[tproxy] Re: Development version 1.9.2 released - Oops
James MacLean
macleajb@ednet.ns.ca
Mon, 22 Mar 2004 13:17:32 -0400 (AST)
On Mon, 22 Mar 2004, KOVACS Krisztian wrote:
> Hi,
>
> On Mon, 2004-03-22 at 16:46, James MacLean wrote:
> > > No, unfortunately. The ABI changes made the TPROXY_ASSIGN, etc.
> > > options obsolete. You should try something like this:
> > > - 8< -
> > > struct in_tproxy itp;
> > >
> > > itp.op = TPROXY_ASSIGN;
> > > itp.v.addr.faddr.s_addr = fwdState->src.sin_addr.s_addr;
> > > itp.v.addr.fport = fwdState->src.sin_port;
> > > setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp));
> > > itp.op = TPROXY_FLAGS;
> > > itp.v.flags = ITP_CONNECT;
> > > setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp));
> > > - 8< -
> >
> > Excellent. Big thanks! I had to add the TPROXY_ALLOC, but I saw my first
> > proxy connect complete successfully :). I now need to test it with more
> > than one request to make sure it is now correct.
>
> TPROXY_ALLOC is only needed when you need the outgoing (source)
> foreign port _before_ actually initiating the connection. It is useless
> if you specify the foreign port explicitly. So I think you don't need
> it. Also note that instead of specifying the foreign port as well, it
> may be enough for you to forge the IP address only. This would make it
> work much better, since in this case the foreign port will be
> automatically allocated by the Netfilter NAT core. So, I would omit the
> line setting the foreign source port member of itp:
>
> itp.v.addr.fport = 0;
>
> Please try if this works for you.
Thanks again. The original code passed the port of fwdState->src.sin_port
which gave an error, so I looked through the samples and saw the ALLOC
option.
But your suggestion takes less coding, looks cleaner and seems to work
fine so far :).
JES
--
James B. MacLean macleajb@ednet.ns.ca
Department of Education
Nova Scotia, Canada