Hi, On Wed, Dec 05, 2007 at 03:47:57PM +0800, Ming-Ching Tiew wrote:
From: "Ming-Ching Tiew" <mingching.tiew@redtone.com>
> My idea is that perhaps I could use the code in the tproxy4 patch to lookup the IP_FREEBIND socket so that the reply traffic can be diverted locally too using tproxy :-
> I hope I have not bored you guys to death with my solo show.
Hey, not at all! It's just that we all have other things to work on, and because of this we're usually not that quick to reply. (Yeah, I know this sucks. Sorry.)
> Anyway, please find included a patch which I created, to be applied on top of tproxy 4.0.3, which, based on my own testing, seems to work. This patch is weird, as it modifies the IP header data in the PREROUTING chain and I don't have the slightest idea what the implications will be.
> In any case, the purpose is not to show that it is a working solution, but rather to invite comments from the gurus here.
Hmm, I don't really get why you want to modify the header here. I understand the first chunk (although I guess you got it wrong: you'd have to use the IP_CT_DIR_REPLY tuple's source as the destination address here). However, if you have found a socket this way, I don't see why you'd need to modify the packet header. The whole idea of tproxy4 is to do a socket lookup and then pre-assign a dst entry with that socket reference so that the packet gets delivered locally to that socket.

Could you try whether applying the attached patch on top of 4.0.3 helps you with SNAT? (The patch is completely untested, but at the moment I can't do any testing.)

-- 
KOVACS Krisztian
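The user-space side of the mechanism Krisztian describes (kernel looks a socket up, then delivers the packet to it locally without rewriting the header), shown as an added example that is not from this thread and not from the tproxy4 patch: a transparent TCP proxy skeleton. The thread's tproxy4 patch keys its lookup on IP_FREEBIND sockets, as the question above says; this example uses IP_TRANSPARENT, the socket option the mainline Linux implementation (2.6.28 and later) uses instead, and the iptables/ip recipe in the header comment is the mainline one from Documentation/networking/tproxy.txt, not something from the 4.0.3 patch. The port numbers and addresses are assumptions, the byte relay between the two connections is left out, and IP_TRANSPARENT needs CAP_NET_ADMIN, so an unprivileged run fails with EPERM at the first setsockopt. The upstream socket bound to the client's own address is the part that matters for the "reply traffic" question: it is the socket the kernel's lookup finds for the server's answer on its way back.

```c
/*
 * Transparent TCP proxy skeleton (added example, not code from the thread).
 *
 * Mainline kernel-side setup this pairs with (from Documentation/networking/tproxy.txt):
 *   iptables -t mangle -N DIVERT
 *   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
 *   iptables -t mangle -A DIVERT -j MARK --set-mark 1
 *   iptables -t mangle -A DIVERT -j ACCEPT
 *   ip rule add fwmark 1 lookup 100
 *   ip route add local 0.0.0.0/0 dev lo table 100
 *   iptables -t mangle -A PREROUTING -p tcp --dport 80 \
 *            -j TPROXY --tproxy-mark 0x1/0x1 --on-port 50080
 * The TPROXY target handles the client's SYN (lookup -> listener below); the
 * "-m socket" match catches later packets of both directions, the server's
 * replies included, because the lookup finds the transparent upstream socket.
 * Port 50080 and the example addresses are assumptions.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* value from <linux/in.h>; older libc headers lack it */
#endif

/* Build an IPv4 sockaddr. Returns 0, or -1 when addr is not a dotted quad. */
int fill_sockaddr(const char *addr, uint16_t port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, addr, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Flag the socket as transparent: the TPROXY target only delivers to sockets
   carrying this flag, and the flag also lets bind() use an address that is not
   configured on any local interface. Needs CAP_NET_ADMIN. Returns 0 or -errno. */
int set_transparent(int fd)
{
    int one = 1;
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0)
        return -errno;
    return 0;
}

/* Listener that "TPROXY --on-port" diverts client SYNs to. Returns fd or -errno. */
int make_transparent_listener(uint16_t port)
{
    struct sockaddr_in sa;
    int rc, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -errno;
    if ((rc = set_transparent(fd)) < 0) { close(fd); return rc; }
    fill_sockaddr("0.0.0.0", port, &sa);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 128) < 0) {
        rc = -errno; close(fd); return rc;
    }
    return fd;
}

/* On an accepted, diverted connection the local address the kernel reports is
   the client's original destination, not port 50080: the packet reached this
   socket through the lookup and its IP header was never rewritten. */
int original_destination(int client_fd, struct sockaddr_in *dst)
{
    socklen_t len = sizeof *dst;
    return getsockname(client_fd, (struct sockaddr *)dst, &len) < 0 ? -errno : 0;
}

/* Upstream connection that spoofs the client's source address. Binding a
   transparent socket to the (non-local) client address is what gives the
   kernel's socket lookup something to find when the server's replies arrive
   with that address as destination, so they are delivered here instead of
   being forwarded on to the real client. Returns fd or -errno. */
int connect_as_client(const struct sockaddr_in *client, const struct sockaddr_in *server)
{
    int rc, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -errno;
    if ((rc = set_transparent(fd)) < 0) { close(fd); return rc; }
    struct sockaddr_in src = *client;   /* keep the client IP, let the kernel pick a port */
    src.sin_port = 0;
    if (bind(fd, (struct sockaddr *)&src, sizeof src) < 0 ||
        connect(fd, (const struct sockaddr *)server, sizeof *server) < 0) {
        rc = -errno; close(fd); return rc;
    }
    return fd;
}

int main(void)
{
    int lfd = make_transparent_listener(50080);
    if (lfd < 0) { fprintf(stderr, "listener: %s\n", strerror(-lfd)); return 1; }
    for (;;) {
        struct sockaddr_in peer, dst;
        socklen_t plen = sizeof peer;
        int cfd = accept(lfd, (struct sockaddr *)&peer, &plen);
        if (cfd < 0) continue;
        if (original_destination(cfd, &dst) == 0) {
            int ufd = connect_as_client(&peer, &dst);
            /* relay bytes between cfd and ufd here (left out of this example) */
            if (ufd >= 0) close(ufd);
        }
        close(cfd);
    }
}
```

Run it as root (or with CAP_NET_ADMIN) on a box carrying the rules from the header comment; the accept path then sees the original destination in `original_destination()` while the upstream socket is bound to the client's address, which is the socket the reply-side lookup has to find.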