>> I'm unclear as to what "amount of state" iptables needs to keep
>
> After you do something like:
>    # iptables -t nat -A POSTROUTING  -p TCP -j MASQUERADE
> the Linux kernel module called nf_conntrack starts allocating
> data structures to do its job. I'll leave it up to you to see how much
> memory gets wasted on each connection. Here's a hint,
> though: /proc/net/nf_conntrack

I don't think Plan 9 is keeping any less state, is it?  As far as the
gateway is concerned, all of the connections from machines importing
its /net are the same as connections from local programs.  The TCP/IP
stack has to keep track of those, but Plan 9 doesn't need separate
connection tracking code for that because it's handled like any other
connection.

Plan 9 does need one extra connection per client and a process (or
two?) to do the export.  I think Eris is saying that this makes Plan
9's resource requirements grow with the number of hosts behind the
gateway -- not just with the number of connections through it like
Linux.  You're right, Eris, but I think you're missing the point:
importing /net gives you all the features you'd want from NAT (and
some it doesn't give you) without a single line of code specifically
written to make it happen.  It isn't an example of how you can handle
the most clients with the least hardware.  It's an example of how a
good design can give you features without having to code each one
individually.

Micah
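The quoted message points at /proc/net/nf_conntrack as the place to see what the kernel keeps per connection once MASQUERADE is in play. The script below is an added example, not part of the original thread: it parses a constructed sample of that file (the five lines in SAMPLE_CONNTRACK are made up, not captured from a real gateway), shows how a masqueraded connection is recognisable from its entry (the reply tuple is addressed to the gateway, not to the inside client), and checks the table against an assumed nf_conntrack_max. The warning thresholds are illustrative defaults, not kernel constants. Only port-based protocols (tcp/udp) are parsed; icmp entries carry type/code/id instead of ports and are skipped.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of /proc/net/nf_conntrack (not from a real host). Layout per line:
# l3proto l3num l4proto l4num timeout [tcp_state] <original tuple> [UNREPLIED] <reply tuple>
# [ASSURED] mark= zone= use=   -- 198.51.100.1 plays the gateway's public address.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431987 ESTABLISHED src=192.168.1.10 dst=203.0.113.20 sport=52344 dport=443 src=203.0.113.20 dst=198.51.100.1 sport=443 dport=52344 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=192.168.1.11 dst=203.0.113.21 sport=40001 dport=80 [UNREPLIED] src=203.0.113.21 dst=198.51.100.1 sport=80 dport=40001 mark=0 zone=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=192.168.1.11 dst=203.0.113.22 sport=40002 dport=80 [UNREPLIED] src=203.0.113.22 dst=198.51.100.1 sport=80 dport=40002 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.12 dst=198.51.100.53 sport=51000 dport=53 src=198.51.100.53 dst=198.51.100.1 sport=53 dport=51000 mark=0 zone=0 use=2
ipv4     2 tcp      6 60 TIME_WAIT src=198.51.100.1 dst=203.0.113.30 sport=33000 dport=22 src=203.0.113.30 dst=198.51.100.1 sport=22 dport=33000 [ASSURED] mark=0 zone=0 use=2
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
TCP_STATES = {"SYN_SENT", "SYN_RECV", "ESTABLISHED", "FIN_WAIT", "CLOSE_WAIT",
              "LAST_ACK", "TIME_WAIT", "CLOSE", "LISTEN"}


@dataclass
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class ConntrackEntry:
    l3: str
    l4: str
    timeout: int            # seconds left before the kernel frees this entry
    state: Optional[str]    # TCP state, None for stateless protocols such as udp
    orig: Tuple4            # tuple as seen from the host that opened the connection
    reply: Tuple4           # tuple the peer's replies carry, i.e. after NAT
    flags: List[str]        # ASSURED, UNREPLIED, ...

    @property
    def snat(self) -> bool:
        # MASQUERADE/SNAT rewrites the original source, so replies are addressed to
        # the gateway's address instead of to the inside client. A locally originated
        # connection has reply.dst == orig.src and is not translated.
        return self.reply.dst != self.orig.src

    @property
    def dnat(self) -> bool:
        return self.reply.src != self.orig.dst


def parse_entry(line: str) -> Optional[ConntrackEntry]:
    fields = line.split()
    if len(fields) < 6:
        return None
    l3, l4, timeout = fields[0], fields[2], int(fields[4])
    state = fields[5] if fields[5] in TCP_STATES else None
    tuples = [Tuple4(s, d, int(sp), int(dp)) for s, d, sp, dp in TUPLE_RE.findall(line)]
    if len(tuples) != 2:          # icmp and other port-less protocols: not handled here
        return None
    flags = re.findall(r"\[([A-Z]+)\]", line)
    return ConntrackEntry(l3, l4, timeout, state, tuples[0], tuples[1], flags)


def parse_conntrack(text: str) -> List[ConntrackEntry]:
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e is not None]


def summarize(entries: List[ConntrackEntry]) -> Dict[str, object]:
    return {
        "total": len(entries),
        "by_l4": Counter(e.l4 for e in entries),
        "by_tcp_state": Counter(e.state for e in entries if e.state),
        "snat": sum(1 for e in entries if e.snat),
        "unreplied": sum(1 for e in entries if "UNREPLIED" in e.flags),
    }


def table_pressure(entries: List[ConntrackEntry], nf_conntrack_max: int,
                   fill_warn: float = 0.8, half_open_warn: float = 0.5) -> Tuple[float, List[str]]:
    """Compare the table against nf_conntrack_max (/proc/sys/net/netfilter/nf_conntrack_max).
    Once the table is full the kernel drops new flows ("nf_conntrack: table full, dropping
    packet"), so every host behind the NAT loses new connections. The ratios are assumed
    illustrative thresholds, not kernel defaults."""
    warnings = []
    ratio = len(entries) / nf_conntrack_max
    if ratio >= fill_warn:
        warnings.append(f"table {ratio:.0%} full ({len(entries)}/{nf_conntrack_max})")
    tcp = [e for e in entries if e.l4 == "tcp"]
    half_open = [e for e in tcp if e.state == "SYN_SENT" and "UNREPLIED" in e.flags]
    if tcp and len(half_open) / len(tcp) >= half_open_warn:
        warnings.append(f"{len(half_open)}/{len(tcp)} tcp entries are half-open "
                        "(unanswered SYNs: scanning client or unreachable targets)")
    return ratio, warnings


if __name__ == "__main__":
    ents = parse_conntrack(SAMPLE_CONNTRACK)
    print(summarize(ents))
    print(table_pressure(ents, nf_conntrack_max=6))
```

On a real gateway, feed it `open("/proc/net/nf_conntrack").read()` (root needed) and the current value of nf_conntrack_max; the same parsing works for `conntrack -L -o extended` output, which uses the same tuple syntax.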
