On Wednesday 26 May 2010 at 11:47 +0200, Jan Engelhardt wrote:
>
> There may be a non-uniform distribution so it may not be advisable.
> Instead perhaps,
>
> -A PREROUTING -m conntrack --ctstate NEW -j extrachain
> for (I = 0; I < N; ++I)
>     -A extrachain -m statistic --mode nth --every I \
>         -j CONNMARK --set-mark I
> for (I = 0; I < N; ++I)
>     -A PREROUTING -m connmark --mark I -j TPROXY \
>         --tproxy-mark I/0xff --on-port I+3127

I am not sure it would work "all the time".

Some packets could traverse the whole extrachain without hitting any
rule (extrachain is not an atomic group).

For a high performance squid machine, it also adds yet another contention
point (after the conntrack lock of course...)

Some TPROXY extension would be necessary to handle RPS better on this
kind of machine.

Say you have 16 cpus, RPS is able to select a target cpu, then TPROXY
could use this CPU information to choose a destination port per cpu.

    --on-port 3127+cpu