This strace shows my (albeit hacked up) work attempting to get stunnel to play with tproxy support.

strace obviously doesn't know how to interpret the IP_FREEBIND passed to setsockopt, but other than that, it's not throwing an error there. Stunnel uses the EINPROGRESS error as a signal to attempt the next ip in the list (if it has one) so it just ends up resetting a perfectly good connection every time.

We're using tproxy 4.0.2-2.6.22

Do we _have_ to patch iptables and set up the tproxy stuff there in order to do the tproxy freebind stuff?

Thanks...

779 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 8
779 fcntl64(8, F_GETFL) = 0x2 (flags O_RDWR)
779 fcntl64(8, F_SETFL, O_RDWR|O_NONBLOCK) = 0
779 setsockopt(8, SOL_IP, 0xf /* IP_??? */, [1], 4) = 0
779 bind(8, {sa_family=AF_INET, sin_port=htons(60413), sin_addr=inet_addr("172.16.200.249")}, 16) = 0
779 connect(8, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress)

Hello,

The iptables patch is required to set up rules with the tproxy match and target, but not for freebind. Without tproxy, IP_FREEBIND works as before; in tproxy it is only used to indicate sockets that accept diverted connections/packets (via the TPROXY target). The IP_FREEBIND sockopt is not related to the EINPROGRESS result, which indicates that it is a non-blocking socket and a poll for a write event is necessary.

Mike Mattice wrote:
This strace shows my (albeit hacked up) work attempting to get stunnel to play with tproxy support.
strace obviously doesn't know how to interpret the IP_FREEBIND passed to setsockopt, but other than that, it's not throwing an error there. Stunnel uses the EINPROGRESS error as a signal to attempt the next ip in the list (if it has one) so it just ends up resetting a perfectly good connection every time.
We're using tproxy 4.0.2-2.6.22
Do we _have_ to patch iptables and set up the tproxy stuff there in order to do the tproxy freebind stuff?
Thanks...
779 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 8
779 fcntl64(8, F_GETFL) = 0x2 (flags O_RDWR)
779 fcntl64(8, F_SETFL, O_RDWR|O_NONBLOCK) = 0
779 setsockopt(8, SOL_IP, 0xf /* IP_??? */, [1], 4) = 0
779 bind(8, {sa_family=AF_INET, sin_port=htons(60413), sin_addr=inet_addr("172.16.200.249")}, 16) = 0
779 connect(8, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress)
_______________________________________________
tproxy mailing list
tproxy@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/tproxy
-- Panther
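
The handling described in the reply above, as an added example that is not part of the original thread and is not stunnel or tproxy code: a non-blocking connect() that treats EINPROGRESS as "pending", polls for the write event, and reads SO_ERROR for the final result. The helper name `connect_nb` and its timeout parameter are hypothetical; the fallback value 15 for IP_FREEBIND is the 0xf seen in the trace.

```c
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_FREEBIND
#define IP_FREEBIND 15 /* 0xf: the option strace printed as IP_??? */
#endif
/* Hypothetical helper: connected fd, or -1 with errno set. src may be NULL. */
int connect_nb(const struct sockaddr_in *src, const struct sockaddr_in *dst,
               int timeout_ms)
{
    int one = 1, err = 0, n;
    socklen_t len = sizeof(err);
    struct pollfd p = { .events = POLLOUT };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK) < 0)
        goto fail;
    /* Same order as the trace: IP_FREEBIND, then bind(). IPPROTO_IP == SOL_IP. */
    if (src && (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one)) < 0 ||
                bind(fd, (const struct sockaddr *)src, sizeof(*src)) < 0))
        goto fail;
    if (connect(fd, (const struct sockaddr *)dst, sizeof(*dst)) == 0)
        return fd;                 /* completed immediately */
    if (errno != EINPROGRESS)
        goto fail;                 /* real failure: caller may try the next IP */
    /* EINPROGRESS: the handshake is under way, wait for the write event. */
    p.fd = fd;
    do { n = poll(&p, 1, timeout_ms); } while (n < 0 && errno == EINTR);
    if (n == 0)
        errno = ETIMEDOUT;
    if (n <= 0)
        goto fail;
    /* Writable is not the same as connected: SO_ERROR holds the outcome. */
    if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) < 0)
        goto fail;
    if (err == 0)
        return fd;
    errno = err;
fail:
    err = errno;                   /* close() may overwrite errno */
    close(fd);
    errno = err;
    return -1;
}
```

Only a -1 return from this helper is a reason to move on to the next address; EINPROGRESS never reaches the caller.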
participants (2)
- Laszlo Attila Toth
- Mike Mattice