Hi, On sze, júl 08, 2009 at 02:19:41 +0800, Adrian Chadd wrote:
2009/7/7 KOVACS Krisztian <hidden@sch.bme.hu>:
Reusing the original port is usually a bad idea. A notable example of things breaking is Netfilter connection tracking, which gets confused if you reuse the exact same endpoints for a different connection.
Technically they are not the exact same if you include the interface. If it doesn't consider the interface then they would appear the same.
Netfilter conntrack is interface agnostic -- and you're right that it's exactly that what's causing the problem here.
So are you saying that the Linux TPROXY4 code as it stands won't handle the case of a client sending a connection out with a source port that the TPROXY4 proxy is currently using itself for a client IP spoofed connection?
No, it's just that if you happen to have Netfilter conntrack loaded it won't work. This is a limitation of connection tracking. Transparent proxy support in the kernel doesn't require connection tracking, so if you're not using that the scenario above should work just fine. -- KOVACS Krisztian