[tproxy] The future of tproxy

Balazs Scheidler bazsi at balabit.hu
Sun May 27 00:19:43 CEST 2007


On Sat, 2007-05-26 at 22:45 +0200, Jan Engelhardt wrote:
> On May 26 2007 22:32, Igmar Palsenberg wrote:
> >> > We definitely want to move away from NAT, and we don't plan to migrate
> >> > towards network channels. (at least for now).
> >> 
> >> But how is one supposed to fake addresses then?
> >
> > By bind()'ing to the remote address, like the way it was done in the Linux 2.2
> > days.
> 
> Yeah but you'd still need a local table that lists tproxied sockets, so
> that for an arbitrary incoming packet it can be decided whether it is
> to go through the INPUT or FORWARD chain (and subsequently, destination
> program/host).

The local table is the "socket hash". We do a socket lookup early in the
input path and divert the packet to the local IP stack by changing its
dst_entry.

-- 
Bazsi
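Bazsi's reply describes the early-input socket lookup that decides between local delivery and forwarding. As an added example that is not code from the tproxy project or its author, the C below models that "socket hash" decision in user space, with a constructed socket table and a hypothetical `transparent` flag standing in for a listener bound to a remote address:

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not code from the tproxy project: a user-space model of
 * the "socket hash" decision. A packet is matched first against connected
 * sockets (full 4-tuple), then against listeners on its destination port.
 * The `transparent` flag is an assumption standing in for "bound to a
 * remote address": such a listener owns a non-local IP, so a packet for
 * that IP goes to the local stack (INPUT) instead of FORWARD. */

enum verdict { VERDICT_FORWARD = 0, VERDICT_LOCAL = 1 };
struct pkt  { uint32_t saddr, daddr; uint16_t sport, dport; };
struct sock { uint32_t laddr, raddr; uint16_t lport, rport; int transparent; };

#define LOCAL_IP 0xC000020AU   /* constructed: 192.0.2.10 is this host's IP */

/* Constructed socket table standing in for the kernel's hash */
static const struct sock sock_hash[] = {
    /* connected: 192.0.2.10:8080 <-> 198.51.100.5:40000 */
    { LOCAL_IP, 0xC6336405U, 8080, 40000, 0 },
    /* transparent listener owning 203.0.113.7:80, an address not ours */
    { 0xCB007107U, 0, 80, 0, 1 },
};
#define NSOCKS (sizeof sock_hash / sizeof sock_hash[0])

static const struct sock *sock_lookup(const struct pkt *p) {
    size_t i;
    for (i = 0; i < NSOCKS; i++) {          /* established match first */
        const struct sock *s = &sock_hash[i];
        if (s->raddr && s->laddr == p->daddr && s->lport == p->dport &&
            s->raddr == p->saddr && s->rport == p->sport)
            return s;
    }
    for (i = 0; i < NSOCKS; i++) {          /* then a listener (raddr == 0) */
        const struct sock *s = &sock_hash[i];
        if (!s->raddr && s->lport == p->dport && s->laddr == p->daddr)
            return s;
    }
    return NULL;
}

/* Early-input decision: a matching socket diverts the packet locally */
enum verdict classify(const struct pkt *p) {
    const struct sock *s = sock_lookup(p);
    if (s && (s->transparent || p->daddr == LOCAL_IP))
        return VERDICT_LOCAL;
    return p->daddr == LOCAL_IP ? VERDICT_LOCAL : VERDICT_FORWARD;
}
```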
