From owner-freebsd-bugs@freebsd.org Wed May 17 16:27:48 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 219316] Wildcard matching of ipfw flow tables
Date: Wed, 17 May 2017 16:27:48 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-STABLE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: lutz@donnerhacke.de
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Content-Type: text/plain; charset="UTF-8"
List-Id: Bug reports
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219316

--- Comment #7 from lutz@donnerhacke.de ---

# ipfw show
00100 228070727002 277397011152705 nat tablearg ip4 from any to any flow table(natin) recv ext in
00200 247814016293 35467809536790 nat tablearg ip4 from any to any flow table(natout) xmit ext out

# cat /etc/firewall.rules
nat 1 config ip a.b.c.48 same_ports
nat 2 config ip a.b.d.48 same_ports
...
nat 127 config ip x.y.z.46 same_ports
nat 128 config ip x.y.z.47 same_ports

table natin create type flow:dst-ip valtype nat
table natin setmask 255.255.255.255
table natin add a.b.c.48 1
table natin add a.b.d.48 2
...
table natin add x.y.z.46 127
table natin add x.y.z.47 128

table natout create type flow:src-ip valtype nat
table natout setmask 255.192.0.127
table natout add 100.64.0.0 1
table natout add 100.64.0.1 2
...
table natout add 100.64.0.126 127
table natout add 100.64.0.127 128

There are multiple machines doing this (with different NAT IPs).

I'm going to extend the flow in the following way in order to reuse the ports much more:

table natin create type flow:src-ip,proto,src-port,dst-ip valtype nat
table natin setmask 0.0.15.0,1,3,255.255.255.255
table natout create type flow:src-ip,proto,dst-ip,dst-port valtype nat
table natout setmask 255.192.0.127,1,0.0.15.0,3

Yes, this generates 128 (NAT-IPs) * 2 (Protocol) * 16 (dest-ip) * 4 (dest-port) = 16384 NAT tables. Depending on the available RAM, I'll extend the masks further.

But I do need a different NAT table selection algorithm for this approach; the current linked list needs to be replaced by a much more efficient access scheme. I'll send this patch later.

-- 
You are receiving this mail because:
You are the assignee for the bug.
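As an added illustration (not part of the bug report or of ipfw itself), this Python model applies the proposed natin/natout setmasks to a sample packet and its reply, reproduces the 128 * 2 * 16 * 4 = 16384 count from the comment, and checks that both directions of a flow land on the same NAT instance. The per-field bitwise-AND semantics, the /10 inside pool and the sample addresses (100.64.5.130, 203.0.113.77, 192.0.2.48) are assumptions made for the example.

```python
import ipaddress
# Added model of the ipfw flow-table lookup in the bug comment. Assumption
# (not stated there): ipfw ANDs each packet field with the matching setmask
# field and looks the result up in the table.

def ip_to_int(s): return int(ipaddress.IPv4Address(s))
def int_to_ip(n): return str(ipaddress.IPv4Address(n))
# The two proposed tables, as given in the comment:
#   natout: flow:src-ip,proto,dst-ip,dst-port  setmask 255.192.0.127,1,0.0.15.0,3
#   natin:  flow:src-ip,proto,src-port,dst-ip  setmask 0.0.15.0,1,3,255.255.255.255
NATOUT = (("src-ip", ip_to_int("255.192.0.127")), ("proto", 1),
          ("dst-ip", ip_to_int("0.0.15.0")), ("dst-port", 3))
NATIN = (("src-ip", ip_to_int("0.0.15.0")), ("proto", 1),
         ("src-port", 3), ("dst-ip", ip_to_int("255.255.255.255")))

def flow_key(pkt, table):
    """Masked key tuple the table lookup would use for this packet."""
    key = []
    for field, mask in table:
        v = pkt[field] & mask
        key.append(int_to_ip(v) if field.endswith("-ip") else v)
    return tuple(key)

def key_space(table, pool_prefix_len):
    """Distinct keys the masks can yield when src-ip comes from one pool of
    the given prefix length (the 100.64.0.x entries imply a /10 pool)."""
    total = 1
    for field, mask in table:
        if field == "src-ip":
            mask &= (1 << (32 - pool_prefix_len)) - 1  # pool prefix bits are fixed
        total *= 1 << bin(mask).count("1")
    return total

def remote_side_consistent(out_pkt, in_pkt):
    """Reply must pick the same NAT instance: the remote host's masked
    address and port slice have to agree between natout and natin keys."""
    k_out, k_in = flow_key(out_pkt, NATOUT), flow_key(in_pkt, NATIN)
    # natout = (inside-ip, proto, remote-ip, remote-port)
    # natin  = (remote-ip, proto, remote-port, public-ip)
    return (k_out[1], k_out[2], k_out[3]) == (k_in[1], k_in[0], k_in[2])

# Constructed sample: inside host 100.64.5.130 -> 203.0.113.77:443/TCP, and the
# reply arriving at a constructed public NAT address 192.0.2.48.
OUT = {"src-ip": ip_to_int("100.64.5.130"), "proto": 6,
       "dst-ip": ip_to_int("203.0.113.77"), "dst-port": 443}
IN = {"src-ip": ip_to_int("203.0.113.77"), "proto": 6,
      "src-port": 443, "dst-ip": ip_to_int("192.0.2.48")}
if __name__ == "__main__":
    print(flow_key(OUT, NATOUT))     # ('100.64.0.2', 0, '0.0.1.0', 3)
    print(key_space(NATOUT, 10))     # 16384, as the comment computes
```

A mask change that alters the remote-side fields in only one of the two tables makes remote_side_consistent() return False, which is the quickest way to catch an asymmetric setmask before deploying it.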