I just realised something. With the SNAT and MASQUERADE stuff, only the first packet of a connection needs to be looked up. After that all subsequent packets are given the same treatment. Thus it really matters little I guess. Only the first packet would be minusculely delayed by the extra time required to look up the current IP address of the interface. Hmmmm.

Cheers.
Mark.