[tproxy] TProxy version 2.0.0 released
KOVACS Krisztian
hidden@balabit.hu
Mon, 11 Oct 2004 13:03:49 +0200
Hi,
On Mon, 2004-10-11 at 12:47, Lennert Buytenhek wrote:
> > This version is _not_ compatible with TProxy 1.2.x, you have to make
> > some trivial changes to your source code and recompile the application.
>
> Is there a list anywhere of these changes? I compared the test apps
> from the tproxy 1.2.1 and tproxy 2.0.0 distribution with each other,
> and made the corresponding modifications to my app, but I'm not sure
> if that's enough. In particular, I see a list of ops in ip_tproxy.h
> (TPROXY_QUERY?) that I'm not using at the moment, and I wonder if I
> should.
No, you shouldn't. QUERY was available in 1.2 as well, it's for
querying assigned foreign addresses.
> My app only does foreign TCP connects, so what I did is (with error
> checking and such omitted):
> - Add TPROXY_VERSION check at program startup.
This is optional, of course.
> - Convert all occurrences of:
>       itp.itp_faddr = req->client_addr.sin_addr;
>       itp.itp_fport = htons(0);
>       setsockopt(fd, SOL_IP, IP_TPROXY_ASSIGN, &itp, sizeof(itp));
>   to:
>       itp.op = TPROXY_ASSIGN;
>       itp.v.addr.faddr = req->client_addr.sin_addr;
>       itp.v.addr.fport = htons(0);
>       setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp));
> - Convert all occurrences of:
>       flags = ITP_CONNECT;
>       setsockopt(fd, SOL_IP, IP_TPROXY_FLAGS, &flags, sizeof(flags));
>   to:
>       itp.op = TPROXY_FLAGS;
>       itp.v.flags = ITP_CONNECT;
>       setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp));
>
> This should do it?
Yes, this is perfectly enough. New operations were added to address
missing functionality. New operations of tproxy 2.0 are:
  * TPROXY_VERSION: getsockopt() returns the tproxy interface
    version number, setsockopt() checks if the requested version is
    compatible with the one available in the kernel
  * TPROXY_ALLOC: allocates a foreign port if a wildcard (0) port
    was used with TPROXY_ASSIGN, that is, you can safely assign
    wildcard ports and later get a free port number allocated, which
    can be queried. This addresses problems with proxies for
    protocols where you occasionally might need to know the exact
    port number before actually connecting (sending out the first
    packet). You can assign the socket with port number 0, and later
    allocate a free port number if you need to.
  * TPROXY_CONNECT: provides extra information for tproxy, the
    destination endpoint of the future connection. If you call this
    before TPROXY_FLAGS/TPROXY_ALLOC, tproxy can allocate a much
    more specific NAT reservation. Also, you must use this operation
    to set the other endpoint of a UDP ITP_ESTABLISHED "connection".
All of these are optional except for TPROXY_CONNECT, which must be
used before setting the ITP_ESTABLISHED flag. But if you don't need
these features, you only have to make the changes outlined in your mail.
(See the foreign-tcp-connect.c example.)
--
Regards,
Krisztian KOVACS
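
The 2.0 call sequence discussed in this thread, with the error checking the quoted snippets omit and the optional TPROXY_CONNECT placed before TPROXY_FLAGS, as an added example that is not code from the tproxy distribution or from either poster. The numeric constant values, the struct tags and the names tproxy2_foreign_connect, record_opt and demo are stand-ins for illustration, and passing the TPROXY_CONNECT destination in v.addr is an assumption; build against the real ip_tproxy.h and pass setsockopt itself as the second argument on a tproxy kernel.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>

/* Stand-ins so this builds without the tproxy headers: names follow the mail,
 * numeric values and struct tags are placeholders (real ones: ip_tproxy.h). */
enum { IP_TPROXY = 0x7001, TPROXY_ASSIGN = 1, TPROXY_FLAGS, TPROXY_CONNECT };
enum { ITP_CONNECT = 1 };
struct itp_addr { struct in_addr faddr; unsigned short fport; };
struct itp_req {
    unsigned int op;
    union { unsigned int flags; struct itp_addr addr; } v;
};
typedef int (*sockopt_fn)(int, int, int, const void *, socklen_t);

/* ASSIGN -> CONNECT -> FLAGS; returns 0, or the op whose request failed. */
int tproxy2_foreign_connect(int fd, sockopt_fn so, struct in_addr client,
                            const struct sockaddr_in *dest) {
    struct itp_req itp = { .op = TPROXY_ASSIGN };  /* remaining bytes zeroed */
    itp.v.addr.faddr = client;           /* foreign (client) address */
    itp.v.addr.fport = htons(0);         /* wildcard port, as in the mail */
    if (so(fd, IPPROTO_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) return (int)itp.op;
    itp.op = TPROXY_CONNECT;             /* optional; v.addr use is an assumption */
    itp.v.addr.faddr = dest->sin_addr;
    itp.v.addr.fport = dest->sin_port;
    if (so(fd, IPPROTO_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) return (int)itp.op;
    itp = (struct itp_req){ .op = TPROXY_FLAGS, .v.flags = ITP_CONNECT };
    return so(fd, IPPROTO_IP, IP_TPROXY, &itp, sizeof(itp)) == -1 ? (int)itp.op : 0;
}

/* Recording stand-in for setsockopt(); fails the op named in fail_on. */
static unsigned int seen[8];
static int nseen, fail_on;
static int record_opt(int fd, int lvl, int name, const void *val, socklen_t len) {
    unsigned int op = ((const struct itp_req *)val)->op;
    (void)fd; (void)lvl; (void)name; (void)len;
    if (nseen < 8) seen[nseen++] = op;
    return (int)op == fail_on ? -1 : 0;
}

int demo(int fail) {                     /* constructed addresses */
    struct sockaddr_in dest = { .sin_family = AF_INET, .sin_port = htons(80) };
    struct in_addr client = { htonl(0xC000020A) };      /* 192.0.2.10 */
    dest.sin_addr.s_addr = htonl(0xC6336407);           /* 198.51.100.7 */
    nseen = 0; fail_on = fail;
    return tproxy2_foreign_connect(-1, record_opt, client, &dest);
}
int main(void) { int rc = demo(0); printf("rc=%d ops=%d\n", rc, nseen); return rc; }
```

The level argument is written as IPPROTO_IP, which has the same value as the SOL_IP used in the mail on Linux.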