Laszlo Attila Toth wrote:
AFAIK the older version is for 2.6.23 (in October), the newer for net-2.6 (originally net-2.6.25); 2.6.24 is not explicitly supported.
Understand.
You may have missed setting up the routing:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
It is required for tproxy.
Noted. The new FWMARK setup requirement is a little confusing to me at this moment. I will probably ask this in a separate post.
3. In the bridge mode case, when I execute a simple 'ip spoofing' program (which I posted here previously, but I changed IP_FREEBIND to IP_TRANSPARENT), there are packets appearing in the DIVERT target and the TPROXY target, but they are delivered to the machine whose IP has been spoofed (by right they are supposed to be delivered locally to the spoofing program).
Does this occur when you use advanced routing?
I have identified the reason for this failing to work. Basically it failed to work earlier because:
1) I did not set up the route as mentioned above.
2) Again, tproxy over a bridge device has the same old problem that it requires special tricks (mentioned a few times here on this list) to get it right.
So the latest information is that tproxy 4.1.0 works in bridge mode (subject to one having a fix/workaround for the bridge problem, which is needed for tproxy 4.0.x as well).
We know this issue, we are going to fix this as soon as we find a good solution.
Noted.
5. When I execute ebtables commands on the br0 interface, there will be kernel panic.
I'm afraid I'm not familiar with ebtables.
I will verify whether the system panics if I don't apply the tproxy patch. The reason 'ebtables' is brought into the picture is to fix/workaround the bridge problem mentioned above. I used that for tproxy 4.0.x. Regards.
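The fwmark routing that the reply above says is required for tproxy, written out as a small shell setup script. This is an added example and not code from either poster or from the tproxy project: the mark (1), table number (100), listening port (8080) and destination port (80) are assumed values, and the mangle-table TPROXY rule is added here as the usual companion of the two routing commands even though the message itself shows only the `ip rule` and `ip route` lines. The point of the policy route is that the TPROXY target marks a packet whose destination is not a local address; the `fwmark` rule sends it to a table where every destination is declared `local`, so the stack delivers it to the IP_TRANSPARENT socket instead of forwarding it to the real (spoofed) host, which is the symptom described in point 3. With `DRY_RUN=1` the script prints the commands instead of running them, so it can be inspected without root.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values: mark 1, table 100,
# proxy listening on 8080, intercepting TCP port 80.

# run CMD...: execute, or just print when DRY_RUN is set (no root needed).
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# tproxy_routing MARK TABLE
# Packets carrying MARK are looked up in TABLE, whose single route says that
# every destination is local on lo.  Without this, marked packets are routed
# normally and leave towards the spoofed destination instead of reaching the
# local proxy socket.
tproxy_routing() {
    mark=$1
    table=$2
    run ip rule add fwmark "$mark" lookup "$table"
    run ip route add local 0.0.0.0/0 dev lo table "$table"
}

# tproxy_redirect MARK DPORT ONPORT
# Mangle-table rule handing matching TCP traffic to the TPROXY target, which
# sets MARK (so the rule above applies) and steers it to the socket bound on
# ONPORT.  The rule must precede any forwarding decision, hence PREROUTING.
tproxy_redirect() {
    mark=$1
    dport=$2
    onport=$3
    run iptables -t mangle -A PREROUTING -p tcp --dport "$dport" \
        -j TPROXY --tproxy-mark "$mark/$mark" --on-port "$onport"
}

# tproxy_check MARK TABLE: sanity check that the policy rule is in place.
# ip prints the mark in hex, e.g. "fwmark 0x1 lookup 100".
tproxy_check() {
    ip rule show | grep -q "fwmark 0x$1 lookup $2"
}

# Usage (as root):  ./tproxy-setup.sh
# Dry run:          DRY_RUN=1 ./tproxy-setup.sh
if [ "${0##*/}" = "tproxy-setup.sh" ]; then
    tproxy_routing 1 100
    tproxy_redirect 1 80 8080
fi
```

The proxy process itself still has to create its listening socket with IP_TRANSPARENT set (which needs CAP_NET_ADMIN) and bind it to the port given in `--on-port`; this script only covers the netfilter and routing side. The bridge-mode problem the poster mentions is not addressed here, since the thread does not say what the workaround is.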