Redirecting ICMP related traffic

I am not a kernel / netfilter hacker, but what about extending netfilter CONNMARK for that purpose? Addition of a --restore-mark-related option to the CONNMARK target, which copies the connmark from the master connection to related traffic, will probably do this job.

So then it could look like this?

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
# save mark on connection
iptables -t mangle -A DIVERT -j CONNMARK --save-mark
iptables -t mangle -A DIVERT -j ACCEPT
# copy connmark from master connection to its related stuff
# (--restore-mark-related is the option proposed in this message)
iptables -t mangle -A PREROUTING -p icmp -j CONNMARK --restore-mark-related
# now related ICMP traffic is marked too and can be directed by routing code

Or am I missing some point? And maybe marking related traffic can be useful for other things, not only for tproxy...

Regards.

PS: please excuse my wrong English
------------ Original message ------------
From: KOVACS Krisztian <hidden@sch.bme.hu>
Subject: Re: [tproxy] Merging tproxy patch to standard kernel ?
Date: 21.7.2008 10:17:49
----------------------------------------
Hi,
On Fri, Jul 18, 2008 at 11:15:38 +0900, Yoshioka Tsuneo wrote:
> It is often required to keep the source address on a proxy, and tproxy seems to be almost the only solution. Now, it seems it would be very nice if the tproxy patch were merged into the standard kernel.
>
> Is there any plan to merge tproxy into the standard kernel?
Well, that's always been the plan. However, we're still not in a position to ask for merging -- there are still serious issues with the current patch (handling of related ICMP traffic).
We hope to be able to address these issues but progress has been very, very slow recently...
--
KOVACS Krisztian
_______________________________________________
tproxy mailing list
tproxy@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/tproxy