[tproxy] MAC and VLAN transparency

Balazs Scheidler bazsi at balabit.hu
Sun Jul 15 17:38:53 CEST 2007


On Wed, 2007-07-11 at 14:58 -0600, Cameron Schaus wrote:
> I am using tproxy to do source IP address transparency on our proxy,
> and it is working well.  I would like to extend the functionality of
> tproxy to provide source MAC address and VLAN transparency as well.
> The proxy in question runs as a transparent bridge, so I think that I
> have to integrate the tproxy framework with ebtables, but I'm not 100%
> sure how to go about that.
> 
> I would like to set up an ebtables (or equivalent) rule that does
> source MAC natting, similar to the source IP address NAT rule used by
> tproxy today, and I would also like to rewrite the VLAN tag in the
> outgoing packet to that of the original connection, if any.
> 
> Can anyone give me any pointers about how to best accomplish what I am
> trying to do?

Before starting anything, you should check out our latest tproxy4
patches, posted to netdev@ around March, and work relative to that tree,
as I don't want to maintain the old, NAT based approach anymore.

Other than that, doing MAC level transparency is not very easy; you
need:

Input path:
-----------
* save the source MAC whenever a connection is redirected (and ignore
the fact that destination MAC can change from packet-to-packet)
* create a possibility for the proxy application to query this MAC
address

Output path:
------------
* create a possibility to set the outgoing source MAC address for
outgoing connections

This violates a couple of layers, thus it is not going to be easy.
Especially if you also want to provide MAC level transparency (e.g. you
save the destination MAC as well and use this same MAC address for
destination on your server side connection to avoid ARP lookups).

Anyhow, I'd be interested in such work being integrated into TProxy
proper.

-- 
Bazsi
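
A user-space model of the frame handling outlined in the reply above (save the source MAC and VLAN on the input path, apply them on the output path), added here as an example; it is not tproxy or kernel code. `struct l2_origin`, `l2_save`, `l2_restore`, `NO_VLAN` and the sample frames are hypothetical names and constructed data, and only the VLAN ID is restored, not the 802.1Q priority bits.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NO_VLAN 0xFFFF  /* sentinel chosen for this example: frame was untagged */
/* Hypothetical per-connection record that the input path would fill in. */
struct l2_origin { uint8_t src_mac[6]; uint16_t vlan_id; };

/* Constructed sample frames (dst MAC, src MAC, [802.1Q tag], EtherType, payload). */
const uint8_t client_frame[] = { 2,0,0,0,0,0xbb, 2,0,0,0,0,0xaa,
                                 0x81,0x00, 0x60,0x64, 0x08,0x00, 'h','i' };
const uint8_t proxy_frame[]  = { 2,0,0,0,0,0xcc, 2,0,0,0,0,0xee, 0x08,0x00, 'o','k' };

static int is_tagged(const uint8_t *f) { return f[12] == 0x81 && f[13] == 0x00; }

/* Input path: save source MAC and VLAN ID of a redirected frame; -1 if truncated. */
int l2_save(const uint8_t *f, size_t len, struct l2_origin *o)
{
    if (len < 14 || (is_tagged(f) && len < 18)) return -1;
    memcpy(o->src_mac, f + 6, 6);
    o->vlan_id = is_tagged(f) ? (uint16_t)(((f[14] << 8) | f[15]) & 0x0FFF) : NO_VLAN;
    return 0;
}

/* Output path: copy `in` to `out` (room for len + 4 bytes) with the saved source
 * MAC and VLAN tag applied. Returns the new length, or 0 if `in` is truncated. */
size_t l2_restore(const uint8_t *in, size_t len, const struct l2_origin *o, uint8_t *out)
{
    if (len < 14 || (is_tagged(in) && len < 18)) return 0;
    size_t rest = is_tagged(in) ? 16 : 12;    /* offset of the inner EtherType */
    size_t w = 12;
    memcpy(out, in, 6);                       /* destination MAC is kept */
    memcpy(out + 6, o->src_mac, 6);           /* source MAC of the original client */
    if (o->vlan_id != NO_VLAN) {              /* re-tag with the original VLAN ID */
        out[w++] = 0x81; out[w++] = 0x00;
        out[w++] = (uint8_t)(o->vlan_id >> 8); out[w++] = (uint8_t)(o->vlan_id & 0xFF);
    }
    memcpy(out + w, in + rest, len - rest);
    return w + (len - rest);
}

int main(void)
{
    struct l2_origin o; uint8_t out[sizeof proxy_frame + 4];
    if (l2_save(client_frame, sizeof client_frame, &o) != 0) return 1;
    size_t n = l2_restore(proxy_frame, sizeof proxy_frame, &o, out);
    printf("vlan=%u len=%zu src=...:%02x\n", (unsigned)o.vlan_id, n, (unsigned)out[11]);
    return 0;
}
```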


