[tproxy] tproxy in newer 2.6 kernels

Lennert Buytenhek buytenh at wantstofly.org
Wed Jul 26 23:46:06 CEST 2006

On Tue, Jul 25, 2006 at 09:44:29PM +0200, Jan Engelhardt wrote:

> >> Ah, hm, right.  Note that the code I posted inserts an SNAT rule every
> >> single time a connection is made, so it does let you keep your original
> >> source address.  (But it needs some app hacking.)
> >
> >And AFAIK iptables has trouble updating large tables, so it only works
> >for a limited number of rules. And packet processing probably stalls
> >while the table is being updated.
> iptables is said to be pretty scalable,

That's a bit of a lie :)

> even with more than 10000 rules. 

There's two separate issues:
1. traversing 10000 rules linearly while doing packet filtering
2. loading a 10000-rule table into the kernel

Incremental updates are bad, too -- it is not possible to add or delete
a single rule, and you have to copy the _entire_ table to userspace,
add/delete your rule, and load the entire table back into the kernel.


More information about the tproxy mailing list