Re: tunneling and iptables

At 10:02 AM 3/10/2004 +0100, Cedric Blancher wrote:
On Wed 10/03/2004 at 09:15, Hitesh Ballani wrote:
> thanks for your comments on tunnels ... actually i am working on a model
> for anycast deployment and need to have the 16 bits so that i can support
> 256*(2^16) services using a single /24 block ..

OK.

If I understand your context (what may not be true), your problem is
that you have to route packets against destination port and that MARK
capabilities are too limited for you to have Netfilter communicate
within policy routing.

So, have you considered using the ROUTE target (from patch-o-matic), that
allows one to specify a specific route for a given packet within
Netfilter. With it, you could implement a rule just like this:

        iptables -t mangle -A POSTROUTING -p tcp --dport $myservice \
                -j ROUTE --gw $myservicegw


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!



Sorry to bug you ... that ROUTE extension is perfect for me ... but with my design I will have around 2000~ tunnels created (I know this sounds crazy) ... will the kernel be able to handle this, or is this too much of an overhead? Leaving aside the start-up overhead, during the actual forwarding is there any overhead besides the extra IP header being attached?


Thanks for your time,

Hitesh
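For readers without patch-o-matic: the thread contrasts the ROUTE target with the stock MARK approach. The script below is an added example, not code from either poster, showing the stock way to route by destination port with only mainline tools: one MARK value per service in the mangle table, one `ip rule` keyed on that fwmark, and one routing table per service whose default route is the service's gateway (or tunnel endpoint). The service map (ports, gateways, table ids) is constructed for the example, and the script only prints the commands so they can be reviewed before being run as root; applying them assumes iptables and iproute2 are present and that the kernel allows as many routing tables as you have services, which is the scaling question the thread raises for ~2000 tunnels.

```sh
#!/bin/sh
# Added example (not from the thread): per-destination-port policy routing
# using mainline MARK + ip rule/ip route instead of the patch-o-matic ROUTE
# target. Output is a command list; nothing is applied by this script.

# rules_for_service PORT GATEWAY TABLE
# Emits the three commands that steer TCP traffic for PORT via GATEWAY.
# The fwmark value doubles as the routing-table id to keep the mapping obvious.
rules_for_service() {
    port=$1; gw=$2; table=$3
    # mangle/PREROUTING sees forwarded packets before the routing decision.
    printf 'iptables -t mangle -A PREROUTING -p tcp --dport %s -j MARK --set-mark %s\n' "$port" "$table"
    # Policy rule: packets carrying this mark consult their own table.
    printf 'ip rule add fwmark %s lookup %s\n' "$table" "$table"
    # That table has a single default route to the service's gateway.
    printf 'ip route add default via %s table %s\n' "$gw" "$table"
}

# Constructed service map: "port gateway table" triples (example values).
SERVICE_MAP='
8001 192.0.2.11 101
8002 192.0.2.12 102
'

# generate_all: expand the whole map into commands.
generate_all() {
    printf '%s\n' "$SERVICE_MAP" | while read -r port gw table; do
        [ -n "$port" ] || continue
        rules_for_service "$port" "$gw" "$table"
    done
}

# count_rules: number of commands that would be applied (3 per service).
count_rules() {
    generate_all | wc -l | tr -d ' '
}

# Review the output; to apply as root, pipe it into `sh -e`.
generate_all
```

Every service costs one mangle rule, one policy rule and one routing table, so at ~2000 services the rule list is walked linearly for every packet; the `ip rule` lookup is likewise a linear scan. That, rather than the per-packet tunnel encapsulation, is where the forwarding overhead of this design concentrates.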