[tproxy] tproxy4, kernel 2.6.22 and squid-2.6.stable13

Daniel tooldcas at 163.com
Tue Dec 11 07:20:55 CET 2007


>>
>
>From: "Balazs Scheidler" <bazsi at balabit.hu>
>
>> Probably this is the case, if the packet generated by a tproxied
>> connection is visible on the OUTPUT chain, it means that tproxy did its
>> job.
>> 
>> You can check advanced routing rules by listing:
>> 
>> ip rule ls
>> 
>> You'll probably see lines like this:
>> 32765:  from all fwmark 0x64 lookup 100 
>> 
>> This means that all packets with the specified fwmark will use a
>> potentially different routing table than the ones without this mark. If
>> the referenced routing table does not have a route to the specified
>> subnet (or has a blackhole route), then the packet will not leave the
>> box.
>> 
>> You can list the referenced routing table by issuing:
>> 
>> ip route ls table 100
>> 
>> where 100 is the name/id of the routing table in question.
>> 
>
>I should have mentioned in my previous post these points  :-
>
>The problem persists irregardless of whether I set up policy routing
>or not and it is independent of what mark value I used.
>
>I have tested many times the simplest case where I do not 
>have any policy routing  and only one default route. 
>
>So certainly this is not a case of the user-level routing problem.
>
>Regards.
>
>

I'm kinda confused...

Which version exactly are you discussing?

In balabit site[1], tproxy needs iptable_tproxy and hacks route code, but in KOVACS Krisztian's webpage[2], 
the tproxy patch use policy route to make non-local sockets work without both NAT and iptable_tproxy.

PS: I hope to see a tproxy-4.0.4 patchset before tproxy being merged into kernel 2.6.25. ;)

[1]http://www.balabit.com/downloads/files/tproxy/
[2]http://people.netfilter.org/hidden/tproxy/

Regards
  
Daniel
2007-12-11 




More information about the tproxy mailing list