On Thu, 2008-10-23 at 10:24 +0800, Dong Wei wrote:
> Hi,
>
> 2008/10/23 NTPT <NTPT@seznam.cz>:
> > I think there is no need to track connections from the client to the TPROXY server.
> > And what about moving the -m socket match and other stuff to the raw conntrack table and then using a -j NOTRACK target to selectively not conntrack connections from the client to the tproxy server, while other connections, including those from the tproxy server to the world, will still be conntracked?
> > Please excuse my wrong English.
>
> I think it's hard for us to check whether a TCP packet belongs to a tproxy socket. When we receive a SYN from the client, we can't make sure this packet belongs to a tproxy socket before the packet travels to the TPROXY target in the mangle table PREROUTING chain. Here is a sample:
>
>   iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
>       --tproxy-mark 0x1/0x1 --on-port 50080
>
> When the TPROXY target handles the SYN packet and finds the dport is 80, it will look up the tproxy socket listening on 50080. But in the raw table we don't know which listening port we should take when we find that the SYN packet's dport is 80.
>
> I think maybe we need to write a match like TPROXY, so that all the matched packets do NOTRACK.
Well, tproxy could be made to work in the raw table as well; technically there are no differences between mangle and raw, apart from their netfilter priorities. But also, I think it is quite easy to add a rule to raw/OUTPUT which applies NOTRACK on all tproxied connections, something like:

  iptables -t raw -A OUTPUT -m addrtype ! --src-type LOCAL -j NOTRACK

The only question is how to match the reverse direction, but you probably could match that by interface or something.

--
Bazsi
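The rule set the thread converges on, written out as one script, as an added example that is not part of any of the mails above and not code from the tproxy project. It keeps the values from the thread (port 80 intercepted, proxy listening on 50080, mark 0x1/0x1) and Bazsi's raw/OUTPUT addrtype rule, and pairs it with a raw/PREROUTING NOTRACK rule matched by interface for the client-to-proxy leg, which is the "reverse direction" he leaves open. The client-facing interface name (eth0), the routing table number (100), the DIVERT chain name and the -o restriction on the OUTPUT rule are assumptions of this example; the fwmark policy routing and the -m socket DIVERT pattern are the standard TPROXY setup from the kernel documentation. Setting IPT=echo prints the rules instead of applying them, so the set can be reviewed on a box without root.

```shell
#!/bin/sh
# Added example: TPROXY interception with selective NOTRACK on the client leg
# only, so connections the proxy opens to the world stay conntracked.
# Not from the original thread; interface, table number and chain name are
# assumptions, the ports and mark value are the ones quoted in the thread.
IPT=${IPT:-iptables}          # IPT=echo to print the rules instead of applying them
IP=${IP:-ip}
CLIENT_IF=${CLIENT_IF:-eth0}  # assumed: the interface the clients sit behind
PROXY_PORT=${PROXY_PORT:-50080}
MARK=0x1

tproxy_routing() {
    # Marked packets must be delivered locally although their destination
    # address is not ours: standard TPROXY policy routing.
    $IP rule add fwmark $MARK lookup 100
    $IP route add local 0.0.0.0/0 dev lo table 100
}

tproxy_mangle_rules() {
    # Established tproxied flows: -m socket finds the transparent socket,
    # so only mark and accept (the DIVERT pattern from the kernel docs).
    $IPT -t mangle -N DIVERT
    $IPT -t mangle -A DIVERT -j MARK --set-mark $MARK
    $IPT -t mangle -A DIVERT -j ACCEPT
    $IPT -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    # New flows: the rule from the thread, redirecting port 80 to the proxy.
    $IPT -t mangle -A PREROUTING -i $CLIENT_IF -p tcp --dport 80 -j TPROXY \
        --tproxy-mark $MARK/$MARK --on-port $PROXY_PORT
}

tproxy_raw_rules() {
    # Client -> proxy leg: raw runs before conntrack, and we cannot know the
    # socket yet (Dong Wei's point), but the interface plus the port the
    # TPROXY rule intercepts identifies the leg well enough.
    $IPT -t raw -A PREROUTING -i $CLIENT_IF -p tcp --dport 80 -j NOTRACK
    # Proxy -> client leg (Bazsi's rule): replies leave a local socket but
    # carry the real server's address as source, so they are locally
    # generated yet not LOCAL. The -o restriction (assumed) keeps a proxy
    # that also spoofs the client address upstream conntracked on that side.
    $IPT -t raw -A OUTPUT -o $CLIENT_IF -m addrtype ! --src-type LOCAL -j NOTRACK
}

# Review helper: number of NOTRACK rules the set emits, one per direction
# of the tproxied leg. Runs the raw-table function in echo mode only.
count_notrack_rules() {
    ( IPT=echo; tproxy_raw_rules ) | grep -c -- '-j NOTRACK'
}

# Apply only when explicitly asked, so sourcing the file is side-effect free.
if [ "${TPROXY_APPLY:-0}" = 1 ]; then
    tproxy_routing
    tproxy_mangle_rules
    tproxy_raw_rules
fi
```

Run with `TPROXY_APPLY=1 sh tproxy.sh` as root to load the rules, or `IPT=echo sh -c '. ./tproxy.sh; tproxy_raw_rules'` to just print the raw-table part. The split between the two raw rules is the point: the PREROUTING rule needs no socket knowledge because it keys on the same interface and port the TPROXY rule will intercept, and the OUTPUT rule needs none because a tproxied reply is the only locally generated packet on the client interface whose source address is not local.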