When you are using LANforge as a virtual router doing NAT, you may need to see how many NAT table entries you are handling. This matters because each NAT entry consumes kernel memory, and if you want to handle 65,000 simultaneous connections you might be heading for trouble.
If your LANforge is only generating traffic, you won’t see NAT entries; instead, use netstat -ntp to see how many open connections there are.
LANforge uses iptables PREROUTING heavily, forcing each port to have its own set of tables. When you type iptables -nvL and see nothing, that’s because nothing is in the tables for your default route, which is probably eth0. You get closer with the raw table. Try iptables -S -t raw; you will see PREROUTING entries for every interface:
# iptables -S -t raw
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -i br2000 -j CT --zone 10001
-A PREROUTING -i eth1 -j CT --zone 10001
-A PREROUTING -i vap13 -j CT --zone 10001
-A PREROUTING -i vap14 -j CT --zone 10001
-A PREROUTING -i eth2 -j CT --zone 10001
This shows the PREROUTING rules handing each interface’s traffic to the CT target, with a conntrack zone noted on each rule.
When you create a virtual router and enable NAT on a port in it, you can view the NAT table entries with conntrack.
* conntrack -L will list them all, but that’s probably not super useful
If you’re running TCP-multicon connections, expect thousands of connections.
* conntrack -C will show how many NAT entries are present, so you can avoid doing a conntrack -L | wc -l
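To turn the conntrack -C count into something actionable, the script below (an added example, not from the original page or from LANforge) compares it against the kernel’s nf_conntrack_max and classifies how close the table is to filling. The 70% and 90% thresholds and the fallback numbers are constructed assumptions; on a real LANforge box it reads the live values.

```shell
#!/bin/sh
# Added example (not from the original page): report conntrack table
# utilisation so you notice before NAT entries exhaust nf_conntrack_max.
# Live data comes from `conntrack -C` and
# /proc/sys/net/netfilter/nf_conntrack_max; fallback values are constructed.

# Percentage of the conntrack table in use (integer arithmetic).
conntrack_usage_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || { echo "nf_conntrack_max must be > 0" >&2; return 1; }
    echo $(( count * 100 / max ))
}

# Classify utilisation: ok below 70%, warn from 70%, critical from 90%.
# Thresholds are an assumption; once the table is full the kernel
# drops new connections instead of tracking them.
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2") || return 1
    if [ "$pct" -ge 90 ]; then echo critical
    elif [ "$pct" -ge 70 ]; then echo warn
    else echo ok
    fi
}

# Use live values when the tool and sysctl exist, otherwise fall back to
# constructed sample numbers so the script runs anywhere.
collect_and_report() {
    if command -v conntrack >/dev/null 2>&1 \
       && [ -r /proc/sys/net/netfilter/nf_conntrack_max ]; then
        count=$(conntrack -C)
        max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
    else
        count=65000   # constructed: the 65,000 connections mentioned above
        max=65536     # constructed: a plausible nf_conntrack_max
    fi
    echo "conntrack entries: $count / $max" \
         "($(conntrack_usage_pct "$count" "$max")%)" \
         "-> $(conntrack_status "$count" "$max")"
}

collect_and_report
```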