Created attachment 183392 [details]
LibAlias RFC 4787 req 1 and 3 implementation

Implement NAT hole punching for UDP, as per RFC 4787 requirements 1 and 3, creating an endpoint-independent mapping NAT, also known as an (address- and port-restricted) cone NAT.

Outgoing links are now hashed only on source IP/port, so they can be searched using only those, allowing us to find and reuse the alias address/port already in use by the packet's source address/port. When new links are allocated, we also search for an alias address/port that is not used by any link.

Also updated the man page to reflect this.

Please also see the related bug 219803, which implements the same feature in PF.
(In reply to Damjan Jovanovic from comment #0)

Your patch makes a significant change unconditionally, and the change may present a regression for other use cases:

- it can degrade performance of the libalias hash function, which is not perfect already;
- it decreases the port variance of translated traffic, which can degrade performance of L3 channel load distribution.

Note that libalias already has a flag PKT_ALIAS_SAME_PORTS (natd -same_ports or ipfw nat config same_ports) to somewhat change the port translation rules. Please make your change conditional using a new flag for the new translation mode.
As a (small) natd user, I'd like to comment: having the better/more correct behaviour is more important than performance, if the performance and side effects are documented in the man page and if there's a way to change the default for performance and no side effects.
Thank you. I do want good performance, and am thinking of better solutions. Maybe a new hash table, that's only on alias address:port, instead of changing the existing one to that. Or a bitfield of 65536 bits for ports in use, that could provide guaranteed O(1) lookups. I do need to understand that code better first though.
Created attachment 183455 [details]
Version 2

New version of the patch. Existing hash tables and hash functions aren't changed; instead, a new one is added for searching on source IP:port alone. Thus the performance of existing operations is unaffected.
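As an added illustration of the mapping behaviour discussed in comments #0, #3 and #4 (not code from the patch or from libalias itself): a toy endpoint-independent mapping table that keys outgoing links on the internal source IP:port only, so the same alias port is reused no matter which destination the source talks to (RFC 4787 REQ-1), and that allocates alias ports from a 65536-bit bitmap so that no two internal endpoints ever share an alias port (REQ-3, no port overloading). The struct layout, the open-addressing hash, the port range and the function names are all assumptions of this example.

```c
/*
 * Toy endpoint-independent mapping (EIM) NAT table. Added example, not
 * libalias code: every name and data structure here is an assumption.
 * Outgoing links are keyed on source IP:port alone; the destination is
 * deliberately ignored. A bitmap of 65536 bits records alias ports in use.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBUCKETS        64          /* toy table size, open addressing */
#define ALIAS_PORT_MIN  1024        /* assumed dynamic alias port range */
#define ALIAS_PORT_MAX  65535

struct eim_link {
    uint32_t src_ip;                /* internal source address, host order */
    uint16_t src_port;
    uint16_t alias_port;            /* translated source port on the alias address */
    bool     used;
};

struct eim_nat {
    struct eim_link table[NBUCKETS];
    uint32_t port_bitmap[65536 / 32];   /* bit set => alias port already taken */
    uint16_t next_port;                 /* hint for the free-port search */
};

/* Hash only the source tuple: that is what makes a lookup possible
   without knowing the destination. */
static unsigned eim_hash(uint32_t ip, uint16_t port) {
    uint32_t h = ip * 2654435761u ^ ((uint32_t)port * 40503u);
    return (h >> 16) % NBUCKETS;
}

static void port_set(struct eim_nat *n, uint16_t p) { n->port_bitmap[p >> 5] |= 1u << (p & 31); }
static bool port_busy(const struct eim_nat *n, uint16_t p) { return (n->port_bitmap[p >> 5] >> (p & 31)) & 1u; }

void eim_init(struct eim_nat *n) {
    memset(n, 0, sizeof *n);
    n->next_port = ALIAS_PORT_MIN;
}

/* Pick an alias port not used by any link (REQ-3: no port overloading).
   Returns 0 when the whole range is exhausted. */
static uint16_t alloc_alias_port(struct eim_nat *n) {
    for (unsigned i = 0; i < (unsigned)(ALIAS_PORT_MAX - ALIAS_PORT_MIN + 1); i++) {
        uint16_t p = n->next_port;
        n->next_port = (p == ALIAS_PORT_MAX) ? ALIAS_PORT_MIN : (uint16_t)(p + 1);
        if (!port_busy(n, p)) { port_set(n, p); return p; }
    }
    return 0;
}

/* Translate the source of an outgoing UDP packet. dst_ip/dst_port are
   accepted for realism but ignored (REQ-1: endpoint-independent mapping).
   Returns the alias port, or 0 if no link slot or alias port is free. */
uint16_t eim_outgoing(struct eim_nat *n, uint32_t src_ip, uint16_t src_port,
                      uint32_t dst_ip, uint16_t dst_port) {
    (void)dst_ip; (void)dst_port;
    unsigned b = eim_hash(src_ip, src_port);
    for (unsigned i = 0; i < NBUCKETS; i++) {
        struct eim_link *l = &n->table[(b + i) % NBUCKETS];
        if (l->used && l->src_ip == src_ip && l->src_port == src_port)
            return l->alias_port;           /* reuse the existing mapping */
        if (!l->used) {
            uint16_t ap = alloc_alias_port(n);
            if (ap == 0) return 0;
            l->used = true; l->src_ip = src_ip; l->src_port = src_port; l->alias_port = ap;
            return ap;
        }
    }
    return 0;                               /* table full */
}

/* Reverse lookup for an inbound packet addressed to alias_port. With EIM
   the remote endpoint is irrelevant here too; any filtering of unknown
   senders (the "restricted cone" part) is a separate decision. Linear
   scan in this toy; a real table would hash on the alias side as well. */
bool eim_incoming(const struct eim_nat *n, uint16_t alias_port,
                  uint32_t *src_ip, uint16_t *src_port) {
    for (unsigned i = 0; i < NBUCKETS; i++) {
        const struct eim_link *l = &n->table[i];
        if (l->used && l->alias_port == alias_port) {
            *src_ip = l->src_ip; *src_port = l->src_port;
            return true;
        }
    }
    return false;
}

int main(void) {
    struct eim_nat n;
    eim_init(&n);
    /* Constructed sample traffic: 10.0.0.2:40000 talks to two DNS servers. */
    uint16_t a = eim_outgoing(&n, 0x0A000002u, 40000, 0x08080808u, 53);
    uint16_t b = eim_outgoing(&n, 0x0A000002u, 40000, 0x01010101u, 53);
    printf("same source, two destinations -> alias ports %u and %u\n", a, b);
    return 0;
}
```

The reuse in `eim_outgoing` is exactly the property the later comments object to: one internal socket that talks to many peers consumes one alias port instead of one per destination, which is the loss of port variance they describe.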
(In reply to Damjan Jovanovic from comment #4)

Your new patch is much better, but it still decreases the translated port variance unconditionally, whether or not it is needed for an installation. Please create a new libalias translation mode and make it possible for the libalias consumer (natd or ipfw nat) to enable/disable it.
(In reply to Damjan Jovanovic from comment #4)

For example, this may be particularly bad for DNS UDP traffic.