[tproxy] tproxy 4.1.0 and kernel 2.6.24
mingching.tiew at redtone.com
Mon Feb 4 17:09:30 CET 2008
Laszlo Attila Toth wrote:
> AFAIK the older version is for 2.6.23 (in October), the newer for the
> net-2.6 (originally net-2.6.25), also 2.6.24 is not explicitly supported.
> You may have missed setting up routing:
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
> It is required for tproxy.
The new FWMARK setup requirement is a little confusing to me at this
moment. I will probably ask this in a separate post.
> > 3. In the bridge mode case, when I execute a simple 'ip spoofing'
> > program ( which I posted here previously, but I changed IP_FREEBIND
> > to IP_TRANSPARENT ), there are packets appearing in the DIVERT target
> > and the TPROXY target, but they are delivered to the machine whose IP
> > has been spoofed ( by right they are supposed to be delivered locally
> > to the spoofing program ).
> Does this occur when you use advanced routing?
I have identified the reason for this to fail to work.
Basically it failed to work earlier because :-
1 ) I did not set up the route as mentioned above.
2 ) Again, tproxy over bridge device has the same old problem that it
special tricks ( mentioned a few times here in this list ) to get
So latest information is that tproxy 4.1.0 works in bridge mode ( subject
to one has a fix/workaround to the bridge problem - which is needed for
tproxy as well ).
> We know this issue, we are going to fix this as soon as we find a good
> > 5. When I execute ebtables commands on the br0 interface, there will be
> > kernel panic.
> I'm afraid I'm not familiar with ebtables.
I will verify if the system will panic if I don't apply the tproxy patch.
The reason why 'ebtables' is brought into the picture is to fix/workaround
the bridge problem mentioned above. I used that for tproxy 4.0.x.
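
The routing prerequisite quoted in this message (`ip rule add fwmark 1 lookup 100` plus `ip route add local 0.0.0.0/0 dev lo table 100`) can be checked with a small script; this is an added example, not part of the original post or of the tproxy patches. The function names are hypothetical and the sample output is constructed, assuming the usual text format of iproute2's `ip rule show` and `ip route show table`.

```shell
#!/bin/sh
# Added example (not from the post): verify the policy routing tproxy relies on.
# Function names are hypothetical; SAMPLE_* text is constructed.

# Read `ip rule show` text on stdin; print the table used for fwmark $1.
find_fwmark_table() {
    awk -v want="$(printf '0x%x' "$1")" '
        { mark = ""; table = ""
          for (i = 1; i < NF; i++) {
              if ($i == "fwmark") { mark = $(i + 1); sub(/\/.*/, "", mark) }
              if ($i == "lookup") table = $(i + 1)
          }
          # compare as strings: ip prints the mark in hex, e.g. 0x1
          if ((mark "") == (want "") && table != "") { print table; exit }
        }'
}

# Read `ip route show table N` text on stdin; succeed only if it holds a
# "local" route for all of IPv4 through lo, i.e. marked packets are
# delivered to a local socket instead of being forwarded.
has_local_default() {
    awk '$1 == "local" && ($2 == "default" || $2 == "0.0.0.0/0") {
             for (i = 3; i < NF; i++)
                 if ($i == "dev" && $(i + 1) == "lo") found = 1
         }
         END { exit !found }'
}

# Run both checks against the live system for fwmark $1 (needs iproute2).
check_tproxy_routing() {
    table=$(ip rule show | find_fwmark_table "$1")
    if [ -z "$table" ]; then
        echo "no ip rule matches fwmark $1" >&2; return 1
    fi
    if ! ip route show table "$table" | has_local_default; then
        echo "table $table lacks 'local 0.0.0.0/0 dev lo'" >&2; return 1
    fi
    echo "fwmark $1 -> table $table -> local delivery via lo"
}

# Constructed sample of what the two commands print after the setup above.
SAMPLE_RULES='0:	from all lookup local
32765:	from all fwmark 0x1 lookup 100
32766:	from all lookup main
32767:	from all lookup default'
SAMPLE_ROUTES='local default dev lo scope host'
```

On a live system, `check_tproxy_routing 1` reports which of the two pieces is missing; the sample variables show the text the parsers expect.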