[tproxy] tproxy4 future

Jan Engelhardt jengelh at computergmbh.de
Tue Sep 18 12:12:23 CEST 2007

On Sep 18 2007 12:01, Balazs Scheidler wrote:
>As some of you might know, the 5th Netfilter Developer's Workshop took
>place last week in Karlsruhe, Germany. Krisztian Kovacs (hidden) and me

Krisztián was not hidden at all ;-) [scnr]

>The most important changes relative to the current 4.0.x patches are:
> * the tproxy table is gone, TPROXY targets need to be added to the
>mangle table instead
> * the tproxy match is gone, a new "socket" match is introduced
> * instead of using a separate routing trick to divert packets to the
>local IP stack inside the TProxy target, we are now using stock routing
>decisions, and need a bit in the packet MARK field, and perform
>diversion by using an advanced routing rule.
> * instead of IP_FREEBIND we are using a setsockopt named IP_TRANSPARENT
>which requires CAP_NET_ADMIN privilege

Hm, the working sample code I have here (again, based upon Krisztián's
tproxy-4.0_20060722 I was sent) requires both IP_FREEBIND and
IP_TRANSPARENT. Does this still hold?

># connections to be redirected should use the TPROXY target, which sets 
># up redirection, and marks the packet according to its 'tproxy-mark' 
># argument
>iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 50080

Is this a mark distinct from the packet mark? I remember being put
into the boiling cooking pot when I tried to have chaostables use
packet and connection marks for its tricks.

I am still unsure what exactly -j TPROXY is supposed to do.
Case 1 I can imagine: no squid, hence routing the packet with its
original address is a no-problem.
Case 2 to imagine: with squid; can use -j REDIRECT instead of -j TPROXY.

What did I miss?

More information about the tproxy mailing list