Hi all,

I've been digging around in the iptables (and xtables-addons) stuff looking for a way to do stateless UDP PAT, but I don't think any of the existing modules cover what I want to do. I wanted to check here first, though, in case perhaps I missed something.

To give a concrete example of the behavior I'm looking for:

- 192.0.2.1 is a real IP address on this machine (there's no real routing or NAT going on here).
- Application instances are listening on UDP ports 12340-12347.
- The "official" port number that external clients will reach this application on is 1234.
- I want incoming traffic for port 1234 to be round-robined to 12340-12347.

These two rules would nearly do what I want, if I'm reading the docs correctly:

  iptables -t nat -A PREROUTING -d 192.0.2.1 -p udp --dport 1234 -j DNAT --to-destination :12340-12347
  iptables -t nat -A POSTROUTING -s 192.0.2.1 -p udp -m multiport --dports 12340-12347 -j SNAT --to-source :1234

However, the application's protocol is built on stateless transactions (single request packet, single response packet), and for performance reasons (and the sheer count of packets flying) I don't want conntrack trying to watch and time out all of these single-packet UDP transactions. I just want it to round-robin the destination port on the incoming packets, and statically rewrite the source ports back to the canonical one on the response traffic, statelessly.

Did I miss some way to do this with the existing tools/modules? Do I just have to write a custom module for this sort of thing?

Thanks,

-- 
Brandon

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
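The following is an added illustration, not part of the original post and not netfilter code: a small Python model of the two rewrites the poster describes, with the inbound round-robin DNAT and the static outbound SNAT implemented without a flow table, next to a variant that records a per-flow entry the way conntrack-based NAT does. Packets are modelled as plain objects carrying only the addressing fields the rewrite touches; the class names, the `run_transactions` helper and the client address 198.51.100.7 are constructed for the example and are not from the post.

```python
"""Model of stateless vs. conntrack-style UDP PAT for the 1234 -> 12340-12347 case.

Hypothetical illustration only: not a netfilter module, just the header
rewrites applied to a toy packet object, so it runs offline.
"""
from dataclasses import dataclass, replace
from itertools import cycle

VIP = "192.0.2.1"                      # the real local address from the post
PUBLIC_PORT = 1234                     # canonical port external clients use
BACKEND_PORTS = range(12340, 12348)    # application instances, 12340-12347 inclusive


@dataclass(frozen=True)
class UdpPacket:
    """Only the L3/L4 addressing fields that NAT rewrites are modelled."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatelessPat:
    """Round-robin DNAT on the way in, static SNAT on the way out, no flow table."""

    def __init__(self):
        self._next = cycle(BACKEND_PORTS)   # round-robin position is the only state

    def inbound(self, pkt):
        # PREROUTING equivalent: only traffic for VIP:PUBLIC_PORT is rewritten.
        if pkt.dst_ip == VIP and pkt.dst_port == PUBLIC_PORT:
            return replace(pkt, dst_port=next(self._next))
        return pkt

    def outbound(self, pkt):
        # POSTROUTING equivalent: any reply sourced from a backend port gets the
        # canonical source port. The reverse mapping is a constant, so nothing
        # about the original request has to be remembered to undo the DNAT.
        if pkt.src_ip == VIP and pkt.src_port in BACKEND_PORTS:
            return replace(pkt, src_port=PUBLIC_PORT)
        return pkt

    def state_entries(self):
        return 0


class ConntrackPat:
    """Same mapping, but keeping a per-flow entry as conntrack NAT would."""

    def __init__(self):
        self._next = cycle(BACKEND_PORTS)
        self._flows = {}   # (client_ip, client_port) -> backend port chosen for it

    def inbound(self, pkt):
        if pkt.dst_ip == VIP and pkt.dst_port == PUBLIC_PORT:
            key = (pkt.src_ip, pkt.src_port)
            if key not in self._flows:          # first packet of the flow picks a backend
                self._flows[key] = next(self._next)
            return replace(pkt, dst_port=self._flows[key])
        return pkt

    def outbound(self, pkt):
        # Reverse translation is a lookup on the flow the request created.
        key = (pkt.dst_ip, pkt.dst_port)
        if pkt.src_ip == VIP and self._flows.get(key) == pkt.src_port:
            return replace(pkt, src_port=PUBLIC_PORT)
        return pkt

    def state_entries(self):
        return len(self._flows)   # grows with every single-packet transaction


def run_transactions(pat, n):
    """Send n one-request/one-response transactions from distinct client ports.

    Returns (backend ports the requests were sent to, source ports seen on
    the rewritten replies). The client address is constructed sample input.
    """
    hit, reply_ports = [], []
    for i in range(n):
        req = UdpPacket("198.51.100.7", 40000 + i, VIP, PUBLIC_PORT)
        fwd = pat.inbound(req)
        hit.append(fwd.dst_port)
        # The application instance answers from the backend port it received on.
        resp = UdpPacket(VIP, fwd.dst_port, req.src_ip, req.src_port)
        reply_ports.append(pat.outbound(resp).src_port)
    return hit, reply_ports


if __name__ == "__main__":
    for cls in (StatelessPat, ConntrackPat):
        pat = cls()
        hit, replies = run_transactions(pat, 10)
        print(cls.__name__, hit, set(replies), "state entries:", pat.state_entries())
```

The point the model makes explicit is why the second direction needs no state: a reply from any of 12340-12347 is always rewritten to 1234, so the outbound rule is a pure function of the packet. Note that those replies carry the backend number as their *source* port, so a POSTROUTING match on them uses `-m multiport --sports 12340-12347`; matching on destination ports would not see them. With conntrack in the path the reverse translation is instead a lookup on an entry created per request, which is exactly the per-transaction state the post wants to avoid.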