[tproxy] NAT Reservation

Tim Burress hokousha2001@yahoo.com
Wed, 10 Nov 2004 02:55:31 -0800 (PST)


--- KOVACS Krisztian <hidden@balabit.hu> wrote:
> Before using TPROXY_FLAGS you should specify the
> other endpoint of the
> new connection using TPROXY_CONNECT.

This works up to a point, but we run into trouble if
the destination address is subject to a DNAT rule. In
that case, if we use TPROXY_CONNECT to specify the
remote endpoint, we kind of shoot ourselves in the
foot because by the time TPROXY sees the packet in
POSTROUTING, the packet's destination address will
have changed.

The workaround of playing games with SO_REUSEADDR
seems to do OK in this situation, but it's ugly and
I'm not sure what the side effects might be.

