From owner-freebsd-bugs@freebsd.org Mon May 15 21:16:29 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 219316] Wildcard matching of ipfw flow tables
Date: Mon, 15 May 2017 21:16:29 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-STABLE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: lutz@donnerhacke.de
X-Bugzilla-Status: New
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
List-Id: Bug reports
X-List-Received-Date: Mon, 15 May 2017 21:16:29 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219316

            Bug ID: 219316
           Summary: Wildcard matching of ipfw flow tables
           Product: Base System
           Version: 11.0-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: lutz@donnerhacke.de

For Carrier Grade NAT environments any simple NAT table selection is not
usable:

1) Large Scale NAT violates the Happy Eyeballs requirement that a given
   client should always use the same external IP while communicating with a
   given service.

2) Mapping all customers to a single IP does not work either, because there
   are too many connections originating from those customers.

Consequently, a deterministically selected group of clients has to share the
same NAT table using a single external IP.

A typical approach is to use wildcards to match the right NAT instance:

  add 2100 nat 100 ipv4 from 100.64.0.0:255.192.0.63 to any xmit ext out
  add 2101 nat 101 ipv4 from 100.64.0.1:255.192.0.63 to any xmit ext out
  add 2102 nat 102 ipv4 from 100.64.0.2:255.192.0.63 to any xmit ext out
  ...

This approach is inefficient; tables could help. But tables do not support
wildcard masking of lookup data. With such a wildcard mask, especially the
flow tables could greatly improve performance.

-- 
You are receiving this mail because:
You are the assignee for the bug.