[tproxy] NAT Reservation

Tim Burress hokousha2001@yahoo.com
Sun, 7 Nov 2004 18:28:26 -0800 (PST)


We're using TPROXY 2.0.0 for 2.4.27 and are running
into a strange issue which seems related to NAT
reservation. As usual, we have a client TCP connection
coming in from a given <saddr,sport> going to a
particular <daddr,dport>. Netfilter rules REDIRECT
this to our proxy code, which then uses TPROXY to
connect out to <daddr,dport> using <saddr,sport> as
the apparent source.

We use the same operation sequence that appears in the
test directory: first bind the socket to a local
address, then do a TPROXY ASSIGN assigning
<saddr,sport> to the socket, then TPROXY FLAGS to set
ITP_CONNECT|ITP_ONCE, and then the actual connect().

With earlier versions of TPROXY (though I can't
guarantee that kernel options haven't changed) this
worked fine. Now, though, we see two problems. First,
when we make the call to ASSIGN, we get an error:

IP_TPROXY: ip_tproxy_nat_reserve proto 6 foreign peer
reservation 0200000a:0480

Apparently the NAT reservation is failing because when
the initial TCP connection came in, conntrack set up a
record expecting a reply to <saddr,sport>. The only
way I could see to get around this was to set
SO_REUSEADDR on the socket before the call to ASSIGN.

However the second problem is that, if I do this, I
get an error in the FLAGS call:

IP_TPROXY: ip_tproxy_nat_reserve proto 6 foreign peer
IP_TPROXY: IP_TPROXY_FLAGS sr c660bf9c: failed to
register NAT reservation

I was able to work around these problems by first
setting SO_REUSEADDR on the socket before the ASSIGN
then clearing it before the FLAGS call, but that
doesn't seem ideal. Is this how it's supposed to be
done, or do I just have some basic misunderstanding
about how TPROXY should be used? I have to admit I'm
not clear on the purpose of NAT reservations.



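The bind / TPROXY ASSIGN / TPROXY FLAGS / connect() sequence the post describes, including the SO_REUSEADDR toggle the poster used as a workaround, as an added example in C; it is not code from the original message or from the TPROXY project. The IP_TPROXY option number, the struct in_tproxy layout and the TPROXY_* / ITP_* values are assumptions copied from memory of the tproxy-2.0 header (linux/netfilter_ipv4/ip_tproxy.h) so the file builds without it; check them against the real header before use. The sample addresses (10.0.0.2:1152, which is what the logged reservation 0200000a:0480 decodes to, and 10.0.0.1:80) are constructed.

```c
/* Added example (not from the post or the TPROXY project): spoofed-source
 * connect with tproxy-2.0, following the sequence in the post.
 * Constants and struct layout below are ASSUMED from ip_tproxy.h. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <stdint.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#ifndef IP_TPROXY
#define IP_TPROXY 11                        /* assumed option number */
#endif
enum { TPROXY_ASSIGN = 1, TPROXY_FLAGS = 4 }; /* assumed op codes */
enum { ITP_CONNECT = 0x00000001, ITP_ONCE = 0x00010000 }; /* assumed flags */

struct in_tproxy_addr { struct in_addr faddr; uint16_t fport; };
struct in_tproxy {
    uint32_t op;                            /* one of TPROXY_* */
    union { struct in_tproxy_addr addr; uint32_t flags; } v;
};

/* Fill an ASSIGN request naming the foreign <saddr,sport> to appear as.
 * Returns 0, or -1 if saddr is not a dotted-quad IPv4 address. */
int tproxy_build_assign(const char *saddr, uint16_t sport, struct in_tproxy *itp)
{
    memset(itp, 0, sizeof(*itp));
    itp->op = TPROXY_ASSIGN;
    if (inet_pton(AF_INET, saddr, &itp->v.addr.faddr) != 1)
        return -1;
    itp->v.addr.fport = htons(sport);       /* network byte order, like sin_port */
    return 0;
}

static int set_reuseaddr(int fd, int on)
{
    return setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
}

/* Connect to <daddr,dport> with <saddr,sport> as the apparent source.
 * Returns the connected fd, or -1 with errno set and *step naming the
 * call that failed. Only works on a kernel carrying the tproxy patch. */
int tproxy_connect(const char *saddr, uint16_t sport,
                   const char *daddr, uint16_t dport, const char **step)
{
    struct in_tproxy itp;
    struct sockaddr_in local, remote;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { *step = "socket"; return -1; }

    /* 1. bind to a local address first (0.0.0.0:0, as in the test directory) */
    memset(&local, 0, sizeof(local));
    local.sin_family = AF_INET;
    if (bind(fd, (struct sockaddr *)&local, sizeof(local)) < 0) { *step = "bind"; goto fail; }

    /* 2. ASSIGN with SO_REUSEADDR set, the poster's workaround for the
     *    "foreign peer reservation" failure caused by the conntrack entry
     *    of the incoming client connection */
    if (set_reuseaddr(fd, 1) < 0) { *step = "SO_REUSEADDR on"; goto fail; }
    if (tproxy_build_assign(saddr, sport, &itp) < 0) { *step = "inet_pton"; errno = EINVAL; goto fail; }
    if (setsockopt(fd, IPPROTO_IP, IP_TPROXY, &itp, sizeof(itp)) < 0) { *step = "TPROXY_ASSIGN"; goto fail; }

    /* 3. clear SO_REUSEADDR again, otherwise FLAGS failed to register the
     *    NAT reservation in the poster's setup, then set ITP_CONNECT|ITP_ONCE */
    if (set_reuseaddr(fd, 0) < 0) { *step = "SO_REUSEADDR off"; goto fail; }
    memset(&itp, 0, sizeof(itp));
    itp.op = TPROXY_FLAGS;
    itp.v.flags = ITP_CONNECT | ITP_ONCE;
    if (setsockopt(fd, IPPROTO_IP, IP_TPROXY, &itp, sizeof(itp)) < 0) { *step = "TPROXY_FLAGS"; goto fail; }

    /* 4. the actual connect(); the kernel rewrites the source to <saddr,sport> */
    memset(&remote, 0, sizeof(remote));
    remote.sin_family = AF_INET;
    remote.sin_port = htons(dport);
    if (inet_pton(AF_INET, daddr, &remote.sin_addr) != 1) { *step = "inet_pton"; errno = EINVAL; goto fail; }
    if (connect(fd, (struct sockaddr *)&remote, sizeof(remote)) < 0) { *step = "connect"; goto fail; }
    return fd;

fail:
    { int e = errno; close(fd); errno = e; }
    return -1;
}

int main(void)
{
    const char *step = "";
    /* constructed addresses: client 10.0.0.2:1152, server 10.0.0.1:80 */
    int fd = tproxy_connect("10.0.0.2", 1152, "10.0.0.1", 80, &step);
    if (fd < 0) { perror(step); return 1; }
    printf("connected with spoofed source, fd=%d\n", fd);
    close(fd);
    return 0;
}
```

On an unpatched kernel the ASSIGN setsockopt fails with ENOPROTOOPT and `step` reports which call broke, which is also the quickest way to tell the two failures in the post apart (ASSIGN versus FLAGS) without reading dmesg.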