[Shorewall-users] Large number of SNAT'd addresses loads very slowly

Clint Miller cmiller.lists at tigerbyte.com
Wed Dec 10 10:19:03 PST 2003


BTW, we're running Shorewall v1.4.8.

On Tuesday 09 December 2003 22:16, Clint Miller wrote:
> We use openvpn and shorewall extensively and it all works very well.  We
> have a need to SNAT many addresses behind shorewall firewalls to private
> addresses on our tunneled interface so we can prevent address clashing on
> our VPN.  In small installations (10s of addresses to nat) this works well.
> In large installations (100s of addresses on multiple lans) shorewall
> still works but slows to a crawl during the "Adding IP Addresses" in the
> "Activating Rules" phase.  For instance one of our sites has 4 class C
> networks that we nat to comply with our VPN addressing.  It takes over 45
> minutes to load on a PIII with 512MB ram with a load well under 0.5.
> Below is the section where shorewall begins to slow.
>
> ---snip---
> Processing /etc/shorewall/ecn...
> Activating Rules...
> Adding IP Addresses...
>    IP Address 10.3.9.1 added to interface tun1
>    IP Address 10.3.9.2 added to interface tun1
>    IP Address 10.3.9.3 added to interface tun1
> ---snip---
>
> This goes on for all 4 class Cs and begins to slow after adding about 20
> addresses.
>
> My instinct is that this is a kernel-ism.  Is there something we can tweak
> in our kernel or can we speed up the loading through shorewall alone?
>
> This particular kernel is 2.4.18.
>
> Thanks for any hints!
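The post describes a planning problem (checking that LAN ranges do not clash with the VPN address space, then assigning each LAN host a unique NAT-side address on the tunnel interface) and an operational one (adding hundreds of addresses one at a time). The script below is an added illustration of that planning step and is not Shorewall code or anything from the original thread. It assumes 1:1 SNAT (one NAT address per LAN host), uses constructed sample subnets, and emits lines for `ip -batch`, which reads many iproute2 commands from one file in a single process; `-batch` is a later iproute2 feature than the 2003 setup in the post, so treat that part as an assumption about a modern system.

```python
import ipaddress


def find_clashes(local_nets, vpn_nets):
    """Return [(local, vpn)] CIDR pairs whose ranges overlap.

    An empty list means the LANs can be routed over the VPN as-is; any
    overlap is the "address clashing" the post works around with SNAT.
    Arguments are CIDR strings.
    """
    clashes = []
    for local in map(ipaddress.ip_network, local_nets):
        for vpn in map(ipaddress.ip_network, vpn_nets):
            if local.overlaps(vpn):
                clashes.append((str(local), str(vpn)))
    return clashes


def plan_one_to_one(local_nets, nat_pool):
    """Map every usable host in local_nets to a unique address from nat_pool.

    Returns {local_ip: nat_ip} as strings. Raises ValueError if the pool
    has fewer usable hosts than the LANs, so an undersized pool is caught
    before any address is touched on the firewall.
    """
    pool = iter(ipaddress.ip_network(nat_pool).hosts())
    mapping = {}
    for net in map(ipaddress.ip_network, local_nets):
        for host in net.hosts():
            nat = next(pool, None)
            if nat is None:
                raise ValueError("NAT pool %s too small for %d+ hosts"
                                 % (nat_pool, len(mapping) + 1))
            mapping[str(host)] = str(nat)
    return mapping


def ip_batch_lines(mapping, iface):
    """Render one `ip -batch` line per NAT-side address.

    Feeding the whole list to `ip -batch FILE` adds the addresses in one
    iproute2 invocation instead of one process per address.
    """
    return ["address add %s/32 dev %s" % (nat, iface)
            for nat in mapping.values()]


if __name__ == "__main__":
    lans = ["10.3.9.0/24", "10.3.10.0/24"]  # constructed sample LANs
    vpn = ["10.3.0.0/16"]                    # constructed VPN address space
    print("clashes:", find_clashes(lans, vpn))
    plan = plan_one_to_one(lans, "172.31.0.0/23")  # constructed NAT pool
    for line in ip_batch_lines(plan, "tun1")[:3]:
        print(line)
```

Write the rendered lines to a file and apply them with `ip -batch FILE`; the clash check and pool-size check run entirely offline, so the plan can be validated before touching a production firewall.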



More information about the Shorewall-users mailing list