Hi,

I guess I may have misunderstood the purpose of the netfilter-conntrack module. What I would like to do is to set up a lot of iptables NAT rules (> 10K at 500 rules (add/drop)/s). Using the system iptables command is not going to be fast enough for me. All I want is to deliver the packets received from a specific IP:port to another IP:port. Therefore, I am looking into using the netfilter-conntrack API to actually "set" those rules dynamically. Is this the right approach to doing that? Could someone please give me some suggestions?

Thanks,
P

On Tue, Jun 22, 2010 at 11:10 PM, Pascal Hambourg <pascal.mail@xxxxxxxxxxxxxxx> wrote:
> Hello,
>
> Pete Kay wrote:
>>
>> I have the following NAT rule set up:
>>
>> udp 17 12 src=192.168.1.102 dst=192.168.1.140 sport=7390
>> dport=8000 packets=6 bytes=3258 [UNREPLIED] src=192.168.1.140
>> dst=192.168.1.102 sport=10000 dport=9000 packets=0 bytes=0 mark=0
>> secmark=0 use=2
>
> This is not a NAT rule but a conntrack entry.
>
>> What I am expecting to achieve is that when udp packets go from
>> 192.168.1.102:7390 to 192.168.1.140:8000, the conntrack module would
>> redirect the packet to 192.168.1.102:9000, but it is not happening.
>>
>> Does anyone know what is wrong?
>
> It is not happening because of the above conntrack entry that says
> otherwise and already exists for these packets, so iptables NAT rules
> are ignored. You must first delete the conntrack entry with
> conntrack-tools or by not transmitting related packets until it expires.
> Then the next packet will hit the iptables NAT rules and create a new
> conntrack entry accordingly.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
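An added example, not from this thread or from the netfilter or conntrack-tools projects: it parses a conntrack entry in the format quoted above, checks whether that entry already records the DNAT the rule intends (reply source = new destination), and, if not, builds the conntrack-tools delete command that the reply says must run before the NAT rule can take effect. The sample entry is the one from the thread; the option names -D, -p, -s, -d, --sport and --dport are assumed from conntrack-tools.

```python
# Constructed sample input: the conntrack entry quoted in the thread, joined onto one line.
SAMPLE_ENTRY = (
    "udp 17 12 src=192.168.1.102 dst=192.168.1.140 sport=7390 dport=8000 "
    "packets=6 bytes=3258 [UNREPLIED] src=192.168.1.140 dst=192.168.1.102 "
    "sport=10000 dport=9000 packets=0 bytes=0 mark=0 secmark=0 use=2"
)
TUPLE_KEYS = ("src", "dst", "sport", "dport")

def parse_conntrack_entry(line):
    """Split one ip_conntrack-style line into proto, timeout, original/reply tuples, flags."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("not a conntrack entry: %r" % line)
    tuples, current, flags = [], {}, []
    for tok in fields[3:]:
        if tok.startswith("[") and tok.endswith("]"):      # e.g. [UNREPLIED], [ASSURED]
            flags.append(tok[1:-1])
        elif "=" in tok:
            key, value = tok.split("=", 1)
            if key in TUPLE_KEYS:
                if key == "src" and current:               # a second src= starts the reply tuple
                    tuples.append(current)
                    current = {}
                current[key] = value
    if current:
        tuples.append(current)
    if len(tuples) != 2:
        raise ValueError("expected original and reply tuples, got %d" % len(tuples))
    return {"proto": fields[0], "timeout": int(fields[2]),
            "orig": tuples[0], "reply": tuples[1], "flags": flags}

def entry_reflects_dnat(entry, orig_src, orig_dst, new_dst):
    """True if orig_src->orig_dst ("ip:port") is tracked with new_dst as reply source (DNAT recorded)."""
    o, r = entry["orig"], entry["reply"]
    if (o["src"], o["sport"]) != tuple(orig_src.split(":")):
        return False
    if (o["dst"], o["dport"]) != tuple(orig_dst.split(":")):
        return False
    return (r["src"], r["sport"]) == tuple(new_dst.split(":"))

def delete_command(entry):
    """conntrack-tools command removing the entry by its original tuple (assumes -D/-p/-s/-d/--sport/--dport)."""
    o = entry["orig"]
    return ["conntrack", "-D", "-p", entry["proto"], "-s", o["src"], "-d", o["dst"],
            "--sport", o["sport"], "--dport", o["dport"]]

if __name__ == "__main__":
    e = parse_conntrack_entry(SAMPLE_ENTRY)
    if not entry_reflects_dnat(e, "192.168.1.102:7390", "192.168.1.140:8000", "192.168.1.102:9000"):
        print("stale entry shadows the NAT rule; remove it with:", " ".join(delete_command(e)))
```

For the quoted entry the reply tuple's source is 192.168.1.140:10000, not the intended 192.168.1.102:9000, so the check reports it as stale and prints the delete command.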