[tproxy] tproxy on 2.6?

KOVACS Krisztian hidden@balabit.hu
Fri, 19 Dec 2003 12:56:36 +0100


On Fri, 2003-12-19 at 13:31, Peter Busser wrote:
> >   Not much, at least in theory. 1.2.0 should be nonlinear skb
> > compatible, and Netfilter has not changed much. However, sockopt numbers
> > used by tproxy have been officially allocated to the in-kernel IPSEC, so
> > tproxy for 2.6 won't be binary compatible with current versions... :(
> Can't you change the sockopt numbers in the 2.4 patch, to make it binary
> compatible with 2.6? Being stuck to one kernel version because of tproxy stuff
> is not really a good thing IMHO.

  Yes, it is a really bad thing. However, we can't do much about that.
We should change the sockopt numbers sooner or later, even in the 2.4
patch. But this breaks binary compatibility for binaries using these
sockopts which were compiled for the old interface.

  Also note that some software using tproxy (Zorp, for example) has its
own copy of ip_tproxy.h. This is necessary to be able to compile Zorp
(with transparent proxying support) even on machines which were not
patched with the tproxy patch. When changing those numbers, these
distributions need to be updated as well.

  So, welcome to binary incompatibility hell. :(

> Also note that the latest Debian unstable 2.4 kernels contain a backport of
> the 2.6 IPSEC stack. Does v1.2.0 conflict with the sockopt numbers in that
> kernel too?

  Yes, I know that. And yes, of course it means it conflicts with those
kernels, too... :(

   Krisztian KOVACS