On Mon, 22 Mar 2004, KOVACS Krisztian wrote:
Hi,
On Mon, 2004-03-22 at 16:46, James MacLean wrote:
No, unfortunately. The ABI changes made the TPROXY_ASSIGN, etc. options obsolete. You should try something like this:

- 8< -
struct in_tproxy itp;

itp.op = TPROXY_ASSIGN;
itp.v.addr.faddr.s_addr = fwdState->src.sin_addr.s_addr;
itp.v.addr.fport = fwdState->src.sin_port;
setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp));

itp.op = TPROXY_FLAGS;
itp.v.flags = ITP_CONNECT;
setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp));
- 8< -
Excellent. Big thanks! I had to add the TPROXY_ALLOC, but I saw my first proxy connect complete successfully :). I now need to test it with more than one request to make sure it is now correct.
TPROXY_ALLOC is only needed when you need the outgoing (source) foreign port _before_ actually initiating the connection. It is useless if you specify the foreign port explicitly. So I think you don't need it. Also note that instead of specifying the foreign port as well, it may be enough for you to forge the IP address only. This would make it work much better, since in this case the foreign port will be automatically allocated by the Netfilter NAT core. So, I would omit the line setting the foreign source port member of itp:
itp.v.addr.fport = 0;
Please try if this works for you.
Thanks again. The original code passed the port of fwdState->src.sin_port which gave an error, so I looked through the samples and saw the ALLOC option. But your suggestion takes less coding, looks cleaner and seems to work fine so far :).

JES
--
James B. MacLean
macleajb@ednet.ns.ca
Department of Education
Nova Scotia, Canada