[tproxy] tproxy 4.1.0 and kernel 2.6.24

Ming-Ching Tiew mingching.tiew at redtone.com
Mon Feb 4 17:09:30 CET 2008

Laszlo Attila Toth wrote:
> AFAIK the older version is for 2.6.23 (in October), the newer for the 
> net-2.6 (originally net-2.6.25), also 2.6.24 is not explicitly supported.


> You may have missed setting up routing:
>  ip rule add fwmark 1 lookup 100
>  ip route add local dev lo table 100
> It is required for tproxy.


The new FWMARK setup requirement is a little confusing to me at this
moment. I will probably ask this in a separate post.

> > 3. In the bridge mode case, when I execute a simple 'ip spoofing'
> > program (which I posted here previously, but I changed IP_FREEBIND to
> > IP_TRANSPARENT), there are packets appearing in the DIVERT target and
> > the TPROXY target, but they are delivered to the machine whose IP has
> > been spoofed (by right they are supposed to be delivered locally to
> > the spoofing program).
> Does this occur when you use advanced routing?

I have identified the reason why this failed to work.

Basically it failed to work earlier because:

1 ) I did not set up the route as mentioned above.

2 ) Again, tproxy over a bridge device has the same old problem that it
     needs special tricks (mentioned a few times here in this list) to get
it right.

So the latest information is that tproxy 4.1.0 works in bridge mode
(subject to one having a fix/workaround for the bridge problem, which is
needed for tproxy as well).

> We know this issue, we are going to fix this as soon as we find a good 
> solution.


> > 5. When I execute ebtables commands on the br0 interface, there will be
> > a kernel panic.
> I'm afraid I'm not familiar with ebtables.

I will verify if the system will panic if I don't apply the tproxy patch.

The reason why 'ebtables' is brought into the picture is to fix/workaround
the bridge problem mentioned above. I used that for tproxy 4.0.x.
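As an added example (not code from the original message, nor from the tproxy project), here is the routing set-up quoted above together with the mangle rules it is normally paired with, plus a check that parses `ip rule` / `ip route` output to confirm a host actually has the routing in place. Mark 1 and table 100 are the values quoted in the thread; the proxy port 3128, the port-80 match and the 0.0.0.0/0 prefix (taken from the kernel's Documentation/networking/tproxy.txt, which the quoted message leaves out) are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from the original message or the
# tproxy project. Mark/table numbers are the ones quoted in the thread;
# PROXY_PORT, the --dport 80 match and the 0.0.0.0/0 prefix are assumptions.

TPROXY_MARK=1       # fwmark set by the DIVERT chain (from the quoted message)
TPROXY_TABLE=100    # table that loops marked packets to lo (from the quoted message)
PROXY_PORT=3128     # assumed local listener port of the transparent proxy

# Routing side, as quoted in the thread. Needs root; not exercised by the
# test. 0.0.0.0/0 is the prefix given in Documentation/networking/tproxy.txt.
tproxy_routing_apply() {
    ip rule add fwmark "$TPROXY_MARK" lookup "$TPROXY_TABLE"
    ip route add local 0.0.0.0/0 dev lo table "$TPROXY_TABLE"
}

# Mangle side: -m socket re-marks packets that already belong to a local
# (transparent) socket so the rule/table above delivers them locally instead
# of forwarding them; TPROXY steers new port-80 flows to the proxy socket.
tproxy_mangle_apply() {
    iptables -t mangle -N DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark "$TPROXY_MARK"
    iptables -t mangle -A DIVERT -j ACCEPT
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
        --tproxy-mark "$TPROXY_MARK/$TPROXY_MARK" --on-port "$PROXY_PORT"
}

# Check: takes the text of `ip rule show` and `ip route show table N` as
# arguments (so it can run against captured output offline) and returns 0
# only if both the fwmark rule and the local catch-all route are present.
tproxy_routing_check() {
    rules=$1
    routes=$2
    # iproute2 prints the mark in hex, e.g. "fwmark 0x1 lookup 100".
    mark_hex=$(printf '%x' "$TPROXY_MARK")
    printf '%s\n' "$rules" \
        | grep -Eq "fwmark 0x${mark_hex}( |/).*lookup ${TPROXY_TABLE}( |$)" \
        || return 1
    # iproute2 prints the 0.0.0.0/0 route as "local default dev lo ...".
    printf '%s\n' "$routes" \
        | grep -Eq "^local (default|0\.0\.0\.0/0) dev lo( |$)" \
        || return 1
    return 0
}

# Live check on the current host (needs iproute2 but not root).
tproxy_routing_check_live() {
    tproxy_routing_check "$(ip rule show)" \
                         "$(ip route show table "$TPROXY_TABLE")"
}
```

`tproxy_routing_check_live` is the one to run after applying the routing: if it fails, marked packets hit the normal forwarding path and end up at the spoofed host, which is the symptom described in point 3 above. The check deliberately accepts both the `default` and `0.0.0.0/0` spellings because different iproute2 versions print the catch-all route differently.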

