On Wednesday 2010-05-26 10:11, Eric Dumazet wrote:

>On Tuesday 25 May 2010 at 21:31 -0300, Felipe W Damasio wrote:
>>
>> So I'd like to know if I can cycle through all these rules based on
>> the number of connections.
>>
>> Is it possible?
>>
>> If it isn't currently, can this functionality be added? How can I help?
>
>So all connections are coming from the NAT device, with a single IP, and
>ports from say 30000 to 60000 (check your NAT device)
>
>iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -m multiport \
>  --source-ports 30000:31000 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3127

There may be a non-uniform distribution so it may not be advisable.
Instead perhaps,

	# N = number of proxy instances, listening on ports 3127 .. 3127+N-1
	iptables -t mangle -N extrachain
	iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 \
		-m conntrack --ctstate NEW -j extrachain

	# CONNMARK does not terminate the chain, so every rule sees every
	# new connection: use the same --every N in each rule and a distinct
	# --packet I so that each connection matches exactly one rule
	# (--every 0 is rejected by iptables).
	for ((I = 0; I < N; ++I)); do
		iptables -t mangle -A extrachain -m statistic --mode nth \
			--every "$N" --packet "$I" -j CONNMARK --set-mark "$I"
	done

	# dispatch every packet of the connection by its connmark
	for ((I = 0; I < N; ++I)); do
		iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 \
			-m connmark --mark "$I" \
			-j TPROXY --tproxy-mark "$I/0xff" --on-port "$((I + 3127))"
	done

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
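The reply above relies on `-m statistic --mode nth` handing each new connection to exactly one of N CONNMARK rules. As an added example, not part of the mail or of the netfilter project, here is a small Python model of that match so the distribution can be checked offline. It assumes the semantics of xt_statistic as implemented in the kernel and libxt_statistic (userspace stores `--every n` as n-1, `--packet p` seeds the per-rule counter, and on each packet the rule matches and resets when its counter equals n-1, otherwise it increments) and models the chain with either non-terminating targets such as CONNMARK or terminating ones such as TPROXY/ACCEPT. The rule counts, mark numbers and packet counts are constructed for the demonstration.

```python
"""Model of iptables '-m statistic --mode nth' over a chain of N rules.

Added example (not from the original mail). Assumed kernel semantics, after
xt_statistic.c / libxt_statistic.c:
  * --every n is stored as n-1; --packet p is the counter's initial value;
  * per packet: counter == n-1 -> reset to 0 and match; else counter += 1.
Each rule keeps its own counter, so whether earlier rules terminate chain
traversal decides which parameter pattern gives an even split.
"""
from collections import Counter


class NthRule:
    """One '-m statistic --mode nth --every EVERY --packet PACKET -j TARGET'.

    terminating=True models targets that end traversal (TPROXY, ACCEPT);
    CONNMARK --set-mark is non-terminating, so later rules still run.
    """

    def __init__(self, every, packet, mark, terminating):
        if every < 1 or not 0 <= packet < every:
            raise ValueError("need every >= 1 and 0 <= packet < every")
        self.every = every - 1      # stored as n-1, like libxt_statistic
        self.counter = packet       # --packet seeds the counter
        self.mark = mark
        self.terminating = terminating

    def match(self):
        if self.counter == self.every:
            self.counter = 0
            return True
        self.counter += 1
        return False


def run_chain(rules, n_packets):
    """Feed n_packets through the chain; return {final mark: packet count}."""
    result = Counter()
    for _ in range(n_packets):
        mark = None
        for rule in rules:
            if rule.match():
                mark = rule.mark    # a later non-terminating match overwrites
                if rule.terminating:
                    break
        result[mark] += 1
    return result


def connmark_layout(n):
    """Non-terminating CONNMARK: same --every N, distinct --packet per rule."""
    return [NthRule(n, i, i, terminating=False) for i in range(n)]


def terminating_layout(n):
    """Terminating targets: --every N-i --packet 0, first match wins."""
    return [NthRule(n - i, 0, i, terminating=True) for i in range(n)]


def mixed_layout(n):
    """Pitfall: terminating-style parameters on a non-terminating target.

    The last rule (--every 1) matches every packet and, since nothing stops
    traversal, overwrites every earlier mark.
    """
    return [NthRule(n - i, 0, i, terminating=False) for i in range(n)]


if __name__ == "__main__":
    for name, layout in (("connmark", connmark_layout),
                         ("terminating", terminating_layout),
                         ("mixed", mixed_layout)):
        print(name, dict(sorted(run_chain(layout(4), 4000).items(),
                                key=lambda kv: (kv[0] is None, kv[0]))))
```

With four rules and 4000 connections the first two layouts each put exactly 1000 connections on every mark, while the mixed layout ends with all 4000 on the last mark, which is why a CONNMARK chain needs `--every N --packet I` rather than the decreasing `--every N-I` pattern used with terminating targets.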