Portunus
Forwarding concepts

TCP Forwarding

A TCP listener forwards every accepted connection straight to its target — a pure L4 byte passthrough.

How to set it up: Standalone (TOML) · Server + Client (operator)

TCP forwarding is the simplest rule type: accept a connection, open one to the target, and copy bytes both ways until either side closes. SNI routing and PROXY protocol build on this same TCP path; UDP forwarding is the datagram equivalent.

How it works

Each TCP rule runs a single accept loop on the client. For every accepted connection the client opens one upstream connection (TcpStream::connect) to the configured target and runs a bidirectional byte copy until either side closes.

There is no userspace buffering beyond the kernel's send/recv windows. The forwarder is a pure L4 byte passthrough — TLS sessions, HTTP requests, and arbitrary protocols pass through unmodified.

On Linux, connections without a bandwidth cap take the splice(2) fast path (zero-copy through the kernel). Rate-limited connections fall back to a userspace copy loop. The listener binds with SO_REUSEADDR, so a fast process restart (e.g. docker restart) rebinds immediately instead of failing with port_in_use while a prior socket sits in TIME_WAIT.
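
The accept, connect and copy-both-ways path described above, as an added example rather than Portunus's own code: a std-only Rust forwarder with one thread per direction. The function names, the half-close handling and the echo target are assumptions of this example, and it does not implement the splice(2) fast path.

```rust
use std::io::{self, Read, Write};
use std::net::{Shutdown, SocketAddr, TcpListener, TcpStream};
use std::thread;

// Copy one direction until EOF or error, then pass the close on to the peer.
fn pump(mut from: TcpStream, mut to: TcpStream) -> io::Result<u64> {
    let copied = io::copy(&mut from, &mut to); // bytes are never inspected
    let _ = to.shutdown(Shutdown::Write);
    copied
}
// One accepted connection -> one upstream connect -> copy both ways.
fn relay(client: TcpStream, target: SocketAddr) -> io::Result<()> {
    let upstream = TcpStream::connect(target)?;
    let (client_rd, upstream_wr) = (client.try_clone()?, upstream.try_clone()?);
    let up = thread::spawn(move || pump(client_rd, upstream_wr));
    let _ = pump(upstream, client);
    let _ = up.join();
    Ok(())
}
// Bind, run the accept loop on a background thread, return the bound address.
fn spawn_forwarder(listen: &str, target: SocketAddr) -> io::Result<SocketAddr> {
    let listener = TcpListener::bind(listen)?; // Rust std sets SO_REUSEADDR on Unix
    let addr = listener.local_addr()?;
    thread::spawn(move || {
        for conn in listener.incoming().flatten() {
            thread::spawn(move || relay(conn, target));
        }
    });
    Ok(addr)
}
// Constructed demo: a local echo server stands in for the configured target.
fn demo_roundtrip(payload: &[u8]) -> io::Result<Vec<u8>> {
    let echo = TcpListener::bind("127.0.0.1:0")?;
    let target = echo.local_addr()?;
    thread::spawn(move || {
        for stream in echo.incoming().flatten() {
            let _ = io::copy(&mut &stream, &mut &stream);
        }
    });
    let mut client = TcpStream::connect(spawn_forwarder("127.0.0.1:0", target)?)?;
    client.write_all(payload)?;
    client.shutdown(Shutdown::Write)?; // half-close: tells the far side we are done
    let mut echoed = Vec::new();
    client.read_to_end(&mut echoed)?;
    Ok(echoed)
}
fn main() {
    println!("{:?}", demo_roundtrip(b"ping through the forwarder").unwrap());
}
```

Because the relay never parses the stream, the target sees the forwarder as its TCP peer, not the original client.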
