[tproxy] tproxy 4.1.0 and kernel 2.6.24
Ming-Ching Tiew
mingching.tiew at redtone.com
Mon Feb 4 17:09:30 CET 2008
Laszlo Attila Toth wrote:
>
> AFAIK the older version is for 2.6.23 (in October), the newer for the
> net-2.6 (originally net-2.6.25), also 2.6.24 is not explicitly supported.
Understand.
>
> You may have missed setting up routing:
>
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
> It is required for tproxy.
>
Noted.
The new FWMARK setup requirement is a little confusing to me at this
moment. I will probably ask this in a separate post.
> > 3. In the bridge mode case, when I execute a simple 'ip spoofing'
> > program (which I posted here previously, but I changed IP_FREEBIND to
> > IP_TRANSPARENT), there are packets appearing in the DIVERT target and
> > the TPROXY target, but they are delivered to the machine whose IP has
> > been spoofed (by right they are supposed to be delivered locally to the
> > spoofing program).
>
> Does this occur when you use advanced routing?
>
I have identified the reason this failed to work.
Basically it failed to work earlier because:
1) I did not set up the route as mentioned above.
2) Again, tproxy over a bridge device has the same old problem that it
requires special tricks (mentioned a few times here on this list) to get
it right.
So the latest information is that tproxy 4.1.0 works in bridge mode
(subject to one having a fix/workaround to the bridge problem, which is
needed for tproxy 4.0.x as well).
>
> We know this issue, we are going to fix this as soon as we find a good
> solution.
>
Noted.
> > 5. When I execute ebtables commands on the br0 interface, there will be
> > kernel panic.
>
> I'm afraid I'm not familiar with ebtables.
>
I will verify whether the system panics if I don't apply the tproxy patch.
The reason 'ebtables' is brought into the picture is to fix/work around
the bridge problem mentioned above. I used that for tproxy 4.0.x.
Regards.
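The policy-routing setup quoted above (fwmark rule plus a local catch-all table), as an added example that is not part of the thread or of the tproxy project: a small POSIX sh script that installs both pieces and verifies them from iproute2 output, so a missing half of the setup is caught before packets go the wrong way. The mark value 1 and table 100 come from the quoted commands; the sample `ip rule` / `ip route` output embedded below is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: mark 1 and table 100 as in
# the quoted commands; the mark that the TPROXY/DIVERT rule sets on packets must
# be the same value, otherwise the "lookup 100" rule never fires.
TPROXY_MARK=1
TPROXY_TABLE=100

# Install the fwmark rule and the local catch-all route (needs root; idempotent).
tproxy_route_setup() {
    has_mark_rule "$(ip rule show)" "$TPROXY_MARK" "$TPROXY_TABLE" ||
        ip rule add fwmark "$TPROXY_MARK" lookup "$TPROXY_TABLE"
    has_local_route "$(ip route show table "$TPROXY_TABLE")" ||
        ip route add local 0.0.0.0/0 dev lo table "$TPROXY_TABLE"
}

# has_mark_rule RULES MARK TABLE: succeeds if the `ip rule show` text in RULES
# sends MARK to TABLE. iproute2 prints the mark in hex ("fwmark 0x1"), possibly
# with a mask ("0x1/0xffffffff"), so the decimal MARK is converted first.
has_mark_rule() {
    printf '%s\n' "$1" |
        grep -Eq "fwmark 0x$(printf '%x' "$2")(/0x[0-9a-f]+)? lookup $3\$"
}

# has_local_route ROUTES: succeeds if the `ip route show table N` text has the
# local catch-all on lo. Newer iproute2 prints "local default", older builds
# print "local 0.0.0.0/0"; both are accepted.
has_local_route() {
    printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'
}

# tproxy_route_check: verify the live system and name the missing command.
tproxy_route_check() {
    has_mark_rule "$(ip rule show)" "$TPROXY_MARK" "$TPROXY_TABLE" ||
        { echo "missing: ip rule add fwmark $TPROXY_MARK lookup $TPROXY_TABLE"; return 1; }
    has_local_route "$(ip route show table "$TPROXY_TABLE")" ||
        { echo "missing: ip route add local 0.0.0.0/0 dev lo table $TPROXY_TABLE"; return 1; }
    echo "tproxy routing OK"
}

# Constructed sample output (what iproute2 prints after the two commands above).
SAMPLE_RULES='0:	from all lookup local
32765:	from all fwmark 0x1 lookup 100
32766:	from all lookup main'
SAMPLE_ROUTES='local default dev lo scope host'

has_mark_rule "$SAMPLE_RULES" "$TPROXY_MARK" "$TPROXY_TABLE" &&
    has_local_route "$SAMPLE_ROUTES" && echo "sample output passes both checks"
```

Run `tproxy_route_setup` as root on the box, then `tproxy_route_check` to confirm; the check functions themselves only parse text and need no privileges.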