[tproxy] tproxy4, kernel 2.6.22 and squid-2.6.stable13

Ming-Ching Tiew mingching.tiew at redtone.com
Mon Dec 3 10:35:27 CET 2007

From: "KOVACS Krisztian" <hidden at sch.bme.hu>
> >
> >     In the case of tproxy4 using IP_FREEBIND, I wonder if there is
> >     someone who can work on an equivalent patch.
> First of all, thanks for the nice analysis. It's really helpful.
> And yes, a modification of tproxy4 to support NAT is in the way -- it's
> just that I did not have time to work on it in the last few weeks. But
> it's certainly possible to implement NAT compatibility with tproxy4. (In a
> way which is much cleaner than the modifications necessary for tproxy2.)

First of all, I am quite a newbie with regards to kernel socket/netfilter
programming. But if I check on the reply packets in the tproxy table
PREROUTING chain and given the socket buffer, is there a way for
me to query the connection tracking to find out the original source IP
before SNAT?

My idea is that perhaps I could use the code in the tproxy4 patch to
look up the IP_FREEBIND socket so that the reply traffic can be
diverted locally too using tproxy :-

see fragments of tproxy-4.0.3 patch :-

+       sk = ipt_tproxy_get_sock(protocol, iph->saddr, iph->daddr,
+                               hp->source, hp->dest, in);
+       if (sk) {
+               /* mark skb */
+               inet = inet_sk(sk);
+               if (inet == NULL)
+                       goto out;
+               if (tproxy_any || inet->freebind) {
+                       skb->ip_tproxy = 1;
+                       indev = in_dev_get(in);
+                       if (indev == NULL)
+                               goto out;
+                       ip_divert_local(skb, indev, sk);
+                       in_dev_put(indev);
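Review bot: The two early exits in this fragment (`goto out` when `inet == NULL` and when `indev == NULL`) jump away after `ipt_tproxy_get_sock()` has already handed back `sk`, and no `sock_put()` is visible between the lookup and either jump; before reusing this path for reply traffic, confirm that the `out` label releases that socket reference, otherwise each early exit leaks one. The `inet == NULL` test itself is dead code: `inet_sk(sk)` is a pointer cast of `sk`, so it cannot be NULL once `sk` is non-NULL. Note also that the lookup is keyed on the addresses as they appear in the packet (`iph->saddr`, `iph->daddr`, `hp->source`, `hp->dest`); a SNATed reply carries the translated destination, so this lookup alone will not find a socket bound to the client's pre-SNAT address, which is exactly the gap the connection-tracking question above is about.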

Is this a workable approach? Any comments?
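As an added illustration (not code from the tproxy patch or from this thread) of where the pre-SNAT source address actually lives: connection tracking keeps two tuples per flow, the ORIGINAL direction as the client sent it and the REPLY direction as the far end addresses its answers. After SNAT the reply tuple's destination is the translated address, while the original tuple's source is still the client's real address; in the kernel this is the same pair of tuples that `nf_ct_get()` returns for a skb (the original-direction entry being `tuplehash[IP_CT_DIR_ORIGINAL]`). The Python below reads that relationship out of conntrack table lines in the `/proc/net/ip_conntrack` layout (and tolerates the `ipv4 2` prefix of `/proc/net/nf_conntrack`); the sample entries and the helper names are constructed for this example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Hypothetical helper written for this example; it is not part of tproxy, squid or the kernel.
# It parses conntrack entries in the /proc/net/ip_conntrack layout (the same lines with an
# "ipv4 2" prefix are what /proc/net/nf_conntrack prints) and shows where the pre-SNAT
# source address lives: in the ORIGINAL-direction tuple, while the REPLY tuple carries
# the translated address the reply packet is actually addressed to.

class Flow(NamedTuple):
    proto: str
    orig_src: str
    orig_dst: str
    orig_sport: int
    orig_dport: int
    reply_src: str
    reply_dst: str
    reply_sport: int
    reply_dport: int

# Constructed sample table (not captured from a real host).
SAMPLE_CONNTRACK = [
    # LAN client 192.168.1.10 talks to a web server; the box SNATs it to 203.0.113.5,
    # so the reply tuple's dst is the public address, not the client's.
    "tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.20 sport=40000 dport=80 "
    "packets=3 bytes=200 src=198.51.100.20 dst=203.0.113.5 sport=80 dport=40000 "
    "packets=2 bytes=300 [ASSURED] mark=0 use=1",
    # Un-NATed flow: the reply tuple is just the mirror of the original tuple.
    "tcp      6 100 TIME_WAIT src=192.168.1.11 dst=192.168.1.1 sport=50000 dport=22 "
    "src=192.168.1.1 dst=192.168.1.11 sport=22 dport=50000 [ASSURED] mark=0 use=1",
    # ICMP entries use type=/code=/id= instead of ports; the parser skips them.
    "icmp     1 29 src=192.168.1.12 dst=198.51.100.1 type=8 code=0 id=1234 "
    "src=198.51.100.1 dst=203.0.113.5 type=0 code=0 id=1234 mark=0 use=1",
]

KEYVAL_RE = re.compile(r"(\w+)=(\S+)")

def parse_entry(line: str) -> Optional[Flow]:
    """Return the two tuples of one conntrack line, or None for non TCP/UDP entries."""
    fields = line.split()
    if not fields:
        return None
    # /proc/net/nf_conntrack prefixes each line with the L3 family ("ipv4 2 tcp ...");
    # /proc/net/ip_conntrack starts directly with the L4 protocol name.
    proto = fields[2] if fields[0] in ("ipv4", "ipv6") else fields[0]
    if proto not in ("tcp", "udp"):
        return None
    seen = {"src": [], "dst": [], "sport": [], "dport": []}
    for key, value in KEYVAL_RE.findall(line):
        if key in seen:
            seen[key].append(value)
    # Exactly two of each: the first pair is the ORIGINAL direction, the second the REPLY direction.
    if any(len(v) != 2 for v in seen.values()):
        return None
    return Flow(proto,
                seen["src"][0], seen["dst"][0], int(seen["sport"][0]), int(seen["dport"][0]),
                seen["src"][1], seen["dst"][1], int(seen["sport"][1]), int(seen["dport"][1]))

def nat_kind(flow: Flow) -> str:
    """Classify a flow by comparing the reply tuple against the mirrored original tuple."""
    snat = (flow.reply_dst, flow.reply_dport) != (flow.orig_src, flow.orig_sport)
    dnat = (flow.reply_src, flow.reply_sport) != (flow.orig_dst, flow.orig_dport)
    if snat and dnat:
        return "SNAT+DNAT"
    if snat:
        return "SNAT"
    if dnat:
        return "DNAT"
    return "none"

def original_source_for_reply(flows: List[Flow], src: str, dst: str,
                              sport: int, dport: int) -> Optional[Tuple[str, int]]:
    """Given the on-the-wire addresses of a reply packet (as seen in PREROUTING, i.e.
    still addressed to the SNAT address), return the client's pre-SNAT source."""
    for f in flows:
        if (f.reply_src, f.reply_dst, f.reply_sport, f.reply_dport) == (src, dst, sport, dport):
            return f.orig_src, f.orig_sport
    return None

def load_flows(lines: List[str]) -> List[Flow]:
    return [f for f in map(parse_entry, lines) if f is not None]

if __name__ == "__main__":
    flows = load_flows(SAMPLE_CONNTRACK)
    for f in flows:
        print(f"{f.proto} {f.orig_src}:{f.orig_sport} -> {f.orig_dst}:{f.orig_dport}  nat={nat_kind(f)}")
    # A reply from the web server arrives addressed to 203.0.113.5:40000; the client
    # that should receive it is found in the ORIGINAL tuple of the matching entry.
    print(original_source_for_reply(flows, "198.51.100.20", "203.0.113.5", 80, 40000))
```

The point of the matching in `original_source_for_reply()` is the same one the PREROUTING hook would face: the reply packet's own addresses only match the REPLY tuple, and the client address needed to pick the right local socket comes from the ORIGINAL tuple of that entry, not from the packet.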
