[tproxy] Re: Development version 1.9.2 released - Oops

KOVACS Krisztian hidden@balabit.hu
Mon, 22 Mar 2004 16:57:19 +0100


On Mon, 2004-03-22 at 16:46, James MacLean wrote:
> >   No, unfortunately. The ABI changes made the TPROXY_ASSIGN, etc.
> > options obsolete. You should try something like this:
> > - 8< -
> > struct in_tproxy itp;
> > 
> > itp.op = TPROXY_ASSIGN;
> > itp.v.addr.faddr.s_addr = fwdState->src.sin_addr.s_addr;
> > itp.v.addr.fport = fwdState->src.sin_port;
> > setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp));
> > itp.op = TPROXY_FLAGS;
> > itp.v.flags = ITP_CONNECT;
> > setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp));
> > - 8< -
> Excellent. Big thanks! I had to add the TPROXY_ALLOC, but I saw my first 
> proxy connect complete successfully :). I now need to test it with more 
> than one request to make sure it is now correct.

  TPROXY_ALLOC is only needed when you need the outgoing (source)
foreign port _before_ actually initiating the connection. It is useless
if you specify the foreign port explicitly. So I think you don't need
it. Also note, that instead of specifying the foreign port as well, it
may be enough for you to forge the IP address only. This would make it
work much better, since in this case the foreign port will be
automatically allocated by the Netfilter NAT core. So, I would omit the
line setting the foreign source port member of itp:

itp.v.addr.fport = 0;

Please try if this works for you.
> > > Again, sorry to bother. Would appreciate even a pointer to a small code 
> > > sample that does the transparent proxy this way that I could learn from.
> > 
> >   See the tests directory inside the .tar.gz, those are up-to-date code
> > covering most of the simple cases.
> And now a big "I'm sorry". I looked all over but never even noticed that 
> directory in the patches... The examples were exactly what I needed all 
> along. Maybe a pointer in the README so thick headed folks like myself do 
> not miss them ;)?

  The README file needs some update anyway, so I'll add some reference
to the tests.

   Krisztian KOVACS