On Tue, Jul 25, 2006 at 09:44:29PM +0200, Jan Engelhardt wrote:
> Ah, hm, right. Note that the code I posted inserts an SNAT rule every single time a connection is made, so it does let you keep your original source address. (But it needs some app hacking.)
> And AFAIK iptables has trouble updating large tables, so it only works for a limited number of rules. And packet processing probably stalls while the table is being updated.
> iptables is said to be pretty scalable,
That's a bit of a lie :)
> even with more than 10000 rules.
There are two separate issues:

1. traversing 10000 rules linearly while doing packet filtering
2. loading a 10000-rule table into the kernel

Incremental updates are bad, too -- it is not possible to add or delete a single rule, and you have to copy the _entire_ table to userspace, add/delete your rule, and load the entire table back into the kernel.

cheers,
Lennert
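The update cost Lennert describes is what every `iptables -A` pays: libiptc pulls the whole table out of the kernel, appends the entry in userspace, and pushes the whole table back, so adding N rules one at a time costs N full-table replaces (and N brief stalls). The script below, an added example and not code from this thread or from the iptables project, contrasts that with one atomic `iptables-restore` load of the same rules. The interface name `eth0`, the public address 192.0.2.1 and the 10.0.0.0/8 client hosts are assumed for illustration; the batch generator runs without privileges, the live benchmark is skipped unless run as root with iptables installed.

```shell
#!/bin/sh
# Added example, not from the original thread. Shows per-rule `iptables -A`
# (one full table copy out and back per call) versus a single atomic
# iptables-restore load. eth0, 192.0.2.1 and the 10.0.x.y hosts are assumed.

# Emit an iptables-restore batch that SNATs N private hosts to one public
# address. Pure text generation, so it needs no root and no iptables.
gen_snat_batch() {
    n=$1
    pub=$2
    printf '%s\n' '*nat'
    printf '%s\n' ':POSTROUTING ACCEPT [0:0]'
    i=1
    while [ "$i" -le "$n" ]; do
        # Constructed client addresses: host i becomes 10.0.(i/256).(i%256)
        printf '%s\n' "-A POSTROUTING -s 10.0.$((i / 256)).$((i % 256))/32 -o eth0 -j SNAT --to-source $pub"
        i=$((i + 1))
    done
    printf '%s\n' 'COMMIT'
}

# Count the rule lines in a batch read from stdin (used for checks).
count_rules() {
    grep -c '^-A '
}

# Live comparison of the two loading strategies. Wipes the nat POSTROUTING
# chain, so only run it on a throwaway box; skipped without root/iptables.
bench() {
    n=$1
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "skipping live benchmark (needs root and iptables)"
        return 0
    fi
    iptables -t nat -F POSTROUTING
    start=$(date +%s)
    i=1
    while [ "$i" -le "$n" ]; do
        # Each call: fetch whole table, append one entry, replace whole table.
        iptables -t nat -A POSTROUTING \
            -s "10.0.$((i / 256)).$((i % 256))/32" -o eth0 \
            -j SNAT --to-source 192.0.2.1
        i=$((i + 1))
    done
    echo "per-rule -A:       $(( $(date +%s) - start ))s for $n rules"

    iptables -t nat -F POSTROUTING
    start=$(date +%s)
    # One table replace for all N rules; -n (--noflush) keeps other chains.
    gen_snat_batch "$n" 192.0.2.1 | iptables-restore -n
    echo "iptables-restore:  $(( $(date +%s) - start ))s for $n rules"
}
```

Call `bench 5000` as root to see the gap grow with N: the per-rule loop is quadratic in the number of rules because each append re-copies everything already loaded, whereas the restore path still does one full-table replace but only once. The per-connection SNAT-insertion approach quoted above hits exactly the quadratic path, which is why it stops scaling well before 10000 rules.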