On Thu, 2012-01-05 at 09:15 +0100, Anton Melser wrote:
> I was thinking that when the packets *arrive* on the router they could
> be marked for ToS or fwmark from their source IPs. The ToS or fwmark

You could mark them with a TOS value, but since (I understand that) you want to NAT private subnets using 1600 public IPs, you'd need to be able to check 1600 different TOS values, otherwise I don't see how you would be able to differentiate. That's not possible, as the TOS field is 8 bits according to 'man iptables' (F15's 1.4.10, yes I have to look it up too :-)). There's also DSCP; the man page says it has superseded TOS and that there can be 64 DSCP values (0-63), so that would also be a no-go AFAICS.

IIRC fwmark only exists on the localhost, not in the header of the IP packet, so if I'm right then keep in mind that you can only use it at the localhost. The man page says that the mark value is 32 bits wide, which would make it usable here. But I don't think all of this is going to help you.

> could then be used for routing decisions. On the surface of it there
> is no benefit - if you can use source address for routing decisions
> then why bother adding a step for marking? ToS and fwmark looked a
> little simpler in the examples, but I'm a noob, so don't really know!
> In any case, source IP seemed to be the best option, so it looks like
> you are confirming my original suspicions.

Since it seems you want to map private subnets to 1 public IP and do that 1600 or so times, I don't see a way to do it easier than matching the source address and SNATing it accordingly. Yes, that would mean a lot of rules to create and maintain, but I just don't see any other way.

--
Rob
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
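The approach the reply lands on, matching on source address and SNATing each private subnet to its own public address, as an added example that is not code from the thread: a Python script that turns a subnet-to-public-IP mapping into an iptables-restore fragment and refuses to render a mapping that would leak or misroute (non-RFC 1918 source subnet, a public address that is itself private, one public address mapped twice, or overlapping subnets where the later rule could never match). The sample mapping, the outgoing interface eth0 and the chain name SNAT-MAP are assumptions; 203.0.113.0/24 is the RFC 5737 documentation range standing in for the real public block.

```python
"""Generate an iptables-restore nat-table fragment that SNATs each private
subnet to its own public address by matching on the source address.

Added example, not code from the original thread. The mapping data, the
outgoing interface name (eth0) and the chain name (SNAT-MAP) are assumptions.
"""
import ipaddress

# RFC 1918 ranges: what the thread means by "private subnets".
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample mapping (private subnet -> public source address).
# 203.0.113.0/24 is the RFC 5737 documentation range, standing in for the
# real public block; a real deployment would read ~1600 lines from a file.
SAMPLE_MAPPING = """\
# private_subnet    public_ip
10.0.1.0/24         203.0.113.1
10.0.2.0/24         203.0.113.2
192.168.5.0/24      203.0.113.3
"""


def parse_mapping(text):
    """Parse 'subnet public_ip' lines, skipping blanks and '#' comments."""
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 2 fields, got {len(fields)}")
        # strict=True rejects 10.0.1.5/24 (host bits set), a common typo.
        pairs.append((ipaddress.ip_network(fields[0], strict=True),
                      ipaddress.ip_address(fields[1])))
    return pairs


def validate(pairs):
    """Return a list of problems (empty means the mapping is usable)."""
    problems = []
    seen_public = {}
    for subnet, public in pairs:
        if not any(subnet.subnet_of(net) for net in RFC1918):
            problems.append(f"{subnet} is not an RFC 1918 subnet")
        if (any(public in net for net in RFC1918) or public.is_loopback
                or public.is_multicast or public.is_unspecified):
            problems.append(f"{public} cannot be used as a public source address")
        if public in seen_public:
            problems.append(f"{public} is mapped twice ({seen_public[public]} and {subnet})")
        seen_public[public] = subnet
    # iptables stops at the first matching rule in the chain, so an
    # overlapping subnet listed later would never be reached.
    for i, (a, _) in enumerate(pairs):
        for b, _ in pairs[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} and {b} overlap; the later rule is unreachable")
    return problems


def build_nat_rules(pairs, out_iface="eth0", chain="SNAT-MAP"):
    """Return iptables-restore lines: one SNAT rule per subnet in its own chain."""
    lines = [
        "*nat",
        ":POSTROUTING ACCEPT [0:0]",
        f":{chain} - [0:0]",
        f"-A POSTROUTING -o {out_iface} -j {chain}",
    ]
    for subnet, public in pairs:
        lines.append(f"-A {chain} -s {subnet} -j SNAT --to-source {public}")
    lines.append("COMMIT")
    return lines


def render(text, out_iface="eth0"):
    """Parse, validate and render; raise on a bad mapping rather than load it."""
    pairs = parse_mapping(text)
    problems = validate(pairs)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join(build_nat_rules(pairs, out_iface)) + "\n"


if __name__ == "__main__":
    print(render(SAMPLE_MAPPING), end="")
```

Load the output with `iptables-restore -T nat < rules.nat`; without `--noflush` that replaces the whole nat table, which is what makes regenerating from the mapping file the maintainable way to handle 1600 rules. All of them sit in one user chain evaluated top to bottom, but the nat table is only consulted for the first packet of each connection (conntrack applies the chosen mapping to the rest), so the linear scan costs per new connection rather than per packet.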