I think CONNTRACK is not so much of a burden in modern times on fast machines with plenty of RAM. And maybe using connection tracking wisely in your example can remove some burden from the machine. AFAIK, all traffic must come through the "-m socket" match, which checks whether the packet belongs to a listening transparent socket on the machine (if so, then mark it and route it to the local interface). So each incoming packet must be checked against the list of all opened transparent sockets. Using conntrack may help reduce overhead. Maybe like this:

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark   # copy connection mark to packet
iptables -t mangle -A PREROUTING -m mark --mark 0x1/0xffffffff -j ACCEPT   # already marked packets accept, unmarked go on to further processing
iptables -t mangle -A PREROUTING -m state --state NEW -j DIVERT   # only NEW connections to divert
iptables -t mangle -A DIVERT -p tcp -m socket -j MARK --set-xmark 0x1/0xffffffff
iptables -t mangle -A DIVERT -j CONNMARK --save-mark   # save mark on the connection for which we have a transparent socket
iptables -t mangle -A DIVERT -j ACCEPT

In this, new connections are checked against -m socket and marked, the mark is saved to the whole connection and future packets for that connection are marked directly by CONNTRACK, so matching all traffic against the list of open transparent sockets is not needed... So on busy boxes with high TCP load and a lot of opened transparent sockets it MAY save a lot of CPU cycles. Or am I missing a point somewhere?

NTPT
------------ Original message ------------
From: KOVACS Krisztian <hidden@sch.bme.hu>
Subject: Re: [tproxy] Merging tproxy patch to standard kernel ?
Date: 23.7.2008 14:40:18
----------------------------------------

Hi,

On Mon, Jul 21, 2008 at 04:49:43 +0200, NTPT wrote:
Redirecting ICMP related traffic - I am not a kernel / netfilter hacker, but what about extending netfilter CONNMARK for that purpose?
Addition of a --restore-mark-related option to the CONNMARK target, which copies the connmark from the master connection to related traffic, will probably do this job.
So then it could look like this?

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
iptables -t mangle -A DIVERT -j CONNMARK --save-mark   # save mark on connection
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p icmp -j CONNMARK --restore-mark-related   # copy connmark from master connection to its related traffic (the proposed option)
# now related ICMP traffic is marked too and can be directed by routing code
Yes, you're right but this requires connection tracking -- while we would like to be able to use tproxy without conntrack.
But I like the idea... ;)
-- 
KOVACS Krisztian

_______________________________________________
tproxy mailing list
tproxy@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/tproxy
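As an added illustration (not code from the thread, and not a real iptables run), the following Python model pushes constructed sample traffic through both PREROUTING variants discussed above: the plain "-m socket" match on every packet, and the CONNMARK restore / NEW / save version. It counts how many transparent-socket lookups each variant needs; the socket table, flows and addresses are constructed assumptions.

```python
# Added example: a model of the two mangle/PREROUTING variants from the
# thread, counting how often the "-m socket" table scan actually runs.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "icmp"
    flow: tuple  # (src, sport, dst, dport) identifies the connection

@dataclass
class Box:
    tsockets: set                # listening transparent sockets as (dst, dport)
    conntrack: dict = field(default_factory=dict)  # flow -> saved connmark
    socket_lookups: int = 0

    def socket_match(self, pkt):
        """Model of '-m socket': one scan of the transparent-socket table."""
        self.socket_lookups += 1
        return pkt.proto == "tcp" and pkt.flow[2:] in self.tsockets

    def prerouting_no_conntrack(self, pkt):
        # -A PREROUTING -p tcp -m socket -j MARK: every packet is looked up
        return 1 if self.socket_match(pkt) else 0

    def prerouting_with_conntrack(self, pkt):
        # -j CONNMARK --restore-mark
        mark = self.conntrack.get(pkt.flow, 0)
        # -m mark --mark 0x1/0xffffffff -j ACCEPT
        if mark & 1:
            return mark
        # -m state --state NEW -j DIVERT (NEW: flow not yet in conntrack)
        if pkt.flow in self.conntrack:
            return mark
        # DIVERT: -p tcp -m socket -j MARK; -j CONNMARK --save-mark; -j ACCEPT
        mark = 1 if self.socket_match(pkt) else 0
        self.conntrack[pkt.flow] = mark
        return mark

def run(packets, tsockets, with_conntrack):
    """Push packets through one variant; return (marks, socket lookups)."""
    box = Box(tsockets=set(tsockets))
    chain = box.prerouting_with_conntrack if with_conntrack else box.prerouting_no_conntrack
    return [chain(p) for p in packets], box.socket_lookups

# Constructed sample: two TCP flows of five packets each; only the first
# flow targets a (constructed) transparent socket on 10.0.0.1:80.
TSOCKETS = {("10.0.0.1", 80)}
SAMPLE = [Packet("tcp", ("198.51.100.7", 40001, "10.0.0.1", 80))] * 5 \
       + [Packet("tcp", ("198.51.100.8", 40002, "10.0.0.2", 443))] * 5
```

Both variants produce the same per-packet marks; the conntrack version does one socket lookup per connection instead of one per packet, which is the saving argued for above.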