[Shorewall-users] Large number of SNAT'd addresses loads very slowly

Clint Miller cmiller at tigerbyte.com
Tue Dec 9 22:16:07 PST 2003


We use openvpn and shorewall extensively and it all works very well.  We have 
a need to SNAT many address behind shorewall firewalls to private addresses 
on our tunneled interface so we can prevent address clashing on our VPN.  In 
small installations (10s of addresses to nat) this works well.  In large 
installations (100s of addresses on multiple lans) shorewall still works but 
slows to a crawl during the "Adding IP Addresses"  in the "Activating Rules" 
phase.   For instance one of our sites has 4 class C networks that we nat to 
comply with our VPN addressing.  It takes over 45 minutes to load on a PIII 
with 512MB ram with a load well under 0.5.   Below is the section where 
shorewall begins to slow.

---snip---
Processing /etc/shorewall/ecn...
Activating Rules...
Adding IP Addresses...
   IP Address 10.3.9.1 added to interface tun1
   IP Address 10.3.9.2 added to interface tun1
   IP Address 10.3.9.3 added to interface tun1
---snip---

This goes on for all 4 class Cs and begins to slow after adding about 20 
addresses.

My instinct is that this is a kernel-ism.  Is there something we can tweak in 
our kernel or can we speed up the loading through shorewall alone?

This particular kernel in 2.4.18.

Thanks for any hints!
-- 
Clint Miller



More information about the Shorewall-users mailing list