What I would like to do is to perform transformations of destination addresses, where the transformations change on a relatively short time scale. Short enough that implementing the transformations as simple DNAT rules would be impractical. A normal DNAT transformation of destination rules can be achieved by, e.g.,

```
iptables -t nat -A PREROUTING -s 192.168.1.37 -d 10.185.64.137 -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 148.48.184.84
```

Marking the variables of interest as `(D1)` and `(D2)` it becomes

```
iptables -t nat -A PREROUTING -s 192.168.1.37 -d (D1) -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination (D2)
```

It is possible to add and remove such rules in real time but it may be impractical in terms of lookup time for deletion and also compromising network speed. The add and delete operations may simply hang.

A feature that might improve on that rules-only approach would be to allow use of a LUT for the DNAT transformation rules. What follows is pseudo-code. Borrowing from the concept of `ipsets` we create a table

```
iplut create dlut hash:ip,ip
iplut add foo 10.185.64.137,148.48.184.84
...
iplut add foo (D1),(D2)
...
```

and then use a rule that looks *something like*

```
iptables -t nat -A PREROUTING -s 192.168.1.37 -i eth1 -p tcp -m tcp --dport 443 \
    -m match --match-lut dlut dst -j DNAT --to-dest-lut
```

where the "match" looks for the key and pulls the corresponding value if the key is present.

- In the case of no key match, flow proceeds to the next rule.
- In the case of key match, flow proceeds to DNAT along with the lookup value to be used as the new destination, just as though it were a destination hard coded into the rule.

I am assuming such functionality doesn't exist. Clearly part of it follows closely enough to `ipsets` which would be a template. However, I can't find any template for a variable DNAT destination.

I'd appreciate any comments or advice.

Craig Hicks
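The lookup-table DNAT that the post sketches as `iplut` / `--to-dest-lut` pseudo-code exists natively in nftables as a named map consulted by the `dnat` statement. The ruleset below is an added example, not part of the original message and not code from its author; the table, map and chain names (`nat`, `dlut`, `prerouting`) are assumed, while the addresses, port and interface are the ones used in the post.

```nft
# Added example: nftables ruleset, loaded with `nft -f dnat-map.nft`.
# Table/map/chain names are assumed; addresses and interface come from the post.
table ip nat {
    # The lookup table: original destination (D1) -> new destination (D2).
    # Elements are added and deleted at runtime without touching the rule.
    map dlut {
        type ipv4_addr : ipv4_addr
        elements = { 10.185.64.137 : 148.48.184.84 }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # One rule serves every (D1) -> (D2) pair in the map. When ip daddr is
        # not a key in the map, the lookup fails, the rule does not match and
        # evaluation continues with the next rule, which is exactly the
        # "no key match" behaviour described in the post. When it is a key,
        # the looked-up value is used as the DNAT destination.
        iif "eth1" ip saddr 192.168.1.37 tcp dport 443 dnat to ip daddr map @dlut
    }
}
```

Runtime changes are single hash-table operations rather than rule insertions and deletions, so the rule count stays at one regardless of how many pairs are active: `nft add element ip nat dlut { 10.185.64.138 : 148.48.184.85 }` installs a new pair and `nft delete element ip nat dlut { 10.185.64.138 }` retires it, with `nft list map ip nat dlut` showing the current contents. One caveat worth keeping in mind when the map changes quickly: conntrack records the translation per connection, so a flow that was already DNATed keeps its old destination after the element is deleted, and only new connections follow the updated map; if the old mapping must be cut immediately, the matching conntrack entries have to be flushed as well.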