Hello,

Gonzalo Arana wrote:

Lazlo,

Is it possible to use tproxy 4.1 without conntrack or any other extra state table? I.e., does IP_TRANSPARENT require NAT? If that's the case, it involves an extra table (conntrack) to maintain. Freebind only uses the file descriptor table, so it uses fewer resources, I believe. Am I right? Is freebind not accepted by the kernel guys?

Regards,
Both IP_TRANSPARENT and IP_FREEBIND have an administrative purpose: they enable/disable specific binds. Also, no extra resource is necessary, and they are not related to the netfilter code. IP_TRANSPARENT is a new socket option for tproxy. It sets/unsets a bit inside struct inet_sock. TProxy 4.1 doesn't require NAT or connection tracking; it is independent from it. But if conntrack is enabled, the socket match has different code to let SNAT work with it.

-- Panther
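As an added illustration (not code from this thread or from the tproxy patches), the following C program binds a TCP socket to a constructed non-local address (192.0.2.1 from TEST-NET-1, assumed not to be configured on the host) three times: with no option, with IP_FREEBIND, and with IP_TRANSPARENT. It shows that both options are plain per-socket flags set via setsockopt() and that no netfilter state is involved; IP_TRANSPARENT needs CAP_NET_ADMIN, so an unprivileged run reports EPERM for it.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Linux option numbers, in case an old libc header lacks them. */
#ifndef IP_FREEBIND
#define IP_FREEBIND 15
#endif
#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19
#endif

/* Try to bind a TCP socket to 192.0.2.1 (constructed, assumed not local).
 * opt is 0 (plain bind), IP_FREEBIND or IP_TRANSPARENT.
 * Returns 0 on success, otherwise the errno from setsockopt() or bind().
 * Both options only flip a flag on the socket itself; no conntrack or
 * NAT entry is consulted or created by setting them. */
int bind_nonlocal(int opt)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    int rc = 0, one = 1;
    if (opt && setsockopt(fd, IPPROTO_IP, opt, &one, sizeof one) < 0)
        rc = errno;      /* EPERM for IP_TRANSPARENT without CAP_NET_ADMIN */
    if (rc == 0) {
        struct sockaddr_in sa;
        memset(&sa, 0, sizeof sa);
        sa.sin_family = AF_INET;
        sa.sin_addr.s_addr = htonl(0xC0000201u); /* 192.0.2.1 */
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0)
            rc = errno;  /* EADDRNOTAVAIL when neither option is set */
    }
    close(fd);
    return rc;
}

int main(void)
{
    printf("plain bind:     %s\n", strerror(bind_nonlocal(0)));
    printf("IP_FREEBIND:    %s\n", strerror(bind_nonlocal(IP_FREEBIND)));
    printf("IP_TRANSPARENT: %s\n", strerror(bind_nonlocal(IP_TRANSPARENT)));
    return 0;
}
```

Running it as a normal user shows the plain bind failing with EADDRNOTAVAIL, the IP_FREEBIND bind succeeding, and the IP_TRANSPARENT setsockopt() refused with EPERM; as root all three steps succeed, with no iptables or conntrack entries appearing.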