TProxy version 2.0.0 released
Hi,

The first version of the new TProxy stable branch, TProxy 2.0.0, has been released. There were no changes affecting functionality, only some cleanups and updates necessary for newer Linux 2.6 kernels.

This version is _not_ compatible with TProxy 1.2.x, you have to make some trivial changes to your source code and recompile the application. It is important to note that our GPL-ed Zorp proxy does not support TProxy 2.0 yet.

Important new features of the TProxy 2.0 branch:

* TProxy version number detection
* Through NAT reservations, assignment operations are more safe, if the setsockopt() operation succeeds, the NAT operation will succeed as well
* Improved wildcard port handling, it is possible to force port allocation for an assigned socket with unspecified port number

Patchsets are available for Linux 2.4.27 and 2.6.8.1. The release contains Jozsef Kadlecsik's TCP window tracking patch, but that part is completely optional, all other patches except for the 04-nat_delete.diff can be applied with or without window tracking.

If everything goes well, the release will be available shortly in Netfilter Patch-o-Matic-NG as well.

http://www.balabit.com/downloads/tproxy/linux-2.4/
http://www.balabit.com/downloads/tproxy/linux-2.6/

MD5: bb8b61abc2a361acec7ed2d8c30f25f7 cttproxy-2.4.27-2.0.0.tar.gz
MD5: 4147727427cdf10d4aa96033b363dedc cttproxy-2.6.8.1-2.0.0.tar.gz

--
Regards,
Krisztian KOVACS
On Wed, Oct 06, 2004 at 04:32:16PM +0200, KOVACS Krisztian wrote:
This version is _not_ compatible with TProxy 1.2.x, you have to make some trivial changes to your source code and recompile the application.
Is there a list anywhere of these changes? I compared the test apps from the tproxy 1.2.1 and tproxy 2.0.0 distribution with each other, and made the corresponding modifications to my app, but I'm not sure if that's enough. In particular, I see a list of ops in ip_tproxy.h (TPROXY_QUERY?) that I'm not using at the moment, and I wonder if I should.

My app only does foreign TCP connects, so what I did is (with error checking and such omitted):

- Add TPROXY_VERSION check at program startup.

- Convert all occurrences of:

      itp.itp_faddr = req->client_addr.sin_addr;
      itp.itp_fport = htons(0);
      setsockopt(fd, SOL_IP, IP_TPROXY_ASSIGN, &itp, sizeof(itp));

  to:

      itp.op = TPROXY_ASSIGN;
      itp.v.addr.faddr = req->client_addr.sin_addr;
      itp.v.addr.fport = htons(0);
      setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp));

- Convert all occurrences of:

      flags = ITP_CONNECT;
      setsockopt(fd, SOL_IP, IP_TPROXY_FLAGS, &flags, sizeof(flags));

  to:

      itp.op = TPROXY_FLAGS;
      itp.v.flags = ITP_CONNECT;
      setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp));

This should do it?

cheers,
Lennert
Hi,

On Mon, 2004-10-11 at 12:47, Lennert Buytenhek wrote:
This version is _not_ compatible with TProxy 1.2.x, you have to make some trivial changes to your source code and recompile the application.
Is there a list anywhere of these changes? I compared the test apps from the tproxy 1.2.1 and tproxy 2.0.0 distribution with each other, and made the corresponding modifications to my app, but I'm not sure if that's enough. In particular, I see a list of ops in ip_tproxy.h (TPROXY_QUERY?) that I'm not using at the moment, and I wonder if I should.
No, you shouldn't. QUERY was available in 1.2 as well, it's for querying assigned foreign addresses.
My app only does foreign TCP connects, so what I did is (with error checking and such omitted):

- Add TPROXY_VERSION check at program startup.
This is optional, of course.
- Convert all occurrences of:

      itp.itp_faddr = req->client_addr.sin_addr;
      itp.itp_fport = htons(0);
      setsockopt(fd, SOL_IP, IP_TPROXY_ASSIGN, &itp, sizeof(itp));

  to:

      itp.op = TPROXY_ASSIGN;
      itp.v.addr.faddr = req->client_addr.sin_addr;
      itp.v.addr.fport = htons(0);
      setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp));

- Convert all occurrences of:

      flags = ITP_CONNECT;
      setsockopt(fd, SOL_IP, IP_TPROXY_FLAGS, &flags, sizeof(flags));

  to:

      itp.op = TPROXY_FLAGS;
      itp.v.flags = ITP_CONNECT;
      setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp));
This should do it?
Yes, this is perfectly enough. New operations were added to address missing functionality. New operations of tproxy 2.0 are:

* TPROXY_VERSION: getsockopt() returns the tproxy interface version number, setsockopt() checks if the requested version is compatible with the one available in kernel

* TPROXY_ALLOC: allocates a foreign port if a wildcard (0) port was used with TPROXY_ASSIGN, that is, you can safely assign wildcard ports and later get a free port number allocated, which can be queried. This addresses problems with proxies for protocols where you occasionally might need to know the exact port number before actually connecting (sending out the first packet). You can assign the socket with port number 0, and later allocate a free port number if you need to.

* TPROXY_CONNECT: provides extra information for tproxy, the destination endpoint of the future connection. If you call this before TPROXY_FLAGS/TPROXY_ALLOC, tproxy can allocate a much more specific NAT reservation. Also, you must use this operation to set the other endpoint of a UDP ITP_ESTABLISHED "connection".

All of these are optional except for TPROXY_CONNECT, which must be used before setting the ITP_ESTABLISHED flag. But if you don't need these features, you only have to make the changes outlined in your mail. (See the foreign-tcp-connect.c example.)

--
Regards,
Krisztian KOVACS
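The two conversions confirmed in this thread, with the error checking the original post left out, as an added example that is not code from the thread or from the TProxy distribution. The definitions at the top stand in for ip_tproxy.h with placeholder numeric values, and `tproxy_setup`, `sockopt_fn` and `fake_setsockopt` are hypothetical names; a real caller passes `setsockopt` itself.

```c
#include <errno.h>
#include <stdint.h>
#include <netinet/in.h>
#include <sys/socket.h>

#ifndef SOL_IP
#define SOL_IP 0
#endif
/* Stand-in for ip_tproxy.h so this builds offline: only the fields shown in
 * the thread are modelled, and the four numeric values are placeholders. */
#define IP_TPROXY     0x7001
#define TPROXY_ASSIGN 0x7002
#define TPROXY_FLAGS  0x7003
#define ITP_CONNECT   0x7004
struct in_tproxy {
    uint32_t op;
    union { uint32_t flags; struct { struct in_addr faddr; uint16_t fport; } addr; } v;
};

typedef int (*sockopt_fn)(int, int, int, const void *, socklen_t); /* setsockopt(2) shape */
enum tproxy_step { TP_OK, TP_ASSIGN_FAILED, TP_FLAGS_FAILED };

/* Hypothetical helper: assign the foreign address with a wildcard port, then
 * set ITP_CONNECT. Returns the step that failed; errno stays as the call set it. */
static enum tproxy_step tproxy_setup(int fd, struct in_addr faddr, sockopt_fn set)
{
    struct in_tproxy assign = { .op = TPROXY_ASSIGN }, flags = { .op = TPROXY_FLAGS };

    assign.v.addr.faddr = faddr;
    assign.v.addr.fport = htons(0);
    if (set(fd, SOL_IP, IP_TPROXY, &assign, sizeof(assign)) < 0)
        return TP_ASSIGN_FAILED;  /* no foreign address on the socket: do not connect() */
    flags.v.flags = ITP_CONNECT;
    if (set(fd, SOL_IP, IP_TPROXY, &flags, sizeof(flags)) < 0)
        return TP_FLAGS_FAILED;
    return TP_OK;
}

/* Constructed test double: records each op, fails on call number fail_at. */
static uint32_t seen_ops[4];
static int seen_n, fail_at;
static int fake_setsockopt(int fd, int lvl, int name, const void *val, socklen_t len)
{
    (void)fd; (void)lvl; (void)name; (void)len;
    seen_ops[seen_n++ % 4] = ((const struct in_tproxy *)val)->op;
    if (seen_n == fail_at) { errno = EINVAL; return -1; }
    return 0;
}

int main(void) { struct in_addr a = { htonl(0xC0000201) }; return tproxy_setup(-1, a, fake_setsockopt); }
```

Checking each return value is what surfaces a failed reservation, since the announcement states that a successful setsockopt() means the NAT operation will succeed as well.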