From owner-freebsd-net@FreeBSD.ORG Tue Dec 16 04:56:32 2003
From: Max Laier
To: Andriy Korud, Attila Nagy
cc: freebsd-net@freebsd.org
Date: Tue, 16 Dec 2003 13:56:27 +0100
Subject: Re: Large scale NAT problems
User-Agent: KMail/1.5.4
References: <1071564482.3fdec6c2ac5fb@isp.polynet.lviv.ua> <3FDED125.4000304@fsn.hu> <1071567611.3fded2fb8d601@isp.polynet.lviv.ua>
In-Reply-To: <1071567611.3fded2fb8d601@isp.polynet.lviv.ua>
Message-Id: <200312161356.27022.max@love2party.net>
List-Id: Networking and TCP/IP with FreeBSD

On Tuesday 16 December 2003 10:40, Andriy Korud wrote:
> Quoting Attila Nagy :
> > Andriy Korud wrote:
> > > The problem is that when traffic grows to 10Mbit and number of active
> > > NAT sessions reach 70000, CPU usage exponentially grows and system
> > > spends all CPU time in interrupts handling.
> > > The system become completely unresponsive and unusable and only hard
> > > reset is the solution.
> >
> > Did you try OpenBSD's pf?
>
> Is it ported to 4.9-STABLE?
> How can I configure and try it?
>
> Andriy

It's in the KAME snapkits, AFAIK. A port for DragonFlyBSD is on my site:

(1) http://pf4freebsd.love2party.net/pfil.diff.gz
(2) http://pf4freebsd.love2party.net/pf_df_test.tar.gz

Apply (1) to the tree, build GENERIC kernel with at least:

    options PFIL_HOOKS
    options bpf
    options RANDOM_IP_ID   # this is a great default, btw

install includes (or copy sys/net/pfil.h to /usr/net/pfil.h).

Extract (2) and issue:

    make && make install

now you should be able to:

    kldload pfsync
    kldload pflog
    kldload pf
    mknod pf c 73 0 root:wheel

and have fun with pfctl and friends.

This _might_ run on 4.x as well, but I think you'll have to work around a few minors to get it working in 4.9.

-- 
Best regards,                     | max@love2party.net
Max Laier                         | ICQ #67774661
http://pf4freebsd.love2party.net/ | mlaier@EFnet #DragonFlyBSD
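Once pf is loaded as described above, the NAT box still needs a ruleset sized for the load Andriy describes. The following pf.conf is an added example for the OpenBSD 3.x-era pf of that port; it is not from the mail or from the pf4freebsd project, and the interface names and internal network are assumptions:

```conf
# Constructed example pf.conf (not part of the original mail or the pf4freebsd port).
# fxp0/fxp1 and 192.168.0.0/16 are assumed; substitute the real interfaces and network.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "192.168.0.0/16"

# pf's default state table holds 10000 entries. A box carrying ~70000
# active NAT sessions exhausts that and new connections are dropped,
# so raise the limit to the real peak plus margin (it costs kernel memory).
set limit states 100000
# Expire idle states sooner so the table tracks live sessions, not dead ones.
set optimization aggressive

# Reassemble fragments once, before translation.
scrub in all

# Translate traffic from the internal network to the external interface address.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny; permit only what the NAT box is meant to forward.
# On this pf version state must be requested explicitly with "keep state".
block in all
pass in  on $int_if from $int_net to any keep state
pass out on $ext_if from any to any keep state
```

Load it with `pfctl -f /etc/pf.conf` and enable pf with `pfctl -e`; `pfctl -si` reports the current number of state entries, which is the figure to compare against the configured limit when the session count climbs.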