[tproxy] tproxy in newer 2.6 kernels
buytenh at wantstofly.org
Wed Jul 26 23:46:06 CEST 2006
On Tue, Jul 25, 2006 at 09:44:29PM +0200, Jan Engelhardt wrote:
> >> Ah, hm, right. Note that the code I posted inserts an SNAT rule every
> >> single time a connection is made, so it does let you keep your original
> >> source address. (But it needs some app hacking.)
> >And AFAIK iptables has trouble updating large tables, so it only works
> >for a limited number of rules. And packet processing probably stalls
> >while the table is being updated.
> iptables is said to be pretty scalable,
That's a bit of a lie :)
> even with more than 10000 rules.
There's two separate issues:
1. traversing 10000 rules linearly while doing packet filtering
2. loading a 10000-rule table into the kernel
Incremental updates are bad, too -- it is not possible to add or delete
a single rule, and you have to copy the _entire_ table to userspace,
add/delete your rule, and load the entire table back into the kernel.
More information about the tproxy