TProxy 4.0: can it be applied with Squid 2.6 or 3.0?

-----Original Message-----
From: tproxy-bounces@lists.balabit.hu [mailto:tproxy-bounces@lists.balabit.hu] On Behalf Of tproxy-request@lists.balabit.hu
Sent: Tuesday, July 31, 2007 6:39 PM
To: tproxy@lists.balabit.hu
Subject: tproxy Digest, Vol 25, Issue 9

Today's Topics:

1. TProxy version 4.0.0 released (Laszlo Attila Toth)
2. Re: TProxy v4: xt_TPROXY (Jan Engelhardt)
3. Re: TProxy v4: xt_socket (Jan Engelhardt)
4. Re: TProxy v4: 2.6.23 addendum (Jan Engelhardt)
5. Re: TProxy v4: libxt_TPROXY (Jan Engelhardt)
6. Re: TProxy version 4.0.0 released (Jan Engelhardt)
7. Re: TProxy version 4.0.0 released (Balazs Scheidler)
8. Re: TProxy version 4.0.0 released (Jan Engelhardt)

----------------------------------------------------------------------

Message: 1
Date: Tue, 31 Jul 2007 12:31:35 +0200
From: Laszlo Attila Toth <panther@balabit.hu>
Subject: [tproxy] TProxy version 4.0.0 released
To: tproxy@lists.balabit.hu
Message-ID: <200707311231.35194.panther@balabit.hu>
Content-Type: text/plain; charset="utf-8"

Hi,

TProxy version 4.0.0 has been released for Linux 2.6.17 (Ubuntu 2.6.17.1-12.39) and 2.6.23-rc1

This is a completely rewritten version which no longer uses NAT.

The release tarballs are available here:
http://www.balabit.com/downloads/files/tproxy/

MD5 checksums of the tarballs:
a655fd090c06827bd6927f2b894ee178 tproxy-4.0.0-2.6.23-rc1.tgz
d7175531d67beaab48293cd86cac5d21 tproxy-4.0.0-ubuntu-2.6.17-12.39.tgz

--
Regards,
Laszlo Attila Toth

------------------------------

Message: 2
Date: Tue, 31 Jul 2007 12:37:23 +0200 (CEST)
From: Jan Engelhardt <jengelh@computergmbh.de>
Subject: Re: [tproxy] TProxy v4: xt_TPROXY
To: Laszlo Attila Toth <panther@balabit.hu>
Cc: tproxy@lists.balabit.hu
Message-ID: <Pine.LNX.4.64.0707311235000.22515@fbirervta.pbzchgretzou.qr>
Content-Type: TEXT/PLAIN; charset=US-ASCII

Looks like I should join in my modifications.

===
iptables TPROXY target

From: KOVACS Krisztian <hidden@balabit.hu>

The TPROXY target implements redirection of non-local TCP/UDP traffic to local sockets. It is simply a wrapper around functionality exported from iptable_tproxy.

Signed-off-by: KOVACS Krisztian <hidden@balabit.hu>

Changed to xt_TPROXY. -Jan Engelhardt <jengelh@gmx.de>

--- include/linux/netfilter/xt_TPROXY.h | 9 ++++ net/ipv4/netfilter/Kconfig | 11 +++++ net/netfilter/Makefile | 1 net/netfilter/xt_TPROXY.c | 76 ++++++++++++++++++++++++++++++++++++ 4 files changed, 97 insertions(+) Index: linux-2.6.22.1/include/linux/netfilter/xt_TPROXY.h =================================================================== --- /dev/null +++ linux-2.6.22.1/include/linux/netfilter/xt_TPROXY.h
@@ -0,0 +1,9 @@ +#ifndef _XT_TPROXY_H +#define _XT_TPROXY_H + +struct xt_tproxy_info { + u_int32_t laddr; + u_int16_t lport; +}; + +#endif /* _XT_TPROXY_H */ Index: linux-2.6.22.1/net/ipv4/netfilter/Kconfig =================================================================== --- linux-2.6.22.1.orig/net/ipv4/netfilter/Kconfig +++ linux-2.6.22.1/net/ipv4/netfilter/Kconfig @@ -403,6 +403,17 @@ config IP_NF_TPROXY_TABLE To compile it as a module, choose M here. If unsure, say `N'. +config NETFILTER_XT_TARGET_TPROXY + tristate "TPROXY target support" + depends on IP_NF_TPROXY_TABLE + help + This option adds a `TPROXY' target, which is somewhat similar to + REDIRECT. It can only be used in the tproxy table and is useful + to redirect traffic to a transparent proxy. It does _not_ depend + on Netfilter connection tracking. + + To compile it as a module, choose M here. If unsure, say N. + # ARP tables config IP_NF_ARPTABLES tristate "ARP tables support" Index: linux-2.6.22.1/net/netfilter/Makefile =================================================================== --- linux-2.6.22.1.orig/net/netfilter/Makefile +++ linux-2.6.22.1/net/netfilter/Makefile @@ -50,6 +50,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o obj-$(CONFIG_NETFILTER_XT_TARGET_TARPIT) += xt_TARPIT.o obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o +obj-$(CONFIG_NETFILTER_XT_TARGET_TPROXY) += xt_TPROXY.o obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o # matches Index: linux-2.6.22.1/net/netfilter/xt_TPROXY.c =================================================================== --- /dev/null +++ linux-2.6.22.1/net/netfilter/xt_TPROXY.c 
@@ -0,0 +1,76 @@ +/* + * Transparent proxy support for Linux/iptables + * + * Copyright (c) 2006-2007 BalaBit IT Ltd. + * Author: Balazs Scheidler, Krisztian Kovacs + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + */ +#include <linux/ip.h> +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/skbuff.h> +#include <linux/netfilter_ipv4/ip_tables.h> +#include <linux/netfilter_ipv4/ip_tproxy.h> +#include <linux/netfilter/xt_TPROXY.h> +#include <net/checksum.h> +#include <net/inet_sock.h> +#include <net/udp.h> + +static unsigned int +tproxy_target(struct sk_buff **pskb, const struct net_device *in, + const struct net_device *out, unsigned int hooknum, + const struct xt_target *target, const void *targinfo) +{ + const struct xt_tproxy_info *tgi = targinfo; + const struct iphdr *iph = ip_hdr(*pskb); + struct sk_buff *skb = *pskb; + struct udphdr _hdr, *hp; + + /* TCP/UDP only */ + if (iph->protocol != IPPROTO_TCP && iph->protocol != IPPROTO_UDP) + return NF_ACCEPT; + + hp = skb_header_pointer(*pskb, iph->ihl * 4, sizeof(_hdr), &_hdr); + if (hp == NULL) + return NF_DROP; + + skb->nf_tproxy.redirect_address = tgi->laddr ? : iph->daddr; + skb->nf_tproxy.redirect_port = tgi->lport ? 
: hp->dest; + + pr_debug(KERN_DEBUG "redirecting: proto %d %08x:%d -> %08x:%d\n", + iph->protocol, ntohl(iph->daddr), ntohs(hp->dest), + ntohl(skb->nf_tproxy.redirect_address), + ntohs(skb->nf_tproxy.redirect_port)); + + return NF_ACCEPT; +} + +static struct xt_target xt_tproxy_reg __read_mostly = { + .name = "TPROXY", + .family = AF_INET, + .table = "tproxy", + .target = tproxy_target, + .targetsize = sizeof(struct xt_tproxy_info), + .me = THIS_MODULE, +}; + +static int __init xt_tproxy_init(void) +{ + return xt_register_target(&xt_tproxy_reg); +} + +static void __exit xt_tproxy_exit(void) +{ + xt_unregister_target(&xt_tproxy_reg); +} + +module_init(xt_tproxy_init); +module_exit(xt_tproxy_exit); +MODULE_AUTHOR("Krisztian Kovacs <hidden@balabit.hu>"); +MODULE_DESCRIPTION("Netfilter transparent proxy TPROXY target module"); +MODULE_LICENSE("GPL"); +MODULE_ALIAS("ipt_TPROXY");

------------------------------

Message: 3
Date: Tue, 31 Jul 2007 12:38:00 +0200 (CEST)
From: Jan Engelhardt <jengelh@computergmbh.de>
Subject: Re: [tproxy] TProxy v4: xt_socket
To: Laszlo Attila Toth <panther@balabit.hu>
Cc: TProxy Mailing List <tproxy@lists.balabit.hu>
Message-ID: <Pine.LNX.4.64.0707311237400.22515@fbirervta.pbzchgretzou.qr>
Content-Type: TEXT/PLAIN; charset=US-ASCII

iptables socket match

From: KOVACS Krisztian <hidden@balabit.hu>

Add iptables 'socket' match, which matches packets for which a TCP/UDP socket lookup succeeds.

Signed-off-by: KOVACS Krisztian <hidden@balabit.hu>

Changed to xt_socket. -Jan Engelhardt <jengelh@gmx.de>

--- net/ipv4/netfilter/Kconfig | 10 +++++ net/netfilter/Makefile | 1 net/netfilter/xt_socket.c | 80 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 91 insertions(+) Index: linux-2.6.22.1/net/ipv4/netfilter/Kconfig =================================================================== --- linux-2.6.22.1.orig/net/ipv4/netfilter/Kconfig +++ linux-2.6.22.1/net/ipv4/netfilter/Kconfig
@@ -414,6 +414,16 @@ config NETFILTER_XT_TARGET_TPROXY To compile it as a module, choose M here. If unsure, say N. +config NETFILTER_XT_MATCH_SOCKET + tristate "socket match support" + depends on IP_NF_TPROXY_TABLE + help + This option adds a `socket' match, which can be used to match + packets for which a TCP or UDP socket lookup finds a valid socket. + It can only be used in the tproxy table. + + To compile it as a module, choose M here. If unsure, say N. + # ARP tables config IP_NF_ARPTABLES tristate "ARP tables support" Index: linux-2.6.22.1/net/netfilter/Makefile =================================================================== --- linux-2.6.22.1.orig/net/netfilter/Makefile +++ linux-2.6.22.1/net/netfilter/Makefile @@ -76,6 +76,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o +obj-$(CONFIG_NETFILTER_XT_MATCH_SOCKET) += xt_socket.o obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) += xt_statistic.o obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o Index: linux-2.6.22.1/net/netfilter/xt_socket.c =================================================================== --- /dev/null +++ linux-2.6.22.1/net/netfilter/xt_socket.c 
@@ -0,0 +1,80 @@ +/* + * Transparent proxy support for Linux/iptables + * + * Copyright (c) 2007 BalaBit IT Ltd. + * Author: Krisztian Kovacs + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + */ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/skbuff.h> +#include <linux/netfilter/x_tables.h> +#include <linux/netfilter_ipv4/ip_tproxy.h> +#include <net/inet_sock.h> +#include <net/sock.h> +#include <net/tcp.h> +#include <net/udp.h> + +static int +socket_match(const struct sk_buff *skb, const struct net_device *in, + const struct net_device *out, const struct xt_match *match, + const void *matchinfo, int offset, unsigned int protoff, + int *hotdrop) +{ + const struct iphdr *iph = ip_hdr(skb); + struct udphdr _hdr, *hp; + struct sock *sk; + + /* TCP/UDP only */ + if (iph->protocol != IPPROTO_TCP && iph->protocol != IPPROTO_UDP) + return false; + + hp = skb_header_pointer(skb, iph->ihl * 4, sizeof(_hdr), &_hdr); + if (hp == NULL) + return false; + + sk = ip_tproxy_get_sock(iph->protocol, iph->saddr, iph->daddr, + hp->source, hp->dest, in); + if (sk != NULL) { + if (iph->protocol == IPPROTO_TCP && + sk->sk_state == TCP_TIME_WAIT) + inet_twsk_put(inet_twsk(sk)); + else + sock_put(sk); + } + + pr_debug(KERN_DEBUG "socket match: proto %d %08x:%d -> %08x:%d sock %p\n", + iph->protocol, ntohl(iph->saddr), ntohs(hp->source), + ntohl(iph->daddr), ntohs(hp->dest), sk); + + return sk != NULL; +} + +static struct xt_match socket_reg __read_mostly = { + .name = "socket", + .family = AF_INET, + .table = "tproxy", + .match = socket_match, + .me = THIS_MODULE, +}; + +static int __init xt_socket_init(void) +{ + return xt_register_match(&socket_reg); +} + +static void __exit xt_socket_fini(void) +{ + xt_unregister_match(&socket_reg); +} + +module_init(xt_socket_init); +module_exit(xt_socket_fini); 
+MODULE_AUTHOR("Krisztian Kovacs <hidden@balabit.hu>"); +MODULE_DESCRIPTION("netfilter socket match module"); +MODULE_LICENSE("GPL"); +MODULE_ALIAS("ipt_socket");

------------------------------

Message: 4
Date: Tue, 31 Jul 2007 12:39:04 +0200 (CEST)
From: Jan Engelhardt <jengelh@computergmbh.de>
Subject: Re: [tproxy] TProxy v4: 2.6.23 addendum
To: Laszlo Attila Toth <panther@balabit.hu>
Cc: TProxy Mailing List <tproxy@lists.balabit.hu>
Message-ID: <Pine.LNX.4.64.0707311238170.22515@fbirervta.pbzchgretzou.qr>
Content-Type: TEXT/PLAIN; charset=US-ASCII

Previous two were for 2.6.22, if using nf-dev, the following extra is needed.

--- net/netfilter/xt_socket.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Index: linux-2.6.22.1/net/netfilter/xt_socket.c =================================================================== --- linux-2.6.22.1.orig/net/netfilter/xt_socket.c +++ linux-2.6.22.1/net/netfilter/xt_socket.c @@ -19,11 +19,11 @@ #include <net/tcp.h> #include <net/udp.h> -static int +static bool socket_match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const struct xt_match *match, const void *matchinfo, int offset, unsigned int protoff, - int *hotdrop) + bool *hotdrop) { const struct iphdr *iph = ip_hdr(skb); struct udphdr _hdr, *hp;

------------------------------

Message: 5
Date: Tue, 31 Jul 2007 12:40:18 +0200 (CEST)
From: Jan Engelhardt <jengelh@computergmbh.de>
Subject: Re: [tproxy] TProxy v4: libxt_TPROXY
To: Laszlo Attila Toth <panther@balabit.hu>
Cc: TProxy Mailing List <tproxy@lists.balabit.hu>
Message-ID: <Pine.LNX.4.64.0707311239130.22515@fbirervta.pbzchgretzou.qr>
Content-Type: TEXT/PLAIN; charset=US-ASCII

Applies on top of iptables-svn6974.

--- extensions/.tproxy-testx | 3 + extensions/libxt_TPROXY.c | 114 ++++++++++++++++++++++++++++++++++++++++++++++ extensions/libxt_socket.c | 49 +++++++++++++++++++ 3 files changed, 166 insertions(+) Index: iptables/extensions/.tproxy-testx =================================================================== --- /dev/null +++ iptables/extensions/.tproxy-testx @@ -0,0 +1,3 @@ +#!/bin/sh +[ -f "$KERNEL_DIR/include/linux/netfilter/xt_TPROXY.h" ] && echo TPROXY; +echo socket; Index: iptables/extensions/libxt_TPROXY.c =================================================================== --- /dev/null +++ iptables/extensions/libxt_TPROXY.c
@@ -0,0 +1,114 @@ +/* Shared library add-on to iptables to add TPROXY target support. + * + * Copyright (C) 2002-2007 BalaBit IT Ltd. + */ +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <getopt.h> + +#include <iptables.h> +#include <xtables.h> +#include <linux/netfilter_ipv4/ip_tables.h> +#include <linux/netfilter/xt_TPROXY.h> + +static const struct option tproxy_opts[] = { + {"on-port", 1, NULL, '1'}, + {"on-ip", 1, NULL, '2'}, + {NULL}, +}; + +static void tproxy_help(void) +{ + printf( +"TPROXY target v%s options:\n" +" --on-port port Redirect connection to port, or the original port if 0\n" +" --on-ip ip Optionally redirect to the given IP\n", +IPTABLES_VERSION); +} + +static void parse_tproxy_lport(const char *s, struct xt_tproxy_info *info) +{ + unsigned int lport; + + if (string_to_number(s, 0, 65535, &lport) != -1) + info->lport = htons(lport); + else + exit_error(PARAMETER_PROBLEM, "bad --on-proxy `%s'", s); +} + +static void parse_tproxy_laddr(const char *s, struct xt_tproxy_info *info) +{ + struct in_addr *laddr; + + if ((laddr = dotted_to_addr(s)) == NULL) + exit_error(PARAMETER_PROBLEM, "bad --on-ip `%s'", s); + info->laddr = laddr->s_addr; +} + +static int tproxy_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_target **target) +{ + struct xt_tproxy_info *tproxyinfo = (void *)(*target)->data; + + switch (c) { + case '1': + if (*flags != 0) + exit_error(PARAMETER_PROBLEM, + "TPROXY target: Can't specify --to-port twice"); + parse_tproxy_lport(optarg, tproxyinfo); + *flags = 1; + break; + case '2': + parse_tproxy_laddr(optarg, tproxyinfo); + break; + default: + return 0; + } + + return 1; +} + +static void tproxy_check(unsigned int flags) +{ + if (flags == 0) + exit_error(PARAMETER_PROBLEM, + "TPROXY target: Parameter --on-port is required"); +} + +static void tproxy_print(const void *ip, const struct xt_entry_target *target, + int numeric) +{ + const struct xt_tproxy_info 
*tproxyinfo = (const void *)target->data; + printf("TPROXY redirect %s:%d", + addr_to_dotted((const struct in_addr *)&tproxyinfo->laddr), + ntohs(tproxyinfo->lport)); +} + +static void tproxy_save(const void *ip, const struct xt_entry_target *target) +{ + const struct xt_tproxy_info *tproxyinfo = (const void *)target->data; + + printf("--on-port %d ", ntohs(tproxyinfo->lport)); + printf("--on-ip %s ", + addr_to_dotted((const struct in_addr *)&tproxyinfo->laddr)); +} + +static struct xtables_target tproxy_reg = { + .name = "TPROXY", + .family = AF_INET, + .version = IPTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_tproxy_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_info)), + .help = tproxy_help, + .parse = tproxy_parse, + .final_check = tproxy_check, + .print = tproxy_print, + .save = tproxy_save, + .extra_opts = tproxy_opts, +}; + +void _init(void) +{ + xtables_register_target(&tproxy_reg); +} Index: iptables/extensions/libxt_socket.c =================================================================== --- /dev/null +++ iptables/extensions/libxt_socket.c 
@@ -0,0 +1,49 @@ +/* Shared library add-on to iptables to add early socket matching support. */ +#include <stdio.h> +#include <getopt.h> +#include <xtables.h> + +static void socket_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + printf("socket "); +} + +static int socket_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, unsigned int *nfcache, + struct xt_entry_match **match) +{ + return 0; +} + +static void socket_check(unsigned int flags) +{ +} + +static struct xtables_match socket_reg = { + .name = "socket", + .family = AF_INET, + .version = IPTABLES_VERSION, + .size = XT_ALIGN(0), + .userspacesize = XT_ALIGN(0), + .parse = socket_parse, + .final_check = socket_check, + .print = socket_print, +}; + +static struct xtables_match socket_reg6 = { + .name = "socket", + .family = AF_INET6, + .version = IPTABLES_VERSION, + .size = XT_ALIGN(0), + .userspacesize = XT_ALIGN(0), + .parse = socket_parse, + .final_check = socket_check, + .print = socket_print, +}; + +void _init(void) +{ + xtables_register_match(&socket_reg); + xtables_register_match(&socket_reg6); +}

------------------------------

Message: 6
Date: Tue, 31 Jul 2007 12:45:15 +0200 (CEST)
From: Jan Engelhardt <jengelh@computergmbh.de>
Subject: Re: [tproxy] TProxy version 4.0.0 released
To: Laszlo Attila Toth <panther@balabit.hu>
Cc: tproxy@lists.balabit.hu
Message-ID: <Pine.LNX.4.64.0707311243440.22515@fbirervta.pbzchgretzou.qr>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Jul 31 2007 12:31, Laszlo Attila Toth wrote:
> MD5 checksums of the tarballs:
> a655fd090c06827bd6927f2b894ee178 tproxy-4.0.0-2.6.23-rc1.tgz
> d7175531d67beaab48293cd86cac5d21 tproxy-4.0.0-ubuntu-2.6.17-12.39.tgz
That can not compile, because there are still a lot of merge markers.

@@ -1950,7 +2065,14 @@ int ip_route_input(struct sk_buff *skb, __be32 daddr, rth->fl.fl4_src == saddr && rth->fl.iif == iif && rth->fl.oif == 0 && +<<<<<<< HEAD:net/ipv4/route.c rth->fl.mark == skb->mark && +======= +#ifdef CONFIG_IP_ROUTE_FWMARK + rth->fl.fl4_fwmark == skb->nfmark && +#endif + !(rth->u.dst.flags & DST_DIVERTED) && +>>>>>>> 2bc8cb4... initial import of tproxy4 (2007-07-30):net/ipv4/route.c rth->fl.fl4_tos == tos) { rth->u.dst.lastuse = jiffies; dst_hold(&rth->u.dst);

Jan
--

------------------------------

Message: 7
Date: Tue, 31 Jul 2007 13:13:28 +0200
From: Balazs Scheidler <bazsi@balabit.hu>
Subject: Re: [tproxy] TProxy version 4.0.0 released
To: Jan Engelhardt <jengelh@computergmbh.de>
Cc: tproxy@lists.balabit.hu
Message-ID: <1185880408.6998.69.camel@bzorp.balabit>
Content-Type: text/plain

On Tue, 2007-07-31 at 12:45 +0200, Jan Engelhardt wrote:
> On Jul 31 2007 12:31, Laszlo Attila Toth wrote:
> > MD5 checksums of the tarballs:
> > a655fd090c06827bd6927f2b894ee178 tproxy-4.0.0-2.6.23-rc1.tgz
> > d7175531d67beaab48293cd86cac5d21 tproxy-4.0.0-ubuntu-2.6.17-12.39.tgz
>
> That can not compile, because there are still a lot of merge markers.
@@ -1950,7 +2065,14 @@ int ip_route_input(struct sk_buff *skb, __be32 daddr, rth->fl.fl4_src == saddr && rth->fl.iif == iif && rth->fl.oif == 0 && +<<<<<<< HEAD:net/ipv4/route.c rth->fl.mark == skb->mark && +======= +#ifdef CONFIG_IP_ROUTE_FWMARK + rth->fl.fl4_fwmark == skb->nfmark && +#endif + !(rth->u.dst.flags & DST_DIVERTED) && +>>>>>>> 2bc8cb4... initial import of tproxy4 (2007-07-30):net/ipv4/route.c rth->fl.fl4_tos == tos) { rth->u.dst.lastuse = jiffies; dst_hold(&rth->u.dst);
Looks like we did not resolve all conflicts when forward-porting to 2.6.23.

The version on top of Ubuntu 2.6.17-12.39 was the one that has been tested, but we thought that we should release to a more current version as well.

So in summary, the 2.6.17 based patch should be considered 'reasonably' stable, the other is completely untested.

By the way, let me introduce Panther, he is going to be the new tproxy maintainer.

As an additional item of interest, we've also published an experimental git tree to

http://people.balabit.hu/panther/tproxy4.git/

--
Bazsi

------------------------------

Message: 8
Date: Tue, 31 Jul 2007 13:38:38 +0200 (CEST)
From: Jan Engelhardt <jengelh@computergmbh.de>
Subject: Re: [tproxy] TProxy version 4.0.0 released
To: Balazs Scheidler <bazsi@balabit.hu>
Cc: tproxy@lists.balabit.hu
Message-ID: <Pine.LNX.4.64.0707311336340.22515@fbirervta.pbzchgretzou.qr>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Jul 31 2007 13:13, Balazs Scheidler wrote:
> Looks like we did not resolve all conflicts when forward-porting to 2.6.23.
> The version on top of Ubuntu 2.6.17-12.39 was the one that has been tested, but we thought that we should release to a more current version as well.
> So in summary, the 2.6.17 based patch should be considered 'reasonably' stable, the other is completely untested.
Is there a 'socket' match at all in balabit's tree? As far as I understand, I need xt_socket because otherwise, traffic to [foreign address on local socket] is forwarded to the real host.
> By the way, let me introduce Panther, he is going to be the new tproxy maintainer.
> As an additional item of interest, we've also published an experimental git tree to http://people.balabit.hu/panther/tproxy4.git/
403. Not a good day, today, is it? :)

Jan
--
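
Review bot: tproxy_target() in net/netfilter/xt_TPROXY.c (Message 2) reads the ports at iph->ihl * 4 without checking the fragment offset, so for a non-first fragment hp->dest is payload data, and when lport is 0 that value becomes skb->nf_tproxy.redirect_port. Suggest returning NF_ACCEPT before the skb_header_pointer() call when iph->frag_off & htons(IP_OFFSET) is non-zero. Two smaller points: laddr and lport in struct xt_tproxy_info are kept in network byte order (userspace stores htons(lport) and the target prints them through ntohl()/ntohs()), so declaring them __be32/__be16 would make that explicit, and pr_debug() already logs at KERN_DEBUG, so the KERN_DEBUG in its format argument should be dropped.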
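
Review bot: socket_match() in net/netfilter/xt_socket.c (Message 3) never looks at its offset argument and computes the header position from iph->ihl * 4 instead of protoff, so a non-first fragment is handed to ip_tproxy_get_sock() with payload bytes as hp->source and hp->dest. Suggest an early `if (offset) return 0;` ahead of skb_header_pointer() and passing protoff as the offset. The function is declared static int but returns false and sk != NULL; the 2.6.23 addendum in Message 4 changes the type to bool, so the 2.6.22 version should return 0 and 1 to match its signature. The KERN_DEBUG inside pr_debug() is redundant here as well.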
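
Review bot: The error strings in extensions/libxt_TPROXY.c (Message 5) name options that tproxy_opts does not define: parse_tproxy_lport() prints "bad --on-proxy" and case '1' in tproxy_parse() prints "Can't specify --to-port twice", while the only options are --on-port and --on-ip. Both messages should say --on-port. case '2' has no duplicate check, so --on-ip can be given repeatedly and the last value silently wins; a second flag bit would let it be rejected the same way as a repeated --on-port.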
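
Review bot: extensions/libxt_socket.c (Message 5) registers socket_reg6 for AF_INET6, but the kernel match in net/netfilter/xt_socket.c (Message 3) registers only .family = AF_INET and parses the packet with ip_hdr(), so userspace offers an IPv6 match that the kernel side in this series does not provide. Suggest dropping socket_reg6 until an IPv6 kernel match exists. socket_reg also sets no .help callback, unlike tproxy_reg in libxt_TPROXY.c.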