Hello. I'm trying to make a transparent proxy for controlling HTTP access to a web server. All was implemented in kernel 2.4.19. So I used the kernel's functions instead of the user-mode ones: tcp_setsockopt for setsockopt, sk for sock, memcpy for copy_from/to_user.

Before sk->prot->connect (= tcp_v4_connect) to the server I set tproxy like below:

memset(itp, 0x00, sizeof(struct in_tproxy));
memcpy(&(itp->itp_faddr.s_addr), &(client->sk->daddr), sizeof(struct in_addr));
itp->itp_fport = 0;
memcpy(&(server->sk->rcv_saddr), &(client->sk->saddr), sizeof(struct in_addr));
tperr = sk->prot->setsockopt(sk, SOL_IP, IP_TPROXY_ASSIGN, (char *)itp, sizeof(struct in_tproxy));
flags = ITP_CONNECT;
tperr = sk->prot->setsockopt(sk, SOL_IP, IP_TPROXY_FLAGS, (char *)&flags, sizeof(int));

And after tcp_close I unset tproxy like below:

tperr = sk->prot->setsockopt(sk, SOL_IP, IP_TPROXY_UNASSIGN, NULL, 0);

And configured iptables:

iptables -t nat -A PREROUTING -p tcp -d 10.1.1.10 --dport 80 -j REDIRECT --to-port 80

I configured my transparent proxy box (it has one network interface card) with a Layer-4 switch (for cache redirect). Just after starting, tproxy works fine. A few minutes later, tproxy irregularly sends packets with another connection's foreign address to the destination host. But the client receives the response correctly. When that appeared, my reverse proxy box had 4000 established TCP server connections and the hash table size was the same. I don't know why that happens. Did I miss something or do something wrong? Thanks.
Hi, Sorry for late reply... :(
> Before sk->prot->connect (= tcp_v4_connect) to the server I set tproxy like below:
>
> memset(itp, 0x00, sizeof(struct in_tproxy));
> memcpy(&(itp->itp_faddr.s_addr), &(client->sk->daddr), sizeof(struct in_addr));
> itp->itp_fport = 0;
> memcpy(&(server->sk->rcv_saddr), &(client->sk->saddr), sizeof(struct in_addr));
> tperr = sk->prot->setsockopt(sk, SOL_IP, IP_TPROXY_ASSIGN, (char *)itp, sizeof(struct in_tproxy));
> flags = ITP_CONNECT;
> tperr = sk->prot->setsockopt(sk, SOL_IP, IP_TPROXY_FLAGS, (char *)&flags, sizeof(int));
>
> And after tcp_close I unset tproxy like below:
>
> tperr = sk->prot->setsockopt(sk, SOL_IP, IP_TPROXY_UNASSIGN, NULL, 0);
>
> And configured iptables:
>
> iptables -t nat -A PREROUTING -p tcp -d 10.1.1.10 --dport 80 -j REDIRECT --to-port 80
Looks OK.
> I configured my transparent proxy box (it has one network interface card) with a Layer-4 switch (for cache redirect). Just after starting, tproxy works fine. A few minutes later, tproxy irregularly sends packets with another connection's foreign address to the destination host. But the client receives the response correctly. When that appeared, my reverse proxy box had 4000 established TCP server connections and the hash table size was the same.
Could you describe your network setup a bit more?

--
Regards,
Krisztian KOVACS
> I configured my transparent proxy box (it has one network interface card) with a Layer-4 switch (for cache redirect). Just after starting, tproxy works fine. A few minutes later, tproxy irregularly sends packets with another connection's foreign address to the destination host. But the client receives the response correctly. When that appeared, my reverse proxy box had 4000 established TCP server connections and the hash table size was the same.
I've seen this as well in my setup. What tends to happen is either:

- The local TCP stack thinks a connection is no longer there, but conntrack thinks it is still there. Local <IP:port> tuples (local to the proxy) are reused by the TCP stack, but are still listed as TIME_WAIT in conntrack. This causes the IP of _new_ connections to foul up.

- The local TCP stack thinks a connection is still there, but conntrack thinks it's no longer there. This happens in the case of a TCP half-close, and also seems to happen in some circumstances I can't figure out yet.

The workaround for the first problem is easy-ish: assign several local IP addresses to your proxy box, and bind the first 20000 connections to the first IP, then the next 20000 to the next IP, etc. Be sure to have your TCP local port range set up big enough (i.e. 1024-65000). It's not a nice solution but it works.

The second problem is harder to tackle. I'm still looking into it.

cheers,
Lennert
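The multi-IP workaround from the reply above, as an added user-space example (not code from the thread or from the tproxy patch): server-side connections are spread over a pool of local addresses in fixed-size blocks, and each outgoing socket is bound to its block's IP before connect(). The pool size, the addresses and the way the caller releases a slot are assumptions.

```c
/* Added example, not code from the thread: a user-space helper for the
 * workaround above. Outgoing proxy connections are spread over several local
 * IPs in blocks of CONNS_PER_IP so that a <local IP:port> tuple is not reused
 * while conntrack still tracks it. Pool size and block size are assumptions. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

#define POOL_MAX 8
#define CONNS_PER_IP 20000   /* block size suggested in the reply above */

struct local_pool {
    struct in_addr addr[POOL_MAX]; /* local IPs assigned to the proxy box */
    unsigned in_use[POOL_MAX];     /* live server-side connections per IP */
    int count;
};

/* First IP whose block is not full; -1 when every block is exhausted. */
int pool_acquire(struct local_pool *p) {
    for (int i = 0; i < p->count; i++)
        if (p->in_use[i] < CONNS_PER_IP) { p->in_use[i]++; return i; }
    return -1;
}

void pool_release(struct local_pool *p, int idx) {
    if (idx >= 0 && idx < p->count && p->in_use[idx] > 0) p->in_use[idx]--;
}

/* bind() to the chosen local IP with port 0 before connect(), so the kernel
 * hands out an ephemeral port from ip_local_port_range on that IP. Returns
 * the connected fd and stores the pool index the caller must release. */
int connect_from_pool(struct local_pool *p, const struct sockaddr_in *dst,
                      int *idx_out) {
    int idx = pool_acquire(p);
    if (idx < 0) return -1;
    struct sockaddr_in src = { .sin_family = AF_INET, .sin_port = 0,
                               .sin_addr = p->addr[idx] };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&src, sizeof src) == 0 &&
        connect(fd, (const struct sockaddr *)dst, sizeof *dst) == 0) {
        *idx_out = idx;
        return fd;
    }
    if (fd >= 0) close(fd);
    pool_release(p, idx);
    return -1;
}
```

When the proxy closes a server connection it calls pool_release() with the stored index, so the slot is handed back and the block counts stay in step with the live sockets.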
participants (3): KOVACS Krisztian, Lennert Buytenhek, 강기호