[tproxy] TProxy version 2.0.0 released

KOVACS Krisztian hidden@balabit.hu
Mon, 11 Oct 2004 13:03:49 +0200


On Mon, 2004-10-11 at 12:47, Lennert Buytenhek wrote:
> >   This version is _not_ compatible with TProxy 1.2.x, you have to make
> > some trivial changes to your source code and recompile the application.
> Is there a list anywhere of these changes?  I compared the test apps
> from the tproxy 1.2.1 and tproxy 2.0.0 distribution with each other,
> and made the corresponding modifications to my app, but I'm not sure
> if that's enough.  In particular, I see a list of ops in ip_tproxy.h
> (TPROXY_QUERY?) that I'm not using at the moment, and I wonder if I
> should.

  No, you shouldn't. QUERY was available in 1.2 as well, it's for
querying assigned foreign addresses.

> My app only does foreign TCP connects, so what I did is (with error
> checking and such omitted):
> - Add TPROXY_VERSION check at program startup.

  This is optional, of course.

> - Convert all occurrences of:
> 	itp.itp_faddr = req->client_addr.sin_addr;
> 	itp.itp_fport = htons(0);
> 	setsockopt(fd, SOL_IP, IP_TPROXY_ASSIGN, &itp, sizeof(itp));
> to:
> 	itp.op = TPROXY_ASSIGN;
> 	itp.v.addr.faddr = req->client_addr.sin_addr;
> 	itp.v.addr.fport = htons(0);
> 	setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp));
> - Convert all occurrences of:
> 	flags = ITP_CONNECT;
> 	setsockopt(fd, SOL_IP, IP_TPROXY_FLAGS, &flags, sizeof(flags));
> to:
> 	itp.op = TPROXY_FLAGS;
> 	itp.v.flags = ITP_CONNECT;
> 	setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp));
> This should do it?

  Yes, this is perfectly enough. New operations were added to address
missing functionality. New operations of tproxy 2.0 are:

      * TPROXY_VERSION: getsockopt() returns the tproxy interface
        version number, setsockopt() checks if the requested version is
        compatible with the one available in kernel
      * TPROXY_ALLOC: allocates a foreign port if a wildcard (0) port
        was used with TPROXY_ASSIGN, that is, you can safely assign
        wildcard ports and later get a free port number allocated, which
        can be queried. This addresses problems with proxies for
        protocols where you occasionally might need to know the exact
        port number before actually connecting (sending out the first
        packet). You can assign the socket with port number 0, and later
        allocate a free port number if you need to.
      * TPROXY_CONNECT: provides extra information for tproxy, the
        destination endpoint of the future connection. If you call this
        before TPROXY_FLAGS/TPROXY_ALLOC, tproxy can allocate a much
        more specific NAT reservation. Also, you must use this operation
        to set the other endpoint of a UDP ITP_ESTABLISHED "connection".

  All of these are optional except for TPROXY_CONNECT, which must be
used before setting the ITP_ESTABLISHED flag. But if you don't need
these features, you only have to make the changes outlined in your mail.
(See the foreign-tcp-connect.c example.)

   Krisztian KOVACS
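As an added example (not the foreign-tcp-connect.c shipped with tproxy and not the author's code): the 2.0 request sequence for a foreign TCP connect that has to know its source port before the first packet goes out, which is where TPROXY_CONNECT before TPROXY_ALLOC and the later TPROXY_QUERY come in. The struct name in_tproxy, the v.version field, the opcode values and reading the port back with getsockopt on IP_TPROXY are assumptions about ip_tproxy.h; the simulated kernel and the addresses are constructed so the sequence runs offline.

```c
#include <stdint.h>
#include <sys/socket.h>
#include <netinet/in.h>
#ifndef IP_TPROXY  /* placeholders: real opcode values and the layout come from ip_tproxy.h */
#define IP_TPROXY 11
#define ITP_CONNECT 0x01
enum { TPROXY_VERSION, TPROXY_ASSIGN, TPROXY_QUERY, TPROXY_FLAGS, TPROXY_ALLOC, TPROXY_CONNECT };
struct in_tproxy {
    uint32_t op;
    union { struct { struct in_addr faddr; uint16_t fport; } addr; uint32_t flags; uint32_t version; } v;
};
#endif
typedef int (*itp_fn)(int fd, int is_get, struct in_tproxy *itp);   /* real sockopt or stand-in */
int itp_kernel(int fd, int is_get, struct in_tproxy *itp)
{
    socklen_t len = sizeof(*itp);
    return is_get ? getsockopt(fd, SOL_IP, IP_TPROXY, itp, &len)
                  : setsockopt(fd, SOL_IP, IP_TPROXY, itp, sizeof(*itp));
}
int itp_simulated(int fd, int is_get, struct in_tproxy *itp)
{   /* constructed 2.0 kernel: accepts interface version 2 only, ALLOC hands out port 40000 */
    static uint16_t port; (void)fd;
    if (itp->op == TPROXY_VERSION && itp->v.version != 2) return -1;
    if (itp->op == TPROXY_ALLOC) port = htons(40000);
    if (is_get && itp->op == TPROXY_QUERY) itp->v.addr.fport = port;
    return 0;
}
/* Foreign TCP connect that must know its source port before connecting: VERSION, ASSIGN
 * (wildcard port), CONNECT (destination), ALLOC, QUERY, FLAGS=ITP_CONNECT. Returns the
 * allocated source port in host order, or -1 as soon as any step is refused. */
int tproxy_prepare_foreign_connect(int fd, struct in_addr faddr,
        const struct sockaddr_in *dst, uint32_t version, itp_fn call)
{
    struct in_tproxy itp = {0};
    itp.op = TPROXY_VERSION; itp.v.version = version;      /* setsockopt = compatibility check */
    if (call(fd, 0, &itp) < 0) return -1;
    itp.op = TPROXY_ASSIGN; itp.v.addr.faddr = faddr; itp.v.addr.fport = htons(0);
    if (call(fd, 0, &itp) < 0) return -1;
    itp.op = TPROXY_CONNECT; itp.v.addr.faddr = dst->sin_addr; itp.v.addr.fport = dst->sin_port;
    if (call(fd, 0, &itp) < 0) return -1;                  /* before ALLOC: tighter NAT reservation */
    itp.op = TPROXY_ALLOC; if (call(fd, 0, &itp) < 0) return -1;
    itp.op = TPROXY_QUERY; if (call(fd, 1, &itp) < 0) return -1;   /* getsockopt reads the port back */
    int port = ntohs(itp.v.addr.fport);
    itp.op = TPROXY_FLAGS; itp.v.flags = ITP_CONNECT;
    return call(fd, 0, &itp) < 0 ? -1 : port;
}
int demo_prepare(uint32_t version)   /* constructed addresses against the simulated kernel */
{
    struct in_addr client = { htonl(0xc0a80001) };                         /* 192.168.0.1 */
    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(80), .sin_addr = { htonl(0x0a000001) } };
    return tproxy_prepare_foreign_connect(-1, client, &dst, version, itp_simulated);
}
```

On a real tproxy 2.0 system the same sequence is run with itp_kernel and a live socket descriptor, and the returned port is the one the proxy can announce before calling connect().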