Date: Mon, 15 May 2017 21:16:29 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 219316] Wildcard matching of ipfw flow tables
Message-ID: <bug-219316-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219316

Bug ID: 219316
Summary: Wildcard matching of ipfw flow tables
Product: Base System
Version: 11.0-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: lutz@donnerhacke.de

For Carrier Grade NAT environments any simple NAT table selection is not usable:

1) Large Scale NAT violates the happy eyeball requirement, that a given client should always use the same external IP while communicating to a given service.

2) Mapping all customers to a single IP does not work either, because there are too many connections originating from those customers.

Consequently a deterministically selected group of clients has to share the same NAT table using a single external IP. A typical approach is to use wildcards to match the right NAT instance:

add 2100 nat 100 ipv4 from 100.64.0.0:255.192.0.63 to any xmit ext out
add 2101 nat 101 ipv4 from 100.64.0.1:255.192.0.63 to any xmit ext out
add 2102 nat 102 ipv4 from 100.64.0.2:255.192.0.63 to any xmit ext out
...

This approach is inefficient; tables could help. But tables do not support wildcard masking of lookup data. With such a wildcard mask, especially the flow tables could greatly improve performance.

-- 
You are receiving this mail because:
You are the assignee for the bug.
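The wildcard-mask selection the report sketches can be checked offline. The following Python is an added example, not code from the bug report or from FreeBSD: it reproduces how an `addr:mask` wildcard rule matches (only bits set in the mask are compared), derives the NAT instance a client deterministically lands in under the mask 255.192.0.63 (the low six bits of the last octet, so 64 groups across 100.64.0.0/10), generates the 64 rules the report abbreviates with "...", and verifies that a sample of prefix addresses each hits exactly one rule. The function names, the rule/instance numbering base (2100/100, taken from the report's first rule) and the sampled addresses are constructed for the example.

```python
import ipaddress

# Constructed example values; prefix and mask mirror the rules in the bug report.
CGNAT_PREFIX = ipaddress.ip_network("100.64.0.0/10")
WILDCARD_MASK = "255.192.0.63"
GROUPS = 64  # the mask keeps six low bits of the last octet: 2**6 groups


def rule_matches(addr: str, pattern: str, mask: str = WILDCARD_MASK) -> bool:
    """True if addr matches 'pattern:mask' the way an ipfw wildcard mask does:
    only the bits set in the mask are compared, the rest are don't-care."""
    a = int(ipaddress.ip_address(addr))
    p = int(ipaddress.ip_address(pattern))
    m = int(ipaddress.ip_address(mask))
    return (a & m) == (p & m)


def nat_instance_for(addr: str, base: int = 100) -> int:
    """Deterministic NAT instance for a client: base + (last octet & 63).
    Clients that differ only in the top two bits of the last octet or in the
    middle octets share an instance, and therefore one external IP."""
    a = ipaddress.ip_address(addr)
    if a not in CGNAT_PREFIX:
        raise ValueError(f"{addr} is outside {CGNAT_PREFIX}")
    return base + (int(a) & 0x3F)


def generate_rules(first_rule: int = 2100, first_nat: int = 100) -> list:
    """Emit the 64 ipfw rules the report abbreviates (constructed text,
    not output of ipfw itself)."""
    rules = []
    for i in range(GROUPS):
        rules.append(
            f"add {first_rule + i} nat {first_nat + i} ipv4 "
            f"from 100.64.0.{i}:{WILDCARD_MASK} to any xmit ext out"
        )
    return rules


def check_partition(sample: int = 4096) -> bool:
    """Sanity check: each sampled prefix address matches exactly one rule,
    and that rule agrees with nat_instance_for()."""
    patterns = [f"100.64.0.{i}" for i in range(GROUPS)]
    for k in range(sample):
        # Stride through the prefix so the sample is not just the first /20.
        addr = str(CGNAT_PREFIX[(k * 65537) % CGNAT_PREFIX.num_addresses])
        hits = [i for i, p in enumerate(patterns) if rule_matches(addr, p)]
        if len(hits) != 1 or 100 + hits[0] != nat_instance_for(addr):
            return False
    return True


if __name__ == "__main__":
    for rule in generate_rules()[:3]:
        print(rule)
    print("partition consistent:", check_partition())
```

The check is the part worth keeping around when adapting the mask: any change to the wildcard bits must still leave every client address in exactly one group, otherwise some flows would match no NAT instance or, with overlapping groups, the first rule in order would silently win.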