Large scale NAT problems
Max Laier
max at love2party.net
Tue Dec 16 04:56:32 PST 2003
On Tuesday 16 December 2003 10:40, Andriy Korud wrote:
> Quoting Attila Nagy <bra at fsn.hu>:
> > Andriy Korud wrote:
> > > The problem is that when traffic grows to 10Mbit and number of active
> > > NAT sessions reach 70000, CPU usage exponentially grows and system
> > > spends all CPU time in interrupts handling.
> > > The system becomes completely unresponsive and unusable and only hard
> > > reset is the solution.
> >
> > Did you try OpenBSD's pf?
>
> Is it ported to 4.9-STABLE?
> How can I configure and try it?
>
> Andriy
It's in the KAME snapkits, AFAIK.
A port for DragonFlyBSD is on my site:
(1) http://pf4freebsd.love2party.net/pfil.diff.gz
(2) http://pf4freebsd.love2party.net/pf_df_test.tar.gz
Apply (1) to the tree, build GENERIC kernel with at least:
options PFIL_HOOKS
options bpf
options RANDOM_IP_ID #this is a great default, btw
install includes (or copy sys/net/pfil.h to /usr/net/pfil.h).
Extract (2) and issue:
make && make install
now you should be able to:
kldload pfsync
kldload pflog
kldload pf
mknod pf c 73 0 root:wheel
and have fun with pfctl and friends.
This _might_ run on 4.x as well, but I think you'll have to work around a few
minors to get it working in 4.9.
--
Best regards, | max at love2party.net
Max Laier | ICQ #67774661
http://pf4freebsd.love2party.net/ | mlaier at EFnet #DragonFlyBSD
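The build steps above hinge on the kernel config carrying the three lines the post lists before `make` is run; a missing one shows up only as a module that fails to load or a pfil hook that is never called. The following pre-flight script is an added example, not code from the original post or from the pf4freebsd project: it checks a kernel config file for those options (accepting `options`, `device` or `pseudo-device` as the keyword, since bpf is commonly enabled as a pseudo-device), reports what is missing, and can append the absent lines. The function names and the sample config it builds for its demo are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check of a kernel
# config before building the pf-enabled kernel described in the message.
# Assumed helper names: check_pf_kernconf / add_pf_kernconf.

# Options the post requires. RANDOM_IP_ID randomizes the IP identification
# field instead of using a sequential counter, which is why the post calls it
# a good default.
PF_KERN_OPTS="PFIL_HOOKS bpf RANDOM_IP_ID"

# Does $2 appear as an enabled kernel option/device in config file $1?
# Lines commented out with '#' are ignored; a trailing comment is allowed.
has_kern_opt() {
    grep -Eq "^[[:space:]]*(options|device|pseudo-device)[[:space:]]+$2([[:space:]]|$)" "$1"
}

# Return 0 if every required option is present in the config file $1,
# otherwise list the missing ones on stderr and return 1.
check_pf_kernconf() {
    conf="$1"
    missing=""
    for opt in $PF_KERN_OPTS; do
        has_kern_opt "$conf" "$opt" || missing="$missing $opt"
    done
    if [ -n "$missing" ]; then
        echo "missing kernel options:$missing" >&2
        return 1
    fi
    return 0
}

# Append only the absent required lines to config file $1.
add_pf_kernconf() {
    conf="$1"
    for opt in $PF_KERN_OPTS; do
        has_kern_opt "$conf" "$opt" || printf 'options\t%s\n' "$opt" >> "$conf"
    done
}

# Demo on a constructed sample config (not a real GENERIC file).
if [ "${1:-}" = "--demo" ]; then
    sample=$(mktemp)
    printf 'ident\tGENERIC\noptions\tPFIL_HOOKS\n#options\tbpf\n' > "$sample"
    check_pf_kernconf "$sample" || add_pf_kernconf "$sample"
    cat "$sample"
    rm -f "$sample"
fi
```

Run it as `sh preflight.sh --demo` to see the sample config completed, or source it and call `check_pf_kernconf /path/to/KERNCONF` before building; a non-zero exit with the missing names on stderr is the signal to stop before `make`.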
More information about the freebsd-net mailing list