tproxy 4.1.0 on kernel 2.6.24 is not working and I haven't tested any other kernel version :- Issues ====== 1. Failed to compile. I fixed the compilation problem by taking two of the patches from 2.6.25 and apply them onto 2.6.24, namely netfilter_ip_route_me_harder patch and inet_sock_and_route_dependency.patch. 2. socket in IP_TRANSPARENT mode failed to received return packets both in bridge mode and nat mode. According to the docs, I have executed this script :- iptables -t mangle -F iptables -t mangle -N DIVERT iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \ --tproxy-mark 0x1/0x1 -on-port 3128 iptables -t mangle -A DIVERT -j MARK --set-mark 1 iptables -t mangle -A DIVERT -j ACCEPT They were executed without any error. 3. In the bridge mode case, when I execute a simple 'ip spoofing' program ( which I posted here previously, but I changed IP_FREEBIND to IP_TRANSPARENT ), there packets appearing in the DIVERT target and the TPROXY target, but they are delivered to the machined which IP has been spoofed ( by right they are supposed to be delivered locally to the spoofing program ). 4. In the nat mode, packets leaving the interface SNAT-ed and so there are reply packets however the local socket program is not receiving either. Packets do not hit the DIVERT and TPROXY targets at all, ie the iptables counter return 0 bytes. 5. When I execute ebtables commands on the br0 interface, there will be kernel panic. Example of the commands which can cause panic :- ebtables -t broute -A BROUTING --logical-in br0 -p ipv4 --ip-protocol tcp \ --ip-destination-port 80 -j redirect --redirect-target ACCEPT Regards. -------------------------------------------- Important Warning! *************************** This electronic communication (including any attached files) may contain confidential and/or legally privileged information and is only intended for the use of the person to whom it is addressed. If you are not the intended recipient, you do not have permission to read, use, disseminate, distribute, copy or retain any part of this communication or its attachments in any form. If this e-mail was sent to you by mistake, please take the time to notify the sender so that they can identify the problem and avoid any more mistakes in sending e-mail to you. The unauthorised use of information contained in this communication or its attachments may result in legal action against any person who uses it.