From: "KOVACS Krisztian" <hidden@sch.bme.hu>
In the case of tproxy4 using IP_FREEBIND, I wonder if there is someone who can work on an equivalent patch.
First of all, thanks for the nice analysis. It's really helpful.
And yes, a modification of tproxy4 to support NAT is on the way -- it's just that I did not have time to work on it in the last few weeks. But it's certainly possible to implement NAT compatibility with tproxy4. (In a way which is much cleaner than the modifications necessary for tproxy2.)
First of all, I am quite a newbie with regards to kernel socket/netfilter programming. But if I check on the reply packets in the tproxy table prerouting chain and given the socket buffer, is there a way for me to query the connection tracking to find out the original source IP before SNAT? My idea is that perhaps I could use the code in the tproxy4 patch to look up the IP_FREEBIND socket so that the reply traffic can be diverted locally too using tproxy. See fragments of the tproxy-4.0.3 patch:

+ sk = ipt_tproxy_get_sock(protocol, iph->saddr, iph->daddr,
+ hp->source, hp->dest, in);
+ if (sk) {
+ /* mark skb */
+ inet = inet_sk(sk);
+ if (inet == NULL)
+ goto out;
+
+ if (tproxy_any || inet->freebind) {
+ skb->ip_tproxy = 1;
+
+ indev = in_dev_get(in);
+ if (indev == NULL)
+ goto out;
+
+ ip_divert_local(skb, indev, sk);
+ in_dev_put(indev);
+

Is this a workable approach? Any comments?
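Review bot: the `if (inet == NULL) goto out;` after `inet = inet_sk(sk)` can never be taken, because inet_sk() is a pointer cast of a socket that the preceding `if (sk)` has already checked for NULL; dropping that check avoids suggesting the cast can fail. More importantly, both `goto out` paths in the fragment leave without a visible sock_put() for the socket returned by ipt_tproxy_get_sock(); if that lookup returns a held reference (as the kernel's socket lookups do), the `out:` label, which is not shown here, must release it, or every exit through those paths leaks a socket reference. Worth confirming before reusing this block on the reply path, where it would run for every reply packet of a NATed flow.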
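The question above is whether a reply packet seen at PREROUTING can be mapped back to the client's pre-SNAT source via connection tracking. The following is an added, user-space model of that lookup written for this thread; it is not kernel code, not part of any tproxy patch, and its `struct ct_tuple`, `struct ct_entry`, `ct_insert()`, `ct_original_source()` and the `demo_*` helpers are hypothetical stand-ins for the kernel's conntrack tuple and tuplehash structures. The constructed flow is a client 10.0.0.5:40000 talking to 198.51.100.7:80 through a box that SNATs it to 192.0.2.1:50000; the model shows why matching the reply packet against the REPLY-direction tuple and reading the ORIGINAL-direction source recovers the real client address.

```c
/* Added example (not from the mailing-list thread or the tproxy patches):
 * a user-space model of a conntrack lookup in the reply direction.
 * All structure and function names are hypothetical stand-ins for the
 * kernel's nf_conntrack_tuple / nf_conntrack_tuple_hash machinery. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define DIR_ORIGINAL  0
#define DIR_REPLY     1
#define CT_TABLE_SIZE 8
#define PROTO_TCP     6

/* Simplified 5-tuple; addresses are kept in host byte order. */
struct ct_tuple {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
};

/* One tracked connection: a tuple per direction, as conntrack keeps it. */
struct ct_entry {
    struct ct_tuple t[2];
    int in_use;
};

static struct ct_entry ct_table[CT_TABLE_SIZE];

/* Parse a dotted quad into a host-order 32-bit value (0 on parse error). */
uint32_t ip4(const char *dotted)
{
    unsigned a, b, c, d;
    if (sscanf(dotted, "%u.%u.%u.%u", &a, &b, &c, &d) != 4)
        return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

static int tuple_eq(const struct ct_tuple *x, const struct ct_tuple *y)
{
    return x->src_ip == y->src_ip && x->dst_ip == y->dst_ip &&
           x->src_port == y->src_port && x->dst_port == y->dst_port &&
           x->proto == y->proto;
}

void ct_flush(void) { memset(ct_table, 0, sizeof ct_table); }

/* Record a tracked connection. For an SNATed flow the REPLY tuple carries the
 * post-NAT address as its destination, while the ORIGINAL tuple still holds
 * the client's real source. Returns 0 on success, -1 when the table is full. */
int ct_insert(const struct ct_tuple *orig, const struct ct_tuple *reply)
{
    for (int i = 0; i < CT_TABLE_SIZE; i++) {
        if (!ct_table[i].in_use) {
            ct_table[i].t[DIR_ORIGINAL] = *orig;
            ct_table[i].t[DIR_REPLY] = *reply;
            ct_table[i].in_use = 1;
            return 0;
        }
    }
    return -1;
}

/* Given the 5-tuple of a packet travelling in the reply direction, find the
 * entry whose REPLY tuple matches it and return the ORIGINAL-direction source,
 * i.e. the client's address and port before SNAT. Returns 1 if the packet
 * belongs to a tracked connection, 0 otherwise (the caller must then not
 * divert it, since it has no pre-NAT identity to map to). */
int ct_original_source(const struct ct_tuple *pkt, uint32_t *orig_ip, uint16_t *orig_port)
{
    for (int i = 0; i < CT_TABLE_SIZE; i++) {
        if (ct_table[i].in_use && tuple_eq(&ct_table[i].t[DIR_REPLY], pkt)) {
            *orig_ip = ct_table[i].t[DIR_ORIGINAL].src_ip;
            *orig_port = ct_table[i].t[DIR_ORIGINAL].src_port;
            return 1;
        }
    }
    return 0;
}

/* Constructed sample flow: client 10.0.0.5:40000 -> server 198.51.100.7:80,
 * SNATed by the proxy box to 192.0.2.1:50000. Returns 0 on success. */
int demo_setup(void)
{
    struct ct_tuple orig  = { ip4("10.0.0.5"),     ip4("198.51.100.7"), 40000, 80,    PROTO_TCP };
    struct ct_tuple reply = { ip4("198.51.100.7"), ip4("192.0.2.1"),    80,    50000, PROTO_TCP };
    ct_flush();
    return ct_insert(&orig, &reply);
}

/* The server's reply, addressed to the NAT address: resolve it to the
 * pre-NAT client. Returns the client IP (0 if untracked); port via out-param. */
uint32_t demo_reply_lookup(uint16_t *port_out)
{
    struct ct_tuple reply_pkt = { ip4("198.51.100.7"), ip4("192.0.2.1"), 80, 50000, PROTO_TCP };
    uint32_t ip = 0;
    *port_out = 0;
    ct_original_source(&reply_pkt, &ip, port_out);
    return ip;
}

/* A stray packet to the NAT address on a port conntrack never saw: must not match. */
int demo_unknown_lookup(void)
{
    struct ct_tuple stray = { ip4("198.51.100.7"), ip4("192.0.2.1"), 80, 50001, PROTO_TCP };
    uint32_t ip; uint16_t port;
    return ct_original_source(&stray, &ip, &port);
}

int main(void)
{
    uint16_t port;
    demo_setup();
    uint32_t ip = demo_reply_lookup(&port);
    if (ip)
        printf("reply belongs to pre-NAT source %u.%u.%u.%u:%u\n",
               ip >> 24, (ip >> 16) & 255, (ip >> 8) & 255, ip & 255, port);
    printf("stray packet tracked: %d\n", demo_unknown_lookup());
    return 0;
}
```

The point for the reply-path idea in the message above: a reply packet only identifies the client through the ORIGINAL-direction tuple of its conntrack entry, so a lookup keyed on the packet's own addresses (which is what the socket lookup in the quoted fragment does) would see the NAT address, not the client; the conntrack entry is what bridges the two, and a packet with no entry should simply not be diverted.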