[tproxy] tproxy4, kernel 2.6.22 and squid-2.6.stable13

KOVACS Krisztian hidden at sch.bme.hu
Wed Dec 5 11:52:56 CET 2007


Hi,

On Wed, Dec 05, 2007 at 03:47:57PM +0800, Ming-Ching Tiew wrote:
> From: "Ming-Ching Tiew" <mingching.tiew at redtone.com>
> > My idea is that perhaps I could use the code in the tproxy4 patch to
> > look up the IP_FREEBIND socket so that the reply traffic can be
> > diverted locally too using tproxy :-
> > 
> 
> I hope I have not bored you guys to death with my solo show.

Hey, not at all! It's just that we all have other things to work on and
because of this we're usually not that quick at replying. (Yeah, I know this
sucks. Sorry.)

> Anyway, included please find a patch which I created, to be
> applied on top of tproxy4.0.3, which, based on my own testing,
> seems to work. This patch is weird, as it modifies the IP
> header data in the prerouting chain and I don't have the slightest
> idea what the implication will be.
> 
> In any case, the purpose is not to show that it is a working
> solution, but rather to invite comments from the gurus here.

Hmm, I don't really get why you want to modify the header here. I
understand the first chunk (although I guess you got it wrong: you'd have
to use the IP_CT_DIR_REPLY tuple's source as the destination address
here). However, if you have found a socket this way, I don't see why
you'd need to modify the packet header. The whole idea of tproxy4
is doing a socket lookup and then pre-assigning a dst entry with that
socket reference so that the packet gets delivered locally to that socket.

Could you check whether applying the attached patch on top of 4.0.3 helps you
with SNAT? (The patch is completely untested but at the moment I can't do
any testing.)

-- 
KOVACS Krisztian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tproxy-priority.patch
Type: text/x-diff
Size: 565 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/tproxy/attachments/20071205/2dfd3a51/attachment.patch 

