[tproxy] TProxy version 4.0.0 released

[Balazs Scheidler]

On Tue, 2007-07-31 at 13:38 +0200, Jan Engelhardt wrote:
> On Jul 31 2007 13:13, Balazs Scheidler wrote:
> >
> >Looks like we did not resolve all conflicts when forward-porting to
> >2.6.23. 
> >
> >The version on top of Ubuntu 2.6.17-12.39 was the one that has been
> >tested, but we thought that we should release to a more current version
> >as well.
> >
> >So in summary, the 2.6.17 based patch should be considered 'reasonably'
> >stable, the other is completely untested.
> 
> Is there a 'socket' match at all in balabit's tree?
> As far as I understand, I need xt_socket because otherwise,
> traffic to [foreign address on local socket] is forwarded to the real host.

The socket match was one of the latest bits of Hidden's work, in an
attempt to get tproxy merged upstream in a rush. However this makes
tproxy more difficult to use.

The exact change was to drop our routing changes and use connection mark
to divert traffic from FORWARD to INPUT.

This requires a couple of rules here and there, among others a rule with
a 'socket' match.

As we took over tproxy maintenance, we reverted back to the original
scenario, using the routing changes as well. This means that you don't
need 'socket' match right now.

It does not mean that socket will never be reintroduced, I only want a
functional, stable tproxy4 version first, and then talk to DaveM and
Patrick about its possible inclusion in October, at Netfilter
Developers' Workshop, whether they really insist not including our
routing changes.

> 
> >By the way, let me introduce Panther, he is going to be the new tproxy
> >maintainer.
> >
> >As an additional item of interest, we've also published an experimental
> >git tree to http://people.balabit.hu/panther/tproxy4.git/
> 
> 403. Not a good day, today, is it? :)

git clone works for me here, you don't need an index page in order to
git clone to work.

-- 
Bazsi