[tproxy] Merging tproxy patch to standard kernel ?

NTPT NTPT at seznam.cz
Wed Jul 23 16:33:06 CEST 2008


I think CONNTRACK is not so much of a burden in modern times on fast machines with plenty of RAM. And maybe using connection tracking wisely in your example can remove some burden from the machine.

AFAIK, all traffic must come through the "-m socket" match, which checks whether a packet belongs to a listening transparent socket on the machine (if so, it is marked and routed to the local interface). So each incoming packet must be checked against the list of all open transparent sockets.


Using conntrack may help reduce the overhead. Maybe like this:

 iptables -t mangle -N DIVERT
 iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark   # copy connection mark to packet
 iptables -t mangle -A PREROUTING -m mark --mark 0x1/0xffffffff -j ACCEPT   # already marked packets accept, unmarked go to further processing
 iptables -t mangle -A PREROUTING -m state --state NEW -j DIVERT   # only NEW connections to divert
 iptables -t mangle -A DIVERT -p tcp -m socket -j MARK --set-xmark 0x1/0xffffffff
 iptables -t mangle -A DIVERT -j CONNMARK --save-mark   # save mark on connection for which we have a transparent socket
 iptables -t mangle -A DIVERT -j ACCEPT

In this, new connections are checked against -m socket and marked, the mark is saved to the whole connection, and future packets for that connection are marked directly by CONNTRACK, so matching the whole traffic against the list of open transparent sockets is not needed... So on busy boxes with high TCP load and a lot of open transparent sockets it MAY save a lot of CPU cycles.

Or am I missing a point somewhere?



 NTPT

>  ------------ Original message ------------
>  From: KOVACS Krisztian <hidden at sch.bme.hu>
>  Subject: Re: [tproxy] Merging tproxy patch to standard kernel ?
>  Date: 23.7.2008 14:40:18
>  ----------------------------------------
>  Hi,
>  
>  On Mon, Jul 21, 2008 at 04:49:43 +0200, NTPT wrote:
>  > Redirecting ICMP related traffic - I am not a kernel / netfilter hacker, but what about extending netfilter CONNMARK for that purpose?
>  > 
>  > Addition of a --restore-mark-related option to the CONNMARK target, which copies the connmark from the master connection to related traffic, would probably do this job.
>  > 
>  > 
>  > so then it could look like this ?
>  > 
>  >         iptables -t mangle -N DIVERT
>  >         iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>  >         iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
>  >         iptables -t mangle -A DIVERT -j CONNMARK --save-mark   # save mark on connection
>  >         iptables -t mangle -A DIVERT -j ACCEPT
>  >         iptables -t mangle -A PREROUTING -p icmp -j CONNMARK --restore-mark-related   # proposed option: copy connmark from master connection to its related traffic
>  > 
>  > # now related ICMP traffic is marked too and can be directed by the routing code
>  
>  Yes, you're right but this requires connection tracking -- while we would
>  like to be able to use tproxy without conntrack.
>  
>  But I like the idea... ;)
>  
>  -- 
>  KOVACS Krisztian
>  _______________________________________________
>  tproxy mailing list
>  tproxy at lists.balabit.hu
>  https://lists.balabit.hu/mailman/listinfo/tproxy
>  
>  
>  
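The conntrack-assisted ruleset proposed in this message, written out as an added example (not code from the post or from the tproxy project) in iptables-restore format so it can be loaded atomically, together with the policy-routing commands that deliver fwmark 0x1 packets to local sockets. The mark value, the routing table number 100 and the `ip rule`/`ip route` commands are assumptions for this example, not something the message states; the `DRY_RUN` switch and the function names are likewise invented here.

```shell
#!/bin/sh
# Added example: emit the conntrack-assisted tproxy mangle rules and the
# matching policy-routing commands. Nothing here touches the kernel unless
# tproxy_apply is called with DRY_RUN unset (and then it needs root).

MARK='0x1/0xffffffff'   # assumed mark value, same as in the post
TABLE=100               # assumed routing table for marked packets

# Print the mangle table in iptables-restore syntax. Rule order matters:
# restore-mark must come before the mark test, and the mark test before the
# NEW-only jump, so that only the first packet of a connection reaches
# -m socket and every later packet is classified from the conntrack entry.
build_tproxy_rules() {
    cat <<EOF
*mangle
:DIVERT - [0:0]
# 1. copy any saved connection mark onto the packet
-A PREROUTING -j CONNMARK --restore-mark
# 2. packets of already-diverted connections need no socket lookup
-A PREROUTING -m mark --mark $MARK -j ACCEPT
# 3. only the first packet of a TCP connection is matched against open sockets
-A PREROUTING -p tcp -m state --state NEW -j DIVERT
# 4. mark when a transparent socket exists, then store the mark on the conntrack entry
-A DIVERT -m socket -j MARK --set-xmark $MARK
-A DIVERT -j CONNMARK --save-mark
-A DIVERT -j ACCEPT
COMMIT
EOF
}

# Print the routing side: marked packets are looked up in a table whose only
# route delivers everything locally (assumed standard tproxy setup).
tproxy_routing_cmds() {
    printf 'ip rule add fwmark %s lookup %s\n' "${MARK%%/*}" "$TABLE"
    printf 'ip route add local 0.0.0.0/0 dev lo table %s\n' "$TABLE"
}

# Load the rules. With DRY_RUN set, print what would be executed instead.
tproxy_apply() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo '# would run: iptables-restore -n <<rules'
        build_tproxy_rules
        tproxy_routing_cmds
        return 0
    fi
    build_tproxy_rules | iptables-restore -n || return 1
    tproxy_routing_cmds | sh
}

# Stand-alone usage: DRY_RUN=1 ./tproxy-rules.sh
if [ "${0##*/}" = "tproxy-rules.sh" ]; then
    DRY_RUN=1 tproxy_apply
fi
```

Note that `--save-mark` runs for every NEW connection, including those with no transparent socket; that only stores a zero mark on the conntrack entry, so it is harmless, but a `-m mark --mark 0x1/0xffffffff` match in front of it would avoid the write. The saving the post describes applies to TCP only: `-m socket` in step 4 still sees every UDP packet unless a UDP rule is added the same way.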