@donnerhacke.de ---

# ipfw show
00100 228070727002 277397011152705 nat tablearg ip4 from any to any flow table(natin) recv ext in
00200 247814016293 35467809536790 nat tablearg ip4 from any to any flow table(natout) xmit ext out

# cat /etc/firewall.rules
nat 1 config ip a.b.c.48 same_ports
nat 2 config ip a.b.d.48 same_ports
...
nat 127 config ip x.y.z.46 same_ports
nat 128 config ip x.y.z.47 same_ports

table natin create type flow:dst-ip valtype nat
table natin setmask 255.255.255.255
table natin add a.b.c.48 1
table natin add a.b.d.48 2
...
table natin add x.y.z.46 127
table natin add x.y.z.47 128

table natout create type flow:src-ip valtype nat
table natout setmask 255.192.0.127
table natout add 100.64.0.0 1
table natout add 100.64.0.1 2
...
table natout add 100.64.0.126 127
table natout add 100.64.0.127 128

There are multiple machines doing this (with different NAT IPs).

I'm going to extend the flow in the following way in order to reuse the ports much more:

table natin create type flow:src-ip,proto,src-port,dst-ip valtype nat
table natin setmask 0.0.15.0,1,3,255.255.255.255

table natout create type flow:src-ip,proto,dst-ip,dst-port valtype nat
table natout setmask 255.192.0.127,1,0.0.15.0,3

Yes, this generates 128 (NAT-IPs) * 2 (Protocol) * 16 (dest-ip) * 4 (dest-port) = 16384 NAT tables. Depending on the available RAM, I'll extend the masks further.

But I do need a different NAT table selection algorithm for this approach; the current linked list needs to be replaced by a much more efficient access scheme. I'll send this patch later.