On Wednesday 2015-03-11 22:27, Glen Miner wrote: >> >> What exactly are these four rules, and what do they accomplish? > >echo "*nat >:PREROUTING - [0:0] >-I PREROUTING -p udp -s $aAddr --sport $aPort -d $nAddr --dport $bnPort -j DNAT --to $bAddr:$bPort >-I PREROUTING -p udp -s $bAddr --sport $bPort -d $nAddr --dport $anPort -j DNAT --to $aAddr:$aPort >:POSTROUTING - [0:0] >-A POSTROUTING -p udp -s $aAddr --sport $aPort -d $bAddr --dport $bPort -j SNAT --to $nAddr:$anPort >-A POSTROUTING -p udp -s $bAddr --sport $bPort -d $aAddr --dport $aPort -j SNAT --to $nAddr:$bnPort >COMMIT >" | iptables-restore --noflush > >> You won't be happy changing iptables rules on the fly for each >> customer. Hire somebody who can program in C, point them at the >> iptables kernel NAT module implementation, and maybe ipset, and get >> them hacking away at a solution that works without table manipulation. > >I can program in C; like I said: I translated the above command + some >conntrack junk to direct function calls to skip process creation and parsing >logic for 20x better performance. However, it's not really clear where I'd go >instead short of reinventing iptables / conntrack and lord knows what else. If all you do is the NAT mappings, then directly using conntrack(8) and/or libnetfilter_conntrack should suffice, especially since UDP CT entries stay around until their known timeout. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
