[tproxy] Fw: Tproxy4, fwmark and netfilter route_me_harder

Ming-Ching Tiew mingching.tiew at redtone.com
Mon Jan 21 02:21:31 CET 2008


Forwarded here just in case some of you are not on the netfilter-devel list.

----- Original Message ----- 
From: "Patrick McHardy" <kaber at trash.net>
To: "Ming-Ching Tiew" <mingching.tiew at redtone.com>
Cc: <netfilter-devel at vger.kernel.org>; <tproxy at lists.balabit.hu>
Sent: Sunday, January 20, 2008 11:31 PM
Subject: Re: Tproxy4, fwmark and netfilter route_me_harder


> Ming-Ching Tiew wrote:
> > I sort of just forwarded this to netfilter-devel.
> >
> > For those who are in netfilter-devel but not in the tproxy mailing list, a little
> > background here :-
> >
> > I discovered, after applying the tproxy4 patch which allows one to spoof
> > originating traffic with a foreign IP address (for the purpose of doing
> > transparent proxy), that traffic with a foreign IP will
> > not leave the system if there is a FWMARK in the mangle table OUTPUT
> > chain. Any MARK will screw up the routing.
> >
> > And the patch above seems to be able to get the packets out of the machine
> > again.
> >
> > So the motivation here is that perhaps someone could throw some light on
> > how this situation is best handled.
> 
> 
> IIRC the current TPROXY patches use a flag in the dst_entry
> to indicate that the source address is non-local. So
> ip_route_me_harder should probably check that flag and
> use routing for foreign addresses for that case.
> -

