On Tue, 2007-07-31 at 13:38 +0200, Jan Engelhardt wrote:
On Jul 31 2007 13:13, Balazs Scheidler wrote:
Looks like we did not resolve all conflicts when forward-porting to 2.6.23.
The version on top of Ubuntu 2.6.17-12.39 was the one that has been tested, but we thought that we should release to a more current version as well.
So in summary, the 2.6.17 based patch should be considered 'reasonably' stable, the other is completely untested.
Is there a 'socket' match at all in balabit's tree? As far as I understand, I need xt_socket because otherwise, traffic to [foreign address on local socket] is forwarded to the real host.
The socket match was one of the latest bits of Hidden's work, in an attempt to get tproxy merged upstream in a rush. However, this makes tproxy more difficult to use. The exact change was to drop our routing changes and use connection mark to divert traffic from FORWARD to INPUT. This requires a couple of rules here and there, among others a rule with a 'socket' match. As we took over tproxy maintenance, we reverted back to the original scenario, using the routing changes as well. This means that you don't need the 'socket' match right now. It does not mean that socket will never be reintroduced; I only want a functional, stable tproxy4 version first, and then talk to DaveM and Patrick about its possible inclusion in October, at Netfilter Developers' Workshop, whether they really insist on not including our routing changes.
By the way, let me introduce Panther, he is going to be the new tproxy maintainer.
As an additional item of interest, we've also published an experimental git tree to http://people.balabit.hu/panther/tproxy4.git/
403. Not a good day, today, is it? :)
git clone works for me here; you don't need an index page in order for git clone to work.
-- Bazsi