2010/6/23 Pete Kay <petedao@xxxxxxxxx>:
> Hi,
>
> I guess I may have misunderstood the purpose of the
> netfilter-conntrack module. What I would like to do is to set up
> a lot of iptables NAT rules (> 10K at 500 rules (add/drop)/s). Using
> the system iptables command is not going to be fast enough for me.
> All I want is to deliver the packets received from specific IP:port to
> another IP:port. Therefore, I am looking into using the
> netfilter-conntrack API to actually "set" those rules dynamically. Is
> this the right approach in doing that?
>
> Could someone please give me some suggestions?

Adding/dropping iptables rules for a whole set of 10K rules is a very
time-consuming procedure. Probably you ought to try to change the
algorithm logic. As a way I suggest using ipset for storing info about
IPs and ports and to build an unchangeable set of iptables rules for
walking through them in a binary tree manner.

--
Best regards
Anatoly Muliarski
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
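As an added illustration of the layout Anatoly suggests (example code written for this page, not code from either poster): the ip,port pairs go into ipset sets, and the iptables rule set is fixed, with one DNAT rule per distinct forwarding destination. Runtime changes then become `ipset add`/`ipset del` netlink calls, which do not touch the rule set at all, and a bulk load of 10K entries is a single `ipset restore`. Everything named here is an assumption: sets are called fwd_<n>, the fixed rules live in a nat chain called FWD_DYN, only TCP is handled, the set key is the packet's original destination ip,port (`dst,dst`; use `src,dst` to key on the sender address instead), the input format is made up, and the sample addresses are constructed. The script only generates the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the netfilter thread. Keeps the iptables rule set
# fixed and moves the per-forwarding data into ipset, so runtime changes are
# `ipset add`/`ipset del` calls instead of iptables rule churn.
#
# Assumptions (all hypothetical): sets are named fwd_<n>, one per distinct
# destination; the fixed rules live in a nat chain called FWD_DYN; only TCP
# is handled; the set key is the packet's ORIGINAL destination ip,port.
# Input lines: "ORIG_DST_IP ORIG_DST_PORT NEW_DST_IP NEW_DST_PORT".

SET_DIR="${SET_DIR:-dst,dst}"   # hypothetical knob: src,dst keys on the sender

# gen_ipset_batch: stdin -> an `ipset restore` batch on stdout.
# One hash:ip,port set per distinct new destination; its members are the
# original ip,port pairs that must be rewritten to that destination.
gen_ipset_batch() {
    awk '
    {
        dst = $3 ":" $4
        if (!(dst in idx)) {
            idx[dst] = ++n
            printf "create fwd_%d hash:ip,port\n", n
        }
        printf "add fwd_%d %s,tcp:%s\n", idx[dst], $1, $2
    }'
}

# gen_static_chain: the part of the rule set that never changes.
gen_static_chain() {
    printf '%s\n' \
        'iptables -t nat -N FWD_DYN' \
        'iptables -t nat -A PREROUTING -j FWD_DYN'
}

# gen_iptables_rules: stdin -> one DNAT rule per distinct destination.
# These rules change only when a destination appears or disappears,
# never when individual ip,port entries are added or removed.
gen_iptables_rules() {
    awk -v dir="$SET_DIR" '
    {
        dst = $3 ":" $4
        if (!(dst in idx)) {
            idx[dst] = ++n
            printf "iptables -t nat -A FWD_DYN -p tcp -m set --match-set fwd_%d %s -j DNAT --to-destination %s:%s\n", n, dir, $3, $4
        }
    }'
}

# Constructed sample input (not real data): three forwardings, two destinations.
SAMPLE='192.0.2.10 80 10.0.0.5 8080
192.0.2.11 80 10.0.0.5 8080
192.0.2.12 443 10.0.0.6 8443'

# Stand-alone run prints the batch and the rules instead of applying them.
# To apply for real (as root):
#   printf '%s\n' "$SAMPLE" | gen_ipset_batch | ipset -exist restore
#   { gen_static_chain; printf '%s\n' "$SAMPLE" | gen_iptables_rules; } | sh
# Later membership changes need no iptables call at all, e.g.:
#   ipset add fwd_1 192.0.2.13,tcp:80
#   ipset del fwd_1 192.0.2.10,tcp:80
printf '%s\n' "$SAMPLE" | gen_ipset_batch
gen_static_chain
printf '%s\n' "$SAMPLE" | gen_iptables_rules
```

Two caveats a practitioner would want alongside this. First, the walk through FWD_DYN is still linear in the number of distinct destinations, not in the number of forwardings; if destinations are also numerous, split FWD_DYN into sub-chains by destination prefix so each packet traverses only a branch, which is the tree-shaped walk the reply has in mind. Second, NAT decisions are taken on the first packet of a flow and cached in conntrack, so removing an entry from a set stops new connections only; an established flow keeps its old mapping until its conntrack entry expires or is flushed with the conntrack tool, which is the one place the original poster's conntrack interest actually matters.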