Efficient 1-to-1 DNAT of range of ports

The semantics of:

iptables -t nat --append PREROUTING -p udp --dport nn:mm -j DNAT \
 --to-destination a.b.c.d:pp-qq

I find somewhat surprising. It appears to be an efficient way to forward a range of ports. But it doesn't work that way. To forward a range of ports it seems that one needs to do:

s=nn
d=pp
# one rule per port: walk the source range nn..mm and the destination
# range pp..qq in lockstep until the source range is exhausted
while [ $s -le mm ]
do
 iptables -t nat --append PREROUTING -p udp --dport $s -j DNAT \
    --to-destination a.b.c.d:$d
 s=$(expr $s + 1)
 d=$(expr $d + 1)
done

This certainly isn't efficient, and can be rather slow. Presumably it can cause large tables to be built in the kernel.

Is there a better way to do it? Has anyone built a module to do 1-to-1 NAT of a port range? Are the current semantics of a range to range DNAT useful? If not, how hard would it be to change?

Thanks

---
Charlie
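As an added example, not part of Charlie's post: a POSIX shell script that does the same one-to-one expansion as the loop above, but emits the rules in iptables-restore syntax so that all of them are loaded in a single atomic commit instead of one iptables invocation per port. It also rejects a mapping whose destination range would run past port 65535. The function names, the chain and protocol, and the sample address and port ranges are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates N one-to-one
# DNAT rules (one per port) in iptables-restore format. Function names and
# the sample values below are assumptions chosen for illustration.

# gen_dnat_rules PROTO FIRST_DPORT LAST_DPORT DEST_IP FIRST_DEST_PORT
# Prints one "-A PREROUTING ..." line per port; returns 1 on a bad range.
gen_dnat_rules() {
    proto=$1 src_lo=$2 src_hi=$3 dst_ip=$4 dst_lo=$5
    # Both ranges must be ordered and stay inside 1..65535; without this
    # check a destination range that overflows would silently wrap.
    [ "$src_lo" -ge 1 ] && [ "$src_hi" -le 65535 ] && [ "$src_lo" -le "$src_hi" ] || return 1
    dst_hi=$((dst_lo + src_hi - src_lo))
    [ "$dst_lo" -ge 1 ] && [ "$dst_hi" -le 65535 ] || return 1
    s=$src_lo
    d=$dst_lo
    # Walk both ranges in lockstep: port s maps to port d, s+1 to d+1, ...
    while [ "$s" -le "$src_hi" ]; do
        printf '%s\n' "-A PREROUTING -p $proto --dport $s -j DNAT --to-destination $dst_ip:$d"
        s=$((s + 1))
        d=$((d + 1))
    done
}

# Wrap the rules in a nat-table block that `iptables-restore -n` accepts
# (-n keeps the rules already loaded instead of flushing the table).
gen_restore_file() {
    echo '*nat'
    gen_dnat_rules "$@" || return 1
    echo 'COMMIT'
}

# Usage (constructed example): forward UDP 5000-5009 to 192.0.2.10:6000-6009
#   gen_restore_file udp 5000 5009 192.0.2.10 6000 | iptables-restore -n
```

This removes the per-rule cost of the loop (one fork and one table reload per port) but not the N rules themselves: iptables still evaluates the PREROUTING chain linearly, so a very wide range still means a long chain. Recent iptables releases also accept a `/baseport` suffix on `--to-destination` for a shifted one-to-one port mapping in a single rule; whether your iptables and kernel support it is something to confirm in `man iptables-extensions` for your version.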

