[tproxy] tproxy4, kernel 2.6.22 and squid-2.6.stable13
Ming-Ching Tiew
mingching.tiew at redtone.com
Mon Dec 3 10:35:27 CET 2007
From: "KOVACS Krisztian" <hidden at sch.bme.hu>
> >
> > In the case of tproxy4 using IP_FREEBIND, I wonder if there is
> > someone who can work on an equivalent patch.
>
> First of all, thanks for the nice analysis. It's really helpful.
>
> And yes, a modification of tproxy4 to support NAT is in the way -- it's
> just that I did not have time to work on it in the last few weeks. But
> it's certainly possible to implement NAT compatibility with tproxy4. (In a
> way which is much cleaner than the modifications necessary for tproxy2.)
>
First of all, I am quite a newbie with regards to kernel socket/netfilter
programming. But if I check on the reply packets in the tproxy table
PREROUTING chain and am given the socket buffer, is there a way for
me to query the connection tracking to find out the original source IP
before SNAT?
My idea is that perhaps I could use the code in the tproxy4 patch to
look up the IP_FREEBIND socket so that the reply traffic can be
diverted locally too using tproxy.
See fragments of the tproxy-4.0.3 patch:
+ sk = ipt_tproxy_get_sock(protocol, iph->saddr, iph->daddr,
+ hp->source, hp->dest, in);
+ if (sk) {
+ /* mark skb */
+ inet = inet_sk(sk);
+ if (inet == NULL)
+ goto out;
+
+ if (tproxy_any || inet->freebind) {
+ skb->ip_tproxy = 1;
+
+ indev = in_dev_get(in);
+ if (indev == NULL)
+ goto out;
+
+ ip_divert_local(skb, indev, sk);
+ in_dev_put(indev);
+
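Review bot: the `if (inet == NULL) goto out;` test right after `inet = inet_sk(sk);` is dead code, because `inet_sk()` is a plain cast of the already non-NULL `sk` and cannot yield NULL; it can be dropped. Two real points in the same region: `skb->ip_tproxy = 1;` is set before `in_dev_get(in)` is checked, so when `indev == NULL` the skb leaves via `goto out` marked as tproxied but never handed to `ip_divert_local()`; set the mark after the device lookup succeeds (or clear it on that failure path). And the fragment shows `sk` obtained from `ipt_tproxy_get_sock()` and passed to `ip_divert_local()`, but no `sock_put()` is visible either on the `goto out` paths or when `tproxy_any || inet->freebind` is false; if that lookup returns a referenced socket, the `out:` label (not shown here) must release it.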
Is this a workable approach? Any comments?
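The conntrack question above has a direct answer in the 2.6.22 kernel: a netfilter hook that runs after conntrack has attached to the skb calls `nf_ct_get(skb, &ctinfo)`, uses `CTINFO2DIR(ctinfo)` to see whether the packet is in the REPLY direction, and reads the pre-SNAT client address from `ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip` rather than from the IP header, which on the reply path carries the SNAT address (if conntrack has not seen the skb yet, `nf_ct_get()` returns NULL and nothing can be recovered). The program below is an added userspace model, not code from the tproxy patch or from the kernel: it mirrors the relevant field names of `struct nf_conn` in a self-contained mock, builds a constructed conntrack entry for an SNATed TCP connection, and shows how the ORIGINAL and REPLY tuples relate and which key a reply-path socket lookup would use. The addresses, ports and the helper names `ct_init_snat`, `reply_lookup_key` and `struct lookup_key` are assumptions for the example.

```c
/*
 * Added example (not from the tproxy patch or the kernel): a userspace model
 * of recovering the pre-SNAT source of a connection from conntrack when a
 * hook sees a reply packet.  In the real 2.6.22 hook this is
 *     struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
 *     if (ct && CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY)
 *         orig_src = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip;
 * The structs here are a mock that keeps the kernel's field names.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

enum ip_conntrack_dir { IP_CT_DIR_ORIGINAL = 0, IP_CT_DIR_REPLY = 1, IP_CT_DIR_MAX };

/* Subset of struct nf_conntrack_tuple: addresses/ports in network byte order. */
struct nf_conntrack_tuple {
    struct { union { uint32_t ip; } u3; union { uint16_t port; } u; } src;
    struct { union { uint32_t ip; } u3; union { uint16_t port; } u; uint8_t protonum; } dst;
};

/* Subset of struct nf_conn: one tuple per direction. */
struct nf_conn {
    struct { struct nf_conntrack_tuple tuple; } tuplehash[IP_CT_DIR_MAX];
};

/* Constructed conntrack entry for a TCP connection client -> server that an
 * SNAT rule rewrote to snat_ip:snat_port.  conntrack stores the REPLY tuple
 * as the inverse of the ORIGINAL tuple *after* NAT, so the reply's dst is the
 * SNAT address while the ORIGINAL tuple still holds the real client. */
static void ct_init_snat(struct nf_conn *ct,
                         uint32_t client_ip, uint16_t client_port,
                         uint32_t server_ip, uint16_t server_port,
                         uint32_t snat_ip, uint16_t snat_port)
{
    struct nf_conntrack_tuple *orig, *repl;

    memset(ct, 0, sizeof(*ct));
    orig = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
    repl = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;

    orig->src.u3.ip = client_ip; orig->src.u.port = client_port;
    orig->dst.u3.ip = server_ip; orig->dst.u.port = server_port;
    orig->dst.protonum = 6; /* TCP */

    repl->src.u3.ip = server_ip; repl->src.u.port = server_port;
    repl->dst.u3.ip = snat_ip;   repl->dst.u.port = snat_port;
    repl->dst.protonum = 6;
}

/* What a reply-path socket lookup needs: the client's address/port before
 * SNAT, plus whether conntrack says the source was actually rewritten. */
struct lookup_key {
    uint32_t orig_src_ip;
    uint16_t orig_src_port;
    int snatted;
};

/* Given a reply-direction packet (saddr/daddr as seen on the wire), return 1
 * and fill *key if it belongs to this conntrack entry, else 0.  The key comes
 * from the ORIGINAL tuple, never from the packet header. */
static int reply_lookup_key(const struct nf_conn *ct, uint32_t pkt_saddr,
                            uint32_t pkt_daddr, struct lookup_key *key)
{
    const struct nf_conntrack_tuple *orig = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
    const struct nf_conntrack_tuple *repl = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;

    /* A reply packet must match the REPLY tuple's src/dst exactly. */
    if (pkt_saddr != repl->src.u3.ip || pkt_daddr != repl->dst.u3.ip)
        return 0;

    key->orig_src_ip = orig->src.u3.ip;
    key->orig_src_port = orig->src.u.port;
    /* SNAT happened iff the reply's destination differs from the original source. */
    key->snatted = (repl->dst.u3.ip != orig->src.u3.ip) ||
                   (repl->dst.u.port != orig->src.u.port);
    return 1;
}

int main(void)
{
    struct nf_conn ct;
    struct lookup_key key;
    struct in_addr a;

    /* Constructed flow: 10.0.0.5:40000 -> 203.0.113.10:80, SNATed to 198.51.100.1. */
    ct_init_snat(&ct, inet_addr("10.0.0.5"), htons(40000),
                 inet_addr("203.0.113.10"), htons(80),
                 inet_addr("198.51.100.1"), htons(40000));

    /* The reply on the wire is 203.0.113.10 -> 198.51.100.1; the header no
     * longer shows 10.0.0.5, but conntrack's ORIGINAL tuple still does. */
    if (reply_lookup_key(&ct, inet_addr("203.0.113.10"), inet_addr("198.51.100.1"), &key)) {
        a.s_addr = key.orig_src_ip;
        printf("pre-SNAT source %s:%u (snatted=%d)\n",
               inet_ntoa(a), ntohs(key.orig_src_port), key.snatted);
    }
    return 0;
}
```

The same check in a real hook has one extra failure mode the model cannot show: if the tproxy table's hook runs before conntrack has processed the skb, `nf_ct_get()` returns NULL and the ORIGINAL tuple is simply not available, so the hook must test for that rather than assume every packet has a conntrack entry.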