[tproxy] tproxy Digest, Vol 25, Issue 9

Sunin Thaveethamsavee tsunin at gmail.com
Tue Jul 31 16:14:22 CEST 2007


Can TProxy 4.0 be applied with Squid 2.6 or 3.0?

-----Original Message-----
From: tproxy-bounces at lists.balabit.hu
[mailto:tproxy-bounces at lists.balabit.hu] On Behalf Of
tproxy-request at lists.balabit.hu
Sent: Tuesday, July 31, 2007 6:39 PM
To: tproxy at lists.balabit.hu
Subject: tproxy Digest, Vol 25, Issue 9

Today's Topics:

   1. TProxy version 4.0.0 released (Laszlo Attila Toth)
   2. Re: TProxy v4: xt_TPROXY (Jan Engelhardt)
   3. Re: TProxy v4: xt_socket (Jan Engelhardt)
   4. Re: TProxy v4: 2.6.23 addendum (Jan Engelhardt)
   5. Re: TProxy v4: libxt_TPROXY (Jan Engelhardt)
   6. Re: TProxy version 4.0.0 released (Jan Engelhardt)
   7. Re: TProxy version 4.0.0 released (Balazs Scheidler)
   8. Re: TProxy version 4.0.0 released (Jan Engelhardt)


----------------------------------------------------------------------

Message: 1
Date: Tue, 31 Jul 2007 12:31:35 +0200
From: Laszlo Attila Toth <panther at balabit.hu>
Subject: [tproxy] TProxy version 4.0.0 released
To: tproxy at lists.balabit.hu
Message-ID: <200707311231.35194.panther at balabit.hu>
Content-Type: text/plain;  charset="utf-8"

  Hi,

TProxy version 4.0.0 has been released for Linux 2.6.17 (Ubuntu 
2.6.17.1-12.39) and 2.6.23-rc1

This is a completely rewritten version which no longer uses NAT.

The release tarballs are available here:

http://www.balabit.com/downloads/files/tproxy/

MD5 checksums of the tarballs:

a655fd090c06827bd6927f2b894ee178  tproxy-4.0.0-2.6.23-rc1.tgz
d7175531d67beaab48293cd86cac5d21  tproxy-4.0.0-ubuntu-2.6.17-12.39.tgz

-- 
Regards,
	Laszlo Attila Toth


------------------------------

Message: 2
Date: Tue, 31 Jul 2007 12:37:23 +0200 (CEST)
From: Jan Engelhardt <jengelh at computergmbh.de>
Subject: Re: [tproxy] TProxy v4: xt_TPROXY
To: Laszlo Attila Toth <panther at balabit.hu>
Cc: tproxy at lists.balabit.hu
Message-ID:
	<Pine.LNX.4.64.0707311235000.22515 at fbirervta.pbzchgretzou.qr>
Content-Type: TEXT/PLAIN; charset=US-ASCII


Looks like I should join in my modifications.

===

iptables TPROXY target

From: KOVACS Krisztian <hidden at balabit.hu>

The TPROXY target implements redirection of non-local TCP/UDP traffic
to local sockets. It is simply a wrapper around functionality exported
from iptable_tproxy.

Signed-off-by: KOVACS Krisztian <hidden at balabit.hu>

Changed to xt_TPROXY. -Jan Engelhardt <jengelh at gmx.de>

---

 include/linux/netfilter/xt_TPROXY.h |    9 ++++
 net/ipv4/netfilter/Kconfig          |   11 +++++
 net/netfilter/Makefile              |    1 
 net/netfilter/xt_TPROXY.c           |   76
++++++++++++++++++++++++++++++++++++
 4 files changed, 97 insertions(+)

Index: linux-2.6.22.1/include/linux/netfilter/xt_TPROXY.h
===================================================================
--- /dev/null
+++ linux-2.6.22.1/include/linux/netfilter/xt_TPROXY.h
@@ -0,0 +1,9 @@
+#ifndef _XT_TPROXY_H
+#define _XT_TPROXY_H
+
+struct xt_tproxy_info {
+	u_int32_t laddr;
+	u_int16_t lport;
+};
+
+#endif /* _XT_TPROXY_H */
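
Review bot: in struct xt_tproxy_info, laddr and lport are declared as plain u_int32_t and u_int16_t, but the rest of the series treats them as network byte order (libxt_TPROXY.c stores htons(lport), and xt_TPROXY.c uses them interchangeably with iph->daddr and hp->dest). Declaring them as __be32 laddr and __be16 lport, or at least commenting each field, would document the byte order and let sparse catch a missing conversion. Since the struct is shared with userspace, it is also worth a comment that a zero value means "keep the packet's original address/port", which is what the ?: fallbacks in tproxy_target() implement.
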
Index: linux-2.6.22.1/net/ipv4/netfilter/Kconfig
===================================================================
--- linux-2.6.22.1.orig/net/ipv4/netfilter/Kconfig
+++ linux-2.6.22.1/net/ipv4/netfilter/Kconfig
@@ -403,6 +403,17 @@ config IP_NF_TPROXY_TABLE
 
 	  To compile it as a module, choose M here.  If unsure, say `N'.
 
+config NETFILTER_XT_TARGET_TPROXY
+	tristate "TPROXY target support"
+	depends on IP_NF_TPROXY_TABLE
+	help
+	  This option adds a `TPROXY' target, which is somewhat similar to
+	  REDIRECT.  It can only be used in the tproxy table and is useful
+	  to redirect traffic to a transparent proxy.  It does _not_ depend
+	  on Netfilter connection tracking.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 # ARP tables
 config IP_NF_ARPTABLES
 	tristate "ARP tables support"
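
Review bot: the new NETFILTER_XT_TARGET_TPROXY entry is added to net/ipv4/netfilter/Kconfig, while the object it enables is built from net/netfilter/Makefile as xt_TPROXY.o. The symbol would sit more naturally in net/netfilter/Kconfig next to the other NETFILTER_XT_TARGET_* options, keeping the "depends on IP_NF_TPROXY_TABLE" line. Minor style point: the context line above writes `N' in quotes while the new help text ends with a bare N.
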
Index: linux-2.6.22.1/net/netfilter/Makefile
===================================================================
--- linux-2.6.22.1.orig/net/netfilter/Makefile
+++ linux-2.6.22.1/net/netfilter/Makefile
@@ -50,6 +50,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) 
 obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_TARPIT) += xt_TARPIT.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_TPROXY) += xt_TPROXY.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
 
 # matches
Index: linux-2.6.22.1/net/netfilter/xt_TPROXY.c
===================================================================
--- /dev/null
+++ linux-2.6.22.1/net/netfilter/xt_TPROXY.c
@@ -0,0 +1,76 @@
+/*
+ * Transparent proxy support for Linux/iptables
+ *
+ * Copyright (c) 2006-2007 BalaBit IT Ltd.
+ * Author: Balazs Scheidler, Krisztian Kovacs
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+#include <linux/ip.h>
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ip_tproxy.h>
+#include <linux/netfilter/xt_TPROXY.h>
+#include <net/checksum.h>
+#include <net/inet_sock.h>
+#include <net/udp.h>
+
+static unsigned int
+tproxy_target(struct sk_buff **pskb, const struct net_device *in,
+              const struct net_device *out, unsigned int hooknum,
+              const struct xt_target *target, const void *targinfo)
+{
+	const struct xt_tproxy_info *tgi = targinfo;
+	const struct iphdr *iph = ip_hdr(*pskb);
+	struct sk_buff *skb = *pskb;
+	struct udphdr _hdr, *hp;
+
+	/* TCP/UDP only */
+	if (iph->protocol != IPPROTO_TCP && iph->protocol != IPPROTO_UDP)
+		return NF_ACCEPT;
+
+	hp = skb_header_pointer(*pskb, iph->ihl * 4, sizeof(_hdr), &_hdr);
+	if (hp == NULL)
+		return NF_DROP;
+
+	skb->nf_tproxy.redirect_address = tgi->laddr ? : iph->daddr;
+	skb->nf_tproxy.redirect_port    = tgi->lport ? : hp->dest;
+
+	pr_debug(KERN_DEBUG "redirecting: proto %d %08x:%d -> %08x:%d\n",
+	         iph->protocol, ntohl(iph->daddr), ntohs(hp->dest),
+	         ntohl(skb->nf_tproxy.redirect_address),
+	         ntohs(skb->nf_tproxy.redirect_port));
+
+	return NF_ACCEPT;
+}
+
+static struct xt_target xt_tproxy_reg __read_mostly = {
+	.name       = "TPROXY",
+	.family     = AF_INET,
+	.table      = "tproxy",
+	.target     = tproxy_target,
+	.targetsize = sizeof(struct xt_tproxy_info),
+	.me         = THIS_MODULE,
+};
+
+static int __init xt_tproxy_init(void)
+{
+	return xt_register_target(&xt_tproxy_reg);
+}
+
+static void __exit xt_tproxy_exit(void)
+{
+	xt_unregister_target(&xt_tproxy_reg);
+}
+
+module_init(xt_tproxy_init);
+module_exit(xt_tproxy_exit);
+MODULE_AUTHOR("Krisztian Kovacs <hidden at balabit.hu>");
+MODULE_DESCRIPTION("Netfilter transparent proxy TPROXY target module");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_TPROXY");
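
Review bot: tproxy_target() reads the port through skb_header_pointer(*pskb, iph->ihl * 4, ...) without looking at the fragment offset, so for a non-first fragment hp->dest would be payload bytes rather than a destination port. Unless the tproxy table is guaranteed to see only reassembled packets, add a check on iph->frag_off & htons(IP_OFFSET) before the header read, and say in a comment which of the two holds. Two smaller points: pr_debug() already supplies the log level, so the KERN_DEBUG in the format string should go, and a one-line comment that struct udphdr is used for TCP as well because only the port fields are read would help the next reader.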


------------------------------

Message: 3
Date: Tue, 31 Jul 2007 12:38:00 +0200 (CEST)
From: Jan Engelhardt <jengelh at computergmbh.de>
Subject: Re: [tproxy] TProxy v4: xt_socket
To: Laszlo Attila Toth <panther at balabit.hu>
Cc: TProxy Mailing List <tproxy at lists.balabit.hu>
Message-ID:
	<Pine.LNX.4.64.0707311237400.22515 at fbirervta.pbzchgretzou.qr>
Content-Type: TEXT/PLAIN; charset=US-ASCII


iptables socket match

From: KOVACS Krisztian <hidden at balabit.hu>

Add iptables 'socket' match, which matches packets for which a TCP/UDP
socket lookup succeeds.

Signed-off-by: KOVACS Krisztian <hidden at balabit.hu>


Changed to xt_socket. -Jan Engelhardt <jengelh at gmx.de>

---

 net/ipv4/netfilter/Kconfig |   10 +++++
 net/netfilter/Makefile     |    1 
 net/netfilter/xt_socket.c  |   80
+++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 91 insertions(+)

Index: linux-2.6.22.1/net/ipv4/netfilter/Kconfig
===================================================================
--- linux-2.6.22.1.orig/net/ipv4/netfilter/Kconfig
+++ linux-2.6.22.1/net/ipv4/netfilter/Kconfig
@@ -414,6 +414,16 @@ config NETFILTER_XT_TARGET_TPROXY
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config NETFILTER_XT_MATCH_SOCKET
+	tristate "socket match support"
+	depends on IP_NF_TPROXY_TABLE
+	help
+	  This option adds a `socket' match, which can be used to match
+	  packets for which a TCP or UDP socket lookup finds a valid socket.
+	  It can only be used in the tproxy table.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 # ARP tables
 config IP_NF_ARPTABLES
 	tristate "ARP tables support"
Index: linux-2.6.22.1/net/netfilter/Makefile
===================================================================
--- linux-2.6.22.1.orig/net/netfilter/Makefile
+++ linux-2.6.22.1/net/netfilter/Makefile
@@ -76,6 +76,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE)
 obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_SOCKET) += xt_socket.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) += xt_statistic.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o
Index: linux-2.6.22.1/net/netfilter/xt_socket.c
===================================================================
--- /dev/null
+++ linux-2.6.22.1/net/netfilter/xt_socket.c
@@ -0,0 +1,80 @@
+/*
+ * Transparent proxy support for Linux/iptables
+ *
+ * Copyright (c) 2007 BalaBit IT Ltd.
+ * Author: Krisztian Kovacs
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter_ipv4/ip_tproxy.h>
+#include <net/inet_sock.h>
+#include <net/sock.h>
+#include <net/tcp.h>
+#include <net/udp.h>
+
+static int
+socket_match(const struct sk_buff *skb, const struct net_device *in,
+             const struct net_device *out, const struct xt_match *match,
+             const void *matchinfo, int offset, unsigned int protoff,
+             int *hotdrop)
+{
+	const struct iphdr *iph = ip_hdr(skb);
+	struct udphdr _hdr, *hp;
+	struct sock *sk;
+
+	/* TCP/UDP only */
+	if (iph->protocol != IPPROTO_TCP && iph->protocol != IPPROTO_UDP)
+		return false;
+
+	hp = skb_header_pointer(skb, iph->ihl * 4, sizeof(_hdr), &_hdr);
+	if (hp == NULL)
+		return false;
+
+	sk = ip_tproxy_get_sock(iph->protocol, iph->saddr, iph->daddr,
+ 	                        hp->source, hp->dest, in);
+	if (sk != NULL) {
+		if (iph->protocol == IPPROTO_TCP &&
+		    sk->sk_state == TCP_TIME_WAIT)
+			inet_twsk_put(inet_twsk(sk));
+		else
+			sock_put(sk);
+	}
+
+	pr_debug(KERN_DEBUG "socket match: proto %d %08x:%d -> %08x:%d sock
%p\n",
+	         iph->protocol, ntohl(iph->saddr), ntohs(hp->source),
+	         ntohl(iph->daddr), ntohs(hp->dest), sk);
+
+	return sk != NULL;
+}
+
+static struct xt_match socket_reg __read_mostly = {
+	.name      = "socket",
+	.family    = AF_INET,
+	.table     = "tproxy",
+	.match     = socket_match,
+	.me        = THIS_MODULE,
+};
+
+static int __init xt_socket_init(void)
+{
+	return xt_register_match(&socket_reg);
+}
+
+static void __exit xt_socket_fini(void)
+{
+	xt_unregister_match(&socket_reg);
+}
+
+module_init(xt_socket_init);
+module_exit(xt_socket_fini);
+MODULE_AUTHOR("Krisztian Kovacs <hidden at balabit.hu>");
+MODULE_DESCRIPTION("netfilter socket match module");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_socket");
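
Review bot: socket_match() ignores its offset argument and always reads the ports at iph->ihl * 4, so a non-first fragment would be looked up with payload bytes as source and destination port. Return false early when offset is non-zero; the protoff argument could then replace iph->ihl * 4. The function is declared static int but returns false and sk != NULL, so pick one convention for the 2.6.22 version. The pr_debug() call prints sk after its reference has been dropped, which is harmless for %p but deserves a comment so nobody later dereferences it there.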


------------------------------

Message: 4
Date: Tue, 31 Jul 2007 12:39:04 +0200 (CEST)
From: Jan Engelhardt <jengelh at computergmbh.de>
Subject: Re: [tproxy] TProxy v4: 2.6.23 addendum
To: Laszlo Attila Toth <panther at balabit.hu>
Cc: TProxy Mailing List <tproxy at lists.balabit.hu>
Message-ID:
	<Pine.LNX.4.64.0707311238170.22515 at fbirervta.pbzchgretzou.qr>
Content-Type: TEXT/PLAIN; charset=US-ASCII


Previous two were for 2.6.22, if using nf-dev, the following extra is 
needed.

---
 net/netfilter/xt_socket.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Index: linux-2.6.22.1/net/netfilter/xt_socket.c
===================================================================
--- linux-2.6.22.1.orig/net/netfilter/xt_socket.c
+++ linux-2.6.22.1/net/netfilter/xt_socket.c
@@ -19,11 +19,11 @@
 #include <net/tcp.h>
 #include <net/udp.h>
 
-static int
+static bool
 socket_match(const struct sk_buff *skb, const struct net_device *in,
              const struct net_device *out, const struct xt_match *match,
              const void *matchinfo, int offset, unsigned int protoff,
-             int *hotdrop)
+             bool *hotdrop)
 {
 	const struct iphdr *iph = ip_hdr(skb);
 	struct udphdr _hdr, *hp;





------------------------------

Message: 5
Date: Tue, 31 Jul 2007 12:40:18 +0200 (CEST)
From: Jan Engelhardt <jengelh at computergmbh.de>
Subject: Re: [tproxy] TProxy v4: libxt_TPROXY
To: Laszlo Attila Toth <panther at balabit.hu>
Cc: TProxy Mailing List <tproxy at lists.balabit.hu>
Message-ID:
	<Pine.LNX.4.64.0707311239130.22515 at fbirervta.pbzchgretzou.qr>
Content-Type: TEXT/PLAIN; charset=US-ASCII


Applies on top of iptables-svn6974.

---
 extensions/.tproxy-testx  |    3 +
 extensions/libxt_TPROXY.c |  114
++++++++++++++++++++++++++++++++++++++++++++++
 extensions/libxt_socket.c |   49 +++++++++++++++++++
 3 files changed, 166 insertions(+)

Index: iptables/extensions/.tproxy-testx
===================================================================
--- /dev/null
+++ iptables/extensions/.tproxy-testx
@@ -0,0 +1,3 @@
+#!/bin/sh
+[ -f "$KERNEL_DIR/include/linux/netfilter/xt_TPROXY.h" ] && echo TPROXY;
+echo socket;
Index: iptables/extensions/libxt_TPROXY.c
===================================================================
--- /dev/null
+++ iptables/extensions/libxt_TPROXY.c
@@ -0,0 +1,114 @@
+/* Shared library add-on to iptables to add TPROXY target support.
+ *
+ * Copyright (C) 2002-2007 BalaBit IT Ltd.
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <iptables.h>
+#include <xtables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/xt_TPROXY.h>
+
+static const struct option tproxy_opts[] = {
+	{"on-port", 1, NULL, '1'},
+	{"on-ip",   1, NULL, '2'},
+	{NULL},
+};
+
+static void tproxy_help(void)
+{
+	printf(
+"TPROXY target v%s options:\n"
+"  --on-port port                   Redirect connection to port, or the
original port if 0\n"
+"  --on-ip ip                       Optionally redirect to the given IP\n",
+IPTABLES_VERSION);
+}
+
+static void parse_tproxy_lport(const char *s, struct xt_tproxy_info *info)
+{
+	unsigned int lport;
+
+	if (string_to_number(s, 0, 65535, &lport) != -1)
+	        info->lport = htons(lport);
+	else
+	        exit_error(PARAMETER_PROBLEM, "bad --on-proxy `%s'", s);
+}
+
+static void parse_tproxy_laddr(const char *s, struct xt_tproxy_info *info)
+{
+	struct in_addr *laddr;
+
+	if ((laddr = dotted_to_addr(s)) == NULL)
+	        exit_error(PARAMETER_PROBLEM, "bad --on-ip `%s'", s);
+ 	info->laddr = laddr->s_addr;
+}
+
+static int tproxy_parse(int c, char **argv, int invert, unsigned int
*flags,
+                        const void *entry, struct xt_entry_target **target)
+{
+	struct xt_tproxy_info *tproxyinfo = (void *)(*target)->data;
+
+	switch (c) {
+	case '1':
+		if (*flags != 0)
+			exit_error(PARAMETER_PROBLEM,
+				"TPROXY target: Can't specify --to-port
twice");
+		parse_tproxy_lport(optarg, tproxyinfo);
+		*flags = 1;
+		break;
+	case '2':
+		parse_tproxy_laddr(optarg, tproxyinfo);
+		break;
+	default:
+		return 0;
+	}
+
+	return 1;
+}
+
+static void tproxy_check(unsigned int flags)
+{
+	if (flags == 0)
+		exit_error(PARAMETER_PROBLEM,
+		           "TPROXY target: Parameter --on-port is
required");
+}
+
+static void tproxy_print(const void *ip, const struct xt_entry_target
*target,
+                         int numeric)
+{
+	const struct xt_tproxy_info *tproxyinfo = (const void
*)target->data;
+	printf("TPROXY redirect %s:%d",
+	       addr_to_dotted((const struct in_addr *)&tproxyinfo->laddr),
+	       ntohs(tproxyinfo->lport));
+}
+
+static void tproxy_save(const void *ip, const struct xt_entry_target
*target)
+{
+	const struct xt_tproxy_info *tproxyinfo = (const void
*)target->data;
+
+	printf("--on-port %d ", ntohs(tproxyinfo->lport));
+	printf("--on-ip %s ",
+	       addr_to_dotted((const struct in_addr *)&tproxyinfo->laddr));
+}
+
+static struct xtables_target tproxy_reg = {
+	.name          = "TPROXY",
+	.family        = AF_INET,
+	.version       = IPTABLES_VERSION,
+	.size          = XT_ALIGN(sizeof(struct xt_tproxy_info)),
+	.userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_info)),
+	.help          = tproxy_help,
+	.parse         = tproxy_parse,
+	.final_check   = tproxy_check,
+	.print         = tproxy_print,
+	.save          = tproxy_save,
+	.extra_opts    = tproxy_opts,
+};
+
+void _init(void)
+{
+	xtables_register_target(&tproxy_reg);
+}
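
Review bot: the error strings do not match the options declared in tproxy_opts: parse_tproxy_lport() reports "bad --on-proxy" and the duplicate check in tproxy_parse() reports "Can't specify --to-port twice", while the option is --on-port. Both messages should name --on-port. Also in tproxy_parse(), only case '1' checks and sets *flags, so a repeated --on-ip is accepted silently with the last value winning; a separate flag bit per option would catch that. tproxy_save() always prints --on-ip, even when laddr is zero, so the help text for --on-ip should say what a zero address means, as it already does for port 0.
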
Index: iptables/extensions/libxt_socket.c
===================================================================
--- /dev/null
+++ iptables/extensions/libxt_socket.c
@@ -0,0 +1,49 @@
+/* Shared library add-on to iptables to add early socket matching support.
*/
+#include <stdio.h>
+#include <getopt.h>
+#include <xtables.h>
+
+static void socket_print(const void *ip, const struct xt_entry_match
*match,
+                         int numeric)
+{
+	printf("socket ");
+}
+
+static int socket_parse(int c, char **argv, int invert, unsigned int
*flags,
+                        const void *entry, unsigned int *nfcache,
+                        struct xt_entry_match **match)
+{
+	return 0;
+}
+
+static void socket_check(unsigned int flags)
+{
+}
+
+static struct xtables_match socket_reg = {
+	.name          = "socket",
+	.family        = AF_INET,
+	.version       = IPTABLES_VERSION,
+	.size          = XT_ALIGN(0),
+	.userspacesize = XT_ALIGN(0),
+	.parse         = socket_parse,
+	.final_check   = socket_check,
+	.print         = socket_print,
+};
+
+static struct xtables_match socket_reg6 = {
+	.name          = "socket",
+	.family        = AF_INET6,
+	.version       = IPTABLES_VERSION,
+	.size          = XT_ALIGN(0),
+	.userspacesize = XT_ALIGN(0),
+	.parse         = socket_parse,
+	.final_check   = socket_check,
+	.print         = socket_print,
+};
+
+void _init(void)
+{
+	xtables_register_match(&socket_reg);
+	xtables_register_match(&socket_reg6);
+}
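
Review bot: socket_reg6 registers the match for AF_INET6, but the kernel side posted in this series (xt_socket.c) registers only .family = AF_INET and reads an IPv4 header, so the IPv6 registration has no kernel counterpart. Drop socket_reg6 until there is an IPv6 match, or explain in a comment why it is there. Neither struct sets .help or .save; adding a short help callback and an empty save would keep this extension in line with libxt_TPROXY.c above.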


------------------------------

Message: 6
Date: Tue, 31 Jul 2007 12:45:15 +0200 (CEST)
From: Jan Engelhardt <jengelh at computergmbh.de>
Subject: Re: [tproxy] TProxy version 4.0.0 released
To: Laszlo Attila Toth <panther at balabit.hu>
Cc: tproxy at lists.balabit.hu
Message-ID:
	<Pine.LNX.4.64.0707311243440.22515 at fbirervta.pbzchgretzou.qr>
Content-Type: TEXT/PLAIN; charset=US-ASCII


On Jul 31 2007 12:31, Laszlo Attila Toth wrote:
>
>MD5 checksums of the tarballs:
>
>a655fd090c06827bd6927f2b894ee178  tproxy-4.0.0-2.6.23-rc1.tgz
>d7175531d67beaab48293cd86cac5d21  tproxy-4.0.0-ubuntu-2.6.17-12.39.tgz

That can not compile, because there are still a lot of merge markers.


@@ -1950,7 +2065,14 @@ int ip_route_input(struct sk_buff *skb, __be32 daddr,
                    rth->fl.fl4_src == saddr &&
                    rth->fl.iif == iif &&
                    rth->fl.oif == 0 &&
+<<<<<<< HEAD:net/ipv4/route.c
                    rth->fl.mark == skb->mark &&
+=======
+#ifdef CONFIG_IP_ROUTE_FWMARK
+                   rth->fl.fl4_fwmark == skb->nfmark &&
+#endif
+                   !(rth->u.dst.flags & DST_DIVERTED) &&
+>>>>>>> 2bc8cb4... initial import of tproxy4 (2007-07-30):net/ipv4/route.c
                    rth->fl.fl4_tos == tos) {
                        rth->u.dst.lastuse = jiffies;
                        dst_hold(&rth->u.dst);
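
Review bot: the conflict markers (<<<<<<< HEAD, =======, >>>>>>> 2bc8cb4...) are added as + lines inside the condition of ip_route_input(), so the two sides need resolving by hand rather than just deleting the markers. The HEAD side compares rth->fl.mark with skb->mark; the imported side compares rth->fl.fl4_fwmark with skb->nfmark under CONFIG_IP_ROUTE_FWMARK and adds the !(rth->u.dst.flags & DST_DIVERTED) test. The resolution has to pick the mark comparison that matches this tree's field names and decide explicitly whether the DST_DIVERTED test stays.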




	Jan
-- 


------------------------------

Message: 7
Date: Tue, 31 Jul 2007 13:13:28 +0200
From: Balazs Scheidler <bazsi at balabit.hu>
Subject: Re: [tproxy] TProxy version 4.0.0 released
To: Jan Engelhardt <jengelh at computergmbh.de>
Cc: tproxy at lists.balabit.hu
Message-ID: <1185880408.6998.69.camel at bzorp.balabit>
Content-Type: text/plain

On Tue, 2007-07-31 at 12:45 +0200, Jan Engelhardt wrote:
> On Jul 31 2007 12:31, Laszlo Attila Toth wrote:
> >
> >MD5 checksums of the tarballs:
> >
> >a655fd090c06827bd6927f2b894ee178  tproxy-4.0.0-2.6.23-rc1.tgz
> >d7175531d67beaab48293cd86cac5d21  tproxy-4.0.0-ubuntu-2.6.17-12.39.tgz
> 
> That can not compile, because there are still a lot of merge markers.
> 
> 
> @@ -1950,7 +2065,14 @@ int ip_route_input(struct sk_buff *skb, __be32
daddr,
>                     rth->fl.fl4_src == saddr &&
>                     rth->fl.iif == iif &&
>                     rth->fl.oif == 0 &&
> +<<<<<<< HEAD:net/ipv4/route.c
>                     rth->fl.mark == skb->mark &&
> +=======
> +#ifdef CONFIG_IP_ROUTE_FWMARK
> +                   rth->fl.fl4_fwmark == skb->nfmark &&
> +#endif
> +                   !(rth->u.dst.flags & DST_DIVERTED) &&
> +>>>>>>> 2bc8cb4... initial import of tproxy4
(2007-07-30):net/ipv4/route.c
>                     rth->fl.fl4_tos == tos) {
>                         rth->u.dst.lastuse = jiffies;
>                         dst_hold(&rth->u.dst);

Looks like we did not resolve all conflicts when forward-porting to
2.6.23. 

The version on top of Ubuntu 2.6.17-12.39 was the one that has been
tested, but we thought that we should release to a more current version
as well.

So in summary, the 2.6.17 based patch should be considered 'reasonably'
stable, the other is completely untested.

By the way, let me introduce Panther, he is going to be the new tproxy
maintainer.

As an additional item of interest, we've also published an experimental
git tree to http://people.balabit.hu/panther/tproxy4.git/

-- 
Bazsi



------------------------------

Message: 8
Date: Tue, 31 Jul 2007 13:38:38 +0200 (CEST)
From: Jan Engelhardt <jengelh at computergmbh.de>
Subject: Re: [tproxy] TProxy version 4.0.0 released
To: Balazs Scheidler <bazsi at balabit.hu>
Cc: tproxy at lists.balabit.hu
Message-ID:
	<Pine.LNX.4.64.0707311336340.22515 at fbirervta.pbzchgretzou.qr>
Content-Type: TEXT/PLAIN; charset=US-ASCII


On Jul 31 2007 13:13, Balazs Scheidler wrote:
>
>Looks like we did not resolve all conflicts when forward-porting to
>2.6.23. 
>
>The version on top of Ubuntu 2.6.17-12.39 was the one that has been
>tested, but we thought that we should release to a more current version
>as well.
>
>So in summary, the 2.6.17 based patch should be considered 'reasonably'
>stable, the other is completely untested.

Is there a 'socket' match at all in balabit's tree?
As far as I understand, I need xt_socket because otherwise,
traffic to [foreign address on local socket] is forwarded to the real host.

>By the way, let me introduce Panther, he is going to be the new tproxy
>maintainer.
>
>As an additional item of interest, we've also published an experimental
>git tree to http://people.balabit.hu/panther/tproxy4.git/

403. Not a good day, today, is it? :)



	Jan
-- 


------------------------------



End of tproxy Digest, Vol 25, Issue 9
*************************************


