ipfw2 for dragonflybsd

Matthew Dillon dillon at apollo.backplane.com
Thu Dec 4 10:38:25 PST 2014


    On how to make NAT work, what I did in PF was this:

    (a) When the port is not locked to a particular number, I simply iterate
	ports until the Toeplitz hash for the translated address/port pair
	winds up on the same cpu as the Toeplitz hash of the original.

	This way both sides of the NAT conversation wind up on the same cpu
	and no locking is required.

    (b) If the translated port is locked (which is a feature that PF has,
	for example), it may not be possible to match up the Toeplitz hash.

	In this situation the state goes into a global table with a global
	lock, and the state is individually locked by the filter.
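
Added example, not part of the original post and not PF or DragonFly code: a sketch of the port search in (a), with the "no matching port" result standing in for the fallback in (b). The key value, the CPU count, the hash-to-cpu mapping and the names flow, flow_hash, flow_cpu and nat_pick_port are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define NCPUS 4u                 /* assumed power-of-two CPU count */
#define KEY   0x6d5a6d5au        /* constructed key with a 16-bit period */

struct flow { uint32_t src, dst; uint16_t sport, dport; };

/* Toeplitz hash over src|dst|sport|dport in network byte order. Because the
 * key repeats every 16 bits, sliding the 32-bit key window by one bit is a
 * rotate, and swapping the two endpoints leaves the hash unchanged. */
static uint32_t flow_hash(const struct flow *f)
{
    uint8_t in[12] = {
        f->src >> 24, f->src >> 16, f->src >> 8, f->src,
        f->dst >> 24, f->dst >> 16, f->dst >> 8, f->dst,
        f->sport >> 8, f->sport, f->dport >> 8, f->dport };
    uint32_t window = KEY, hash = 0;
    for (int i = 0; i < 12; i++)
        for (int b = 7; b >= 0; b--) {
            if ((in[i] >> b) & 1)
                hash ^= window;
            window = (window << 1) | (window >> 31);
        }
    return hash;
}

static unsigned flow_cpu(const struct flow *f) { return flow_hash(f) & (NCPUS - 1); }

/* Case (a): walk [lo, hi] until the translated flow hashes to the CPU of the
 * original. Returns 0 when no port fits, e.g. lo == hi for a locked port;
 * that is case (b), where the state goes to the globally locked table. */
static uint16_t nat_pick_port(const struct flow *orig, uint32_t nat_ip,
                              uint16_t lo, uint16_t hi)
{
    struct flow xl = *orig;
    xl.src = nat_ip;
    for (uint32_t p = lo; p <= hi; p++) {
        xl.sport = (uint16_t)p;
        if (flow_cpu(&xl) == flow_cpu(orig))
            return (uint16_t)p;
    }
    return 0;
}

int main(void)
{
    struct flow o = { 0xC0A8010Au, 0xCB007107u, 40000, 443 }; /* constructed */
    unsigned p = nat_pick_port(&o, 0xC6336401u, 1024, 65535);
    printf("cpu %u, translated port %u\n", flow_cpu(&o), p);
    return 0;
}
```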



