HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)
SIZE OF NAT RULES HASH TABLE 1024
SIZE OF RDR RULE HASH TABLE 2047
List of active sessions
MAP 20.20.1.1 59034 <- -> 10.10.1.2 59034 [10.10.1.1 23]
When ipnat_largenat_enable is disabled.
$ ipnat -hl
List of active MAP/Redirect filters:
1 map lan1 20.20.1.1/32 -> 10.10.1.2/32 tag test-tag
List of active sessions
MAP 20.20.1.1 59034 <- -> 10.10.1.2 59034 [10.10.1.1 23]
General tuning recommendations
It is recommended to set ipnat_nat_rules, ipnat_rdr_rules,
ipnat_nat_table_size, and ipnat_hostmap_size to prime numbers. This results in
better distribution of elements inside the different hash tables.
ipnat_nat_table_size
You must tune the HASH table sizes according to the load on the NAT server. If the NAT server is
intended to handle more than 16383 connections, it is recommended to set the
ipnat_nat_table_size HASH table size to its maximum value.
For example:
If the NAT server is expected to handle up to 10000 connections, it is recommended to set the
value of ipnat_nat_table_size to 10007, the next prime number after 10000. Tuning it to
a larger value results in increased usage of kernel memory.
ipnat_nat_rules and ipnat_rdr_rules
The HASH table sizes ipnat_nat_rules and ipnat_rdr_rules must be tuned according to the
number of rules in the NAT configuration files. If the rule set is expected to contain fewer than
127 rules, it is recommended to leave ipnat_nat_rules and ipnat_rdr_rules at the default of 127.
If there are more than 127 rules, it is recommended to tune the size according to the number
of rules.
For example:
For 500 NAT or RDR rules, it is recommended to set ipnat_nat_rules and
ipnat_rdr_rules to 503 (the next prime number after 500). If the rule set contains more than
2047 rules, set these tunables to the maximum, that is, 2047.
ipnat_hostmap_size
The hostmap HASH table is used internally by the IPFilter NAT system to store the entries of the
SRC to DST mapping and the DST to SRC mapping. It is recommended to set this tunable to half the
value of the ipnat_nat_table_size tunable or, more precisely, to the next prime number.
For example:
If ipnat_nat_table_size is set to 10007, it is recommended to set ipnat_hostmap_size
to half that value, that is, 5003 (the next prime number after 5000). If the NAT system is expected
to handle more than 16383 connections, set ipnat_hostmap_size to the maximum value of 8191.
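The sizing rules in the recommendations above can be scripted. The following POSIX shell script is an added example, not part of the HP guide: the function names are hypothetical, MAX is a placeholder because this section does not state the maximum value of ipnat_nat_table_size, and the sample load is constructed from the guide's own examples.

```sh
#!/bin/sh
# Added example, not from the HP guide: derive the NAT hash table tunables
# from expected load. Limits (127, 2047, 16383, 8191) are those in this section.
# Smallest prime >= $1, by trial division (inputs here are small).
prime_ge() {
    pg_n=$1
    if [ "$pg_n" -lt 2 ]; then pg_n=2; fi
    while :; do
        pg_i=2; pg_ok=1
        while [ $((pg_i * pg_i)) -le "$pg_n" ]; do
            if [ $((pg_n % pg_i)) -eq 0 ]; then pg_ok=0; break; fi
            pg_i=$((pg_i + 1))
        done
        if [ "$pg_ok" -eq 1 ]; then echo "$pg_n"; return 0; fi
        pg_n=$((pg_n + 1))
    done
}

# "The next prime number after N", as the guide words it.
next_prime() { prime_ge $(($1 + 1)); }

# ipnat_nat_rules or ipnat_rdr_rules, from the number of rules of that type.
rule_hash_size() {
    if [ "$1" -lt 127 ]; then echo 127; return 0; fi    # stay at the default
    if [ "$1" -gt 2047 ]; then echo 2047; return 0; fi  # maximum
    rh=$(next_prime "$1")
    if [ "$rh" -gt 2047 ]; then rh=2047; fi  # e.g. 2040 rules -> 2053, clamp
    echo "$rh"
}

# ipnat_nat_table_size, from expected NAT connections. Above 16383 the guide
# says "maximum value" without giving the number, so MAX is a placeholder.
nat_table_size() {
    if [ "$1" -gt 16383 ]; then echo MAX; else next_prime "$1"; fi
}

# ipnat_hostmap_size: prime at or above half of ipnat_nat_table_size (assumed
# reading of "half ... or the next prime number"), capped at 8191.
hostmap_size() {
    hm_t=$(nat_table_size "$1")
    if [ "$hm_t" = MAX ]; then echo 8191; return 0; fi
    hm=$(prime_ge $((hm_t / 2)))
    if [ "$hm" -gt 8191 ]; then hm=8191; fi
    echo "$hm"
}

# Constructed sample load: 10000 connections, 500 MAP rules, 50 RDR rules.
printf 'ipnat_nat_table_size=%s ipnat_hostmap_size=%s ipnat_nat_rules=%s ipnat_rdr_rules=%s\n' \
    "$(nat_table_size 10000)" "$(hostmap_size 10000)" "$(rule_hash_size 500)" "$(rule_hash_size 50)"
```

The values are only computed and printed; apply them with the tunable mechanism documented elsewhere in the guide.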
fr_tcpidletimeout
In environments where a high number of NAT connections is expected, it is recommended
to set fr_tcpidletimeout to 10 minutes or lower. However, you can customize this according
LARGE NAT support in IPFilter (HP-UX 11iV3 only) 53