On 2/4/2013 5:46 PM, KOVACS Krisztian wrote:
> Yes, but only for local sockets. However, in this case the endpoint address is first chosen by the client's TCP stack and then on the proxy's TCP stack. The latter does not have a socket bound to the address yet, so it will be happy to choose the exact same port.

From the proxy's point of view it's a connection, and it can use a random port, which the OS will make sure is OK, since it actually pairs the src IP to the dst IP when binding. I wanted the same as you. This adds a bit of complexity to the kernel, and by the way, the TPROXY socket is a local socket in the OS's eyes but has another, non-local IP. You can try it in the real world and see that, unless you are working with specific network protocols and you need to know things about the src side, you won't have any trouble with TPROXY and TCP.

There is too much experience with it that makes it a fact that it works. From any application, the TPROXY outgoing socket is just another FD, so the dst and src are only important for logging.

What are you working on?

Regards,
Eliezer

--
Eliezer Croitoru
http://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
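An added example to go with the exchange above. It is my own constructed code, not Eliezer's, Krisztian's, Squid's or the tproxy patches', and it assumes Linux. `open_transparent_upstream()` is the outgoing side of a transparent proxy: the server-facing socket is bound to the downstream client's own ip:port (a non-local address) before it connects, which needs IP_TRANSPARENT, CAP_NET_ADMIN and the usual tproxy fwmark/policy-route rules for the replies, so it is shown but not exercised. `same_port_two_destinations()` is the unprivileged loopback check behind the "pairs the src IP to the dst IP" claim: the kernel enforces uniqueness of a connected TCP socket on the full 4-tuple, so a bound source port can be reused towards a different destination but is refused towards the same one. The listener ports and loopback addresses are constructed inside the function.

```python
"""Constructed example (not from the mailing-list post). Linux only."""
import errno
import socket

# Linux value of IP_TRANSPARENT from <linux/in.h>; the name is missing from
# the socket module on some Python builds.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def open_transparent_upstream(client_addr, server_addr, timeout=5.0):
    """Connect to server_addr using client_addr (ip, port) as the source.

    client_addr is whatever the downstream client's TCP stack picked; it is
    not an address of this host, which is exactly what IP_TRANSPARENT allows.
    Requires CAP_NET_ADMIN (EPERM otherwise).  A source that clashes with an
    existing socket on this host surfaces as EADDRINUSE at bind() or
    EADDRNOTAVAIL at connect(); the kernel checks the whole 4-tuple there.
    Assumed usage; not run by the test.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
        s.bind(client_addr)          # non-local bind, permitted by the option
        s.settimeout(timeout)
        s.connect(server_addr)
    except OSError:
        s.close()
        raise
    return s


def same_port_two_destinations():
    """Unprivileged loopback check of the 4-tuple uniqueness rule.

    Returns a dict: whether reusing (src ip, src port) towards the SAME
    destination was refused with EADDRNOTAVAIL, whether the same source port
    could be reused towards a DIFFERENT destination, and the port involved.
    """
    lo = "127.0.0.1"
    listeners = []
    for _ in range(2):                       # two constructed destinations
        lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        lst.bind((lo, 0))
        lst.listen(4)
        listeners.append(lst)
    dst_a, dst_b = (lst.getsockname() for lst in listeners)

    def client(bind_port):
        c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # SO_REUSEADDR lets two non-listening sockets share a local port;
        # it does not relax the 4-tuple check done at connect() time.
        c.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        c.bind((lo, bind_port))
        return c

    result = {"same_dst_refused": False, "diff_dst_ok": False,
              "src_port_shared": False, "src_port": None}

    c1 = client(0)                           # kernel picks the source port
    c1.connect(dst_a)
    src_port = c1.getsockname()[1]
    result["src_port"] = src_port

    c2 = client(src_port)
    try:
        c2.connect(dst_a)                    # identical 4-tuple to c1
    except OSError as e:
        result["same_dst_refused"] = e.errno == errno.EADDRNOTAVAIL
    finally:
        c2.close()

    c3 = client(src_port)
    try:
        c3.connect(dst_b)                    # same src ip:port, other dst
        result["diff_dst_ok"] = True
        result["src_port_shared"] = c3.getsockname()[1] == src_port
    finally:
        c3.close()

    c1.close()
    for lst in listeners:
        lst.close()
    return result


if __name__ == "__main__":
    print(same_port_two_destinations())
```

The loopback check is the cheap way to convince yourself before deploying: if `same_dst_refused` and `diff_dst_ok` both come back true, the port the client picked can be safely reused by the proxy as long as the destination differs, and a genuine collision is reported to the proxy as an error rather than silently hijacking an existing flow.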