icmp support for tproxy 2.0.6 (linux 2.6.20)
Hi,

I've created a quick patch against TPROXY 2.0.6 adding ICMP protocol support to it. The special thing about this patch is that it doesn't only rewrite the destination of the ICMP packet, but also the payload of this packet (usually a TCP/UDP packet).

Our primary motivation for implementing this is to enable PMTU discovery to work for transparent network proxies that are invisible on the network, and that make tproxy connections to remote hosts.

So with a rule like this:

iptables -t tproxy -A PREROUTING -p icmp --icmp-type fragmentation-needed \
    -m u32 --u32 "48&0xffff=80" -j TPROXY --on-ip 1.1.1.1 --on-port 0

one can redirect fragmentation-needed ICMP packets, sent as a reply to a connection to port 80 with a too-big MTU, to the kernel, which will handle them and adjust the PMTU for the given connection.

I hope someone will help this. When we upgrade to newer tproxy I'll possibly create a patch for it (and maybe it will be more intelligent ;-)

Sam
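To make visible what the u32 expression in that rule inspects, here is an added example (not part of the patch or of either mail): it builds a constructed fragmentation-needed datagram, evaluates "48&0xffff=80" the way the u32 match does, and also walks the headers honouring IHL. Offset 48 is the start of the quoted TCP header (20-byte outer IP + 8-byte ICMP + 20-byte quoted IP), so the low 16 bits of that word are the quoted destination port; the IP addresses, ports and MTU used are made-up sample values, and the test below shows that outer IP options shift the quoted header so the fixed-offset match no longer lines up.

```python
import struct

def build_frag_needed(src, dst, mtu, inner_src, inner_dst, sport, dport, outer_ihl=5):
    """Construct an ICMP type 3 / code 4 (fragmentation needed) datagram.
    Constructed sample, not a capture; checksums stay zero since only the
    field layout matters here."""
    def ip_hdr(ihl, proto, s, d, total):
        hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0x4000,
                          64, proto, 0,
                          bytes(map(int, s.split("."))), bytes(map(int, d.split("."))))
        return hdr + b"\x00" * (ihl * 4 - 20)  # zero padding stands in for IP options
    # RFC 792 quotes the original IP header plus the first 8 bytes of its
    # payload: for TCP that is source port, destination port, sequence number.
    inner_tcp = struct.pack("!HHI", sport, dport, 0)
    inner = ip_hdr(5, 6, inner_src, inner_dst, 1500) + inner_tcp
    # ICMP header: type 3, code 4, checksum, unused, next-hop MTU (RFC 1191).
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner
    return ip_hdr(outer_ihl, 1, src, dst, outer_ihl * 4 + len(icmp)) + icmp

def u32_match(pkt, offset, mask, value):
    """Evaluate the one-test form of the iptables u32 match, 'offset&mask=value'.
    Offsets count from the start of the IP header, as in the kernel module."""
    if offset + 4 > len(pkt):
        return False
    word, = struct.unpack("!I", pkt[offset:offset + 4])
    return (word & mask) == value

def parse_frag_needed(pkt):
    """Walk the headers properly (honouring IHL) and return the quoted 4-tuple
    plus the advertised next-hop MTU, or None if this is not frag-needed."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:  # outer protocol must be ICMP
        return None
    icmp = pkt[ihl:]
    typ, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (3, 4):
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    src = ".".join(map(str, inner[12:16]))
    dst = ".".join(map(str, inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {"mtu": mtu, "proto": inner[9], "src": src, "dst": dst,
            "sport": sport, "dport": dport}
```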
On Fri, 2008-03-07 at 08:00 +0100, Samuel B wrote:
> Hi,
>
> I've created a quick patch against TPROXY 2.0.6 adding ICMP protocol support to it. The special thing about this patch is that it doesn't only rewrite the destination of the ICMP packet, but also the payload of this packet (usually a TCP/UDP packet).
>
> Our primary motivation for implementing this is to enable PMTU discovery to work for transparent network proxies that are invisible on the network, and that make tproxy connections to remote hosts.
>
> So with a rule like this:
>
> iptables -t tproxy -A PREROUTING -p icmp --icmp-type fragmentation-needed \
>     -m u32 --u32 "48&0xffff=80" -j TPROXY --on-ip 1.1.1.1 --on-port 0
>
> one can redirect fragmentation-needed ICMP packets, sent as a reply to a connection to port 80 with a too-big MTU, to the kernel, which will handle them and adjust the PMTU for the given connection.
>
> I hope someone will help this. When we upgrade to newer tproxy I'll possibly create a patch for it (and maybe it will be more intelligent ;-)

I don't think this is necessary. tproxy 2 used NAT, which took care of translating ICMP packets properly. At least I know it worked at some time, although it was a long time ago since I personally checked it.

-- 
Bazsi
participants (2): Balazs Scheidler, Samuel B