On Sep 18 2007 12:01, Balazs Scheidler wrote:
> As some of you might know, the 5th Netfilter Developer's Workshop took place last week in Karlsruhe, Germany. Krisztian Kovacs (hidden) and me
Krisztián was not hidden at all ;-) [scnr]
> The most important changes relative to the current 4.0.x patches are:
>  * the tproxy table is gone, TPROXY targets need to be added to the mangle table instead
>  * the tproxy match is gone, a new "socket" match is introduced
>  * instead of using a separate routing trick to divert packets to the local IP stack inside the TProxy target, we are now using stock routing decisions, and need a bit in the packet MARK field, and perform diversion by using an advanced routing rule.
>  * instead of IP_FREEBIND we are using a setsockopt named IP_TRANSPARENT which requires CAP_NET_ADMIN privilege
Hm, the working sample code I have here (again, based upon Krisztián's tproxy-4.0_20060722 I was sent) requires both IP_FREEBIND and IP_TRANSPARENT. Does this still hold?
> # connections to be redirected should use the TPROXY target, which sets
> # up redirection, and marks the packet according to its 'tproxy-mark'
> # argument
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 50080
Is this a mark distinct from the packet mark? I remember being put into the boiling cooking pot when I tried to have chaostables use packet and connection marks for its tricks. I am still unsure what exactly -j TPROXY is supposed to do. Case 1 I can imagine: no squid, hence routing the packet with its original address is a no-problem. Case 2 to imagine: with squid; can use -j REDIRECT instead of -j TPROXY. What did I miss?
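The pieces the thread refers to, put together as an added example that is not from this thread, from Balazs's patch set or from any tproxy release: the quoted TPROXY rule, the policy-routing rule and local route that deliver the marked packets to the local stack, and a minimal listener that requests IP_TRANSPARENT on its socket. The mark written by `--tproxy-mark` is the ordinary packet mark (nfmark, the one `-j MARK` and `ip rule ... fwmark` operate on), so the diversion rule matches on fwmark; the mark/mask and port are taken from the quoted rule, while routing table 100, the `lo` device, the `serve()` loop and the option-number fallbacks are assumptions of this example. Setting IP_TRANSPARENT needs CAP_NET_ADMIN on Linux, so the helper reports a status instead of crashing when run unprivileged.

```python
import socket

# IP_TRANSPARENT is 19 in <linux/in.h>; the Python socket module exposes it on
# Linux, the literal is a fallback so the module imports elsewhere (assumption).
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)

# Values from the rule quoted in the thread.
TPROXY_MARK = 0x1
TPROXY_MASK = 0x1
PROXY_PORT = 50080
# Assumption of this example: any otherwise unused routing table number works.
ROUTING_TABLE = 100


def setup_commands():
    """Shell commands that divert marked packets to the local stack.

    Line 1 is the quoted TPROXY rule; lines 2 and 3 are the policy-routing
    rule and the local route that replace the old in-target routing trick.
    """
    mark = f"{TPROXY_MARK:#x}/{TPROXY_MASK:#x}"
    return [
        f"iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY "
        f"--tproxy-mark {mark} --on-port {PROXY_PORT}",
        f"ip rule add fwmark {mark} lookup {ROUTING_TABLE}",
        f"ip route add local 0.0.0.0/0 dev lo table {ROUTING_TABLE}",
    ]


def mark_matches(packet_mark):
    """Mirror the fwmark rule: a packet matches when (mark & mask) == value & mask."""
    return (packet_mark & TPROXY_MASK) == (TPROXY_MARK & TPROXY_MASK)


def try_transparent_socket():
    """Create a TCP socket and request IP_TRANSPARENT on it.

    Returns (sock, status) with status 'ok' when the kernel accepted the
    option, 'permission-denied' when the process lacks CAP_NET_ADMIN and
    'unsupported' when the option is unknown.  The caller closes the socket.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    except PermissionError:
        return sock, "permission-denied"
    except OSError:
        return sock, "unsupported"
    return sock, "ok"


def serve(listen_port=PROXY_PORT):
    """Hypothetical minimal transparent listener: logs who connected to what."""
    sock, status = try_transparent_socket()
    if status != "ok":
        sock.close()
        raise SystemExit(f"IP_TRANSPARENT: {status} (needs CAP_NET_ADMIN on Linux)")
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("0.0.0.0", listen_port))
    sock.listen(16)
    while True:
        conn, client = sock.accept()
        # On a TPROXY-diverted connection the local address reported by
        # getsockname() is the client's original destination, not the
        # proxy's own address; that is what a transparent proxy forwards to.
        original_dst = conn.getsockname()
        print(f"{client} -> original destination {original_dst}")
        conn.close()


if __name__ == "__main__":
    for cmd in setup_commands():
        print("#", cmd)
    serve()
```

Run `setup_commands()` once as root before starting the listener; the commands are printed rather than executed so the example is safe to run unprivileged, where `serve()` will exit with the `permission-denied` status instead of binding.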