[Shorewall-users] Large number of SNAT'd addresses loads very
teastep at shorewall.net
Wed Dec 10 09:14:18 PST 2003
On Tuesday 09 December 2003 08:16 pm, Clint Miller wrote:
> For instance one of our sites has 4 class C
> networks that we nat to comply with our VPN addressing. It takes over 45
> minutes to load on a PIII with 512MB ram with a load well under 0.5.
> Below is the section where shorewall begins to slow.
>
> Processing /etc/shorewall/ecn...
> Activating Rules...
> Adding IP Addresses...
> IP Address 10.3.9.1 added to interface tun1
> IP Address 10.3.9.2 added to interface tun1
> IP Address 10.3.9.3 added to interface tun1
>
> This goes on for all 4 class Cs and begins to slow after adding about 20
> My instinct is that this is a kernel-ism. Is there something we can tweak
> in our kernel or can we speed up the loading through shorewall alone?
> This particular kernel is 2.4.18.
> Thanks for any hints!
I'm absolutely speechless that someone would even dream of adding that many
addresses to an interface.
Given that this is a tunnel and there are no ARP or broadcast issues involved,
I don't see any need to add the addresses at all. Have you tried it without
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net