On Tue, Apr 08, 2008 at 11:59:11PM -0700, Adam Richards wrote:
> Maybe a pf.conf knob that allows me to turn off stateful tracking
> for a particular "nat on <iface> ..." rule?

Ah, you keep mentioning 'nat' and 'rdr', which confused me before, but I
guess what you're actually talking about is called 'binat' in pf:

binat
    A binat rule specifies a bidirectional mapping between an external
    IP netblock and an internal IP netblock.

You're right, it should be relatively easy to give binat a 'no state'
option...

But not for a /18 of arbitrary mappings with a high rate of change.
With the current translation code this would require a rule for every
mapping, and every packet is going to require a linear search of this
ruleset.  Fixing this is going to require fairly major changes to how
binat works.  Are you willing to pay someone to make this happen?

BTW: What kind of packet forwarding rate are you hoping to get with this
solution? Much of pf's performance comes from the fact that packets
matching state entries are not evaluated against the ruleset.

-Ryan

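To make the distinction in Ryan's reply concrete, here is an added pf.conf fragment (not from the original thread; the interface name and the RFC 5737 / RFC 1918 addresses are invented for illustration). It shows the one-rule case binat handles well, a single external netblock mapped onto a same-sized internal netblock, beside the per-host form that a /18 of arbitrary mappings would require, where every packet that does not already match a state entry is checked against each translation rule in order:

```pf
# Added example, not from the original mailing-list post.
# Assumes OpenBSD 4.3-era pf syntax, where translation rules (nat/rdr/binat)
# are listed before filter rules and are matched first-match, top to bottom.
ext_if = "em0"                      # hypothetical external interface

# Case 1: one bidirectional mapping of a whole netblock.
# binat requires both netblocks to be the same size (/24 <-> /24 here);
# host 10.1.2.7 is reachable as 192.0.2.7 and vice versa.
binat on $ext_if from 10.1.2.0/24 to any -> 192.0.2.0/24

# Case 2: arbitrary per-host mappings.  Each one is a separate rule, and a
# packet without a matching state entry is compared against every rule
# above the one that finally matches.  Sixteen thousand of these for a /18
# is exactly the linear search the reply warns about.
binat on $ext_if from 10.1.3.1 to any -> 198.51.100.200
binat on $ext_if from 10.1.3.2 to any -> 198.51.100.14
binat on $ext_if from 10.1.3.3 to any -> 198.51.100.77
# ... one rule per mapping ...

# Filter rules.  In pf of this vintage "pass" keeps state by default, so
# after the first packet of a connection the remaining packets hit the
# state table and skip both the translation and the filter ruleset.  That
# is the fast path the reply refers to; a "no state" translation option
# would give it up for every packet of the flow.
pass in  on $ext_if inet proto tcp from any to 192.0.2.0/24 port 22
pass out on $ext_if inet from 10.1.2.0/24 to any
pass in  on $ext_if inet proto tcp from any to 198.51.100.0/24 port 443
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; the parser will reject a binat rule whose two netblocks differ in size. To watch how much traffic actually takes the fast path, compare the `state-mismatch` and `match` counters in `pfctl -si` against the packet counts in `pfctl -vsr` on a running box.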