[Shorewall-users] Large number of SNAT'd addresses loads very slowly

Tom Eastep teastep at shorewall.net
Wed Dec 10 09:14:18 PST 2003

On Tuesday 09 December 2003 08:16 pm, Clint Miller wrote:
> For instance one of our sites has 4 class C
> networks that we nat to comply with our VPN addressing.  It takes over 45
> minutes to load on a PIII with 512MB RAM with a load well under 0.5.
> Below is the section where shorewall begins to slow.
> ---snip---
> Processing /etc/shorewall/ecn...
> Activating Rules...
> Adding IP Addresses...
>    IP Address added to interface tun1
>    IP Address added to interface tun1
>    IP Address added to interface tun1
> ---snip---
> This goes on for all 4 class Cs and begins to slow after adding about 20
> addresses.
> My instinct is that this is a kernel-ism.  Is there something we can tweak
> in our kernel or can we speed up the loading through shorewall alone?
> This particular kernel is 2.4.18.
> Thanks for any hints!

I'm absolutely speechless that someone would even dream of adding that many 
addresses to an interface.

Given that this is a tunnel and there are no ARP or broadcast issues involved, 
I don't see any need to add the addresses at all. Have you tried it without 
doing that?

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net

