We have an application where thousands of outbound TCP connections are generated from multiple servers. We are interested in mapping some, but not all, of those connections to specific source addresses.
The idea is to run netfilter on a box between these servers & the internet with a 'userland' server process that would be able to add/delete address/port mappings for SNAT. This user process would be contacted by the software running on the servers generating the traffic after they bind to a local address/port but before attempting to connect. They would then contact this process running on the netfilter box and request a specific SNAT for their address/port to a specified address. When the server closes the connection, it would contact the process running on the netfilter box and remove the mapping.
As you can see, there would be a *large* number of updates to the SNAT mapping tables on the netfilter box. My question is:

- Is this really doable? Will the large number (possibly hundreds per second) of table adds/deletes cause havoc on the Linux box running netfilter, bringing performance to a standstill?
Thanks,
Paul
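The userland mapping process described in the post is, by design, a daemon that turns network requests into changes to the firewall's nat table, so its input validation and its bookkeeping are the security-relevant part. The following is an added example, not code from the original post: a small mapping manager that keeps its own table of (source address, source port) -> NAT address entries, validates every request against an allowed source range and an allowed NAT pool before it ever builds an iptables command, and issues one `-A`/`-D` rule per mapping in a dedicated nat chain. The chain name `DYNSNAT`, the address ranges, the `max_mappings` cap and the `runner` hook are assumptions for illustration; the transport between the application servers and this process (and its authentication) is left out.

```python
"""Dynamic SNAT mapping manager for a netfilter box (added example).

Assumed design: a dedicated nat chain DYNSNAT hung off POSTROUTING, one
iptables rule per (src_ip, src_port) -> nat_ip mapping. Chain name, address
ranges and the cap on table size are assumptions, not taken from the post.
"""
import ipaddress
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Mapping:
    src_ip: str
    src_port: int
    nat_ip: str


class SnatMapper:
    """In-memory mapping table plus the iptables commands that mirror it."""

    def __init__(self, allowed_sources, allowed_nat, chain="DYNSNAT",
                 max_mappings=4096, runner=None):
        self.allowed_sources = [ipaddress.ip_network(n) for n in allowed_sources]
        self.allowed_nat = [ipaddress.ip_network(n) for n in allowed_nat]
        self.chain = chain
        self.max_mappings = max_mappings
        # runner receives an argv list; the default executes iptables directly,
        # never through a shell, so request fields cannot become shell syntax.
        self.runner = runner or (lambda argv: subprocess.run(argv, check=True))
        self.table: Dict[Tuple[str, int], Mapping] = {}

    def bootstrap_commands(self) -> List[List[str]]:
        """One-time setup: create the chain and hook it into POSTROUTING."""
        return [
            ["iptables", "-t", "nat", "-N", self.chain],
            ["iptables", "-t", "nat", "-A", "POSTROUTING", "-j", self.chain],
        ]

    def _validate(self, src_ip, src_port, nat_ip) -> Mapping:
        # ip_address() only accepts a literal address, so a request field such
        # as "10.0.0.5 -j ACCEPT" is rejected here and never reaches argv.
        src = ipaddress.ip_address(src_ip)
        nat = ipaddress.ip_address(nat_ip)
        if not isinstance(src_port, int) or not 1 <= src_port <= 65535:
            raise ValueError("bad source port")
        if not any(src in n for n in self.allowed_sources):
            raise ValueError("source address not in allowed range")
        if not any(nat in n for n in self.allowed_nat):
            raise ValueError("NAT address not in allowed pool")
        return Mapping(str(src), src_port, str(nat))

    def _rule(self, action: str, m: Mapping) -> List[str]:
        # Same match for -A and -D, so a delete removes exactly what was added.
        return ["iptables", "-t", "nat", action, self.chain,
                "-p", "tcp", "-s", m.src_ip, "--sport", str(m.src_port),
                "-j", "SNAT", "--to-source", m.nat_ip]

    def add(self, src_ip, src_port, nat_ip) -> bool:
        """Install a mapping. True if a rule was added, False if already present."""
        m = self._validate(src_ip, src_port, nat_ip)
        key = (m.src_ip, m.src_port)
        existing = self.table.get(key)
        if existing is not None:
            if existing == m:
                return False  # idempotent repeat of the same request
            raise ValueError("conflicting mapping already installed for this socket")
        if len(self.table) >= self.max_mappings:
            raise RuntimeError("mapping table full")  # bounds table and rule growth
        self.runner(self._rule("-A", m))
        self.table[key] = m
        return True

    def delete(self, src_ip, src_port) -> bool:
        """Remove a mapping. True if a rule was deleted, False if none was known."""
        key = (str(ipaddress.ip_address(src_ip)), src_port)
        m = self.table.get(key)
        if m is None:
            return False  # never issue a blind -D for something we did not add
        self.runner(self._rule("-D", m))
        del self.table[key]
        return True


if __name__ == "__main__":
    # Dry run: print the iptables commands instead of executing them.
    dry = lambda argv: print(" ".join(argv))
    mgr = SnatMapper(["10.0.0.0/8"], ["203.0.113.0/24"], runner=dry)
    for cmd in mgr.bootstrap_commands():
        dry(cmd)
    mgr.add("10.0.0.5", 40000, "203.0.113.7")
    mgr.delete("10.0.0.5", 40000)
```

Two points worth keeping in mind with this layout. First, each `iptables` invocation fetches and replaces the entire nat table, so at hundreds of adds and deletes per second the cost of that replace is the thing to measure; a per-connection rule in a chain of thousands of rules is also a linear match for every new connection's first packet. Second, the SNAT decision is taken on the first packet of a connection and then lives in the conntrack entry, so deleting the rule when the application closes the socket (or even while the connection is still open) does not disturb the connection itself.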