[tproxy] need help with haproxy routing rules

Jeffrey 'jf' Lim jfs.world at gmail.com
Mon Jun 30 13:19:46 CEST 2008


Hi folks, I've been scratching my head over this and need your help with
it.

I've got haproxy compiled with tproxy support, and it's working fine with
regards to point no. 3 ("Initiating connections with a foreign address as a
source"): I've got it binding and connecting properly, and it's able to
send out packets using a foreign address. The problem now is that when the
reply packet comes back, haproxy can't seem to detect it.

The route rules in the readme are tuned for a full transparent proxy,
listening on another port other than the port of the traffic you want to
transparently listen to, which is fine for squid - but this is not what I'm
looking for.

As far as I've figured, the following rules should work, but somehow they don't:

======

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
iptables -t mangle -A DIVERT -j ACCEPT

=====

The rule

  iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port <proxyport> --tproxy-mark 0x1/0x1

isn't applicable here, because haproxy IS supposed to be "non-transparent"
at the client end: it IS supposed to listen directly on the IP and port
for web traffic; that's the point of a load balancer. So, could somebody
perhaps tell me what I need to complete the setup and get the packets
forwarded to haproxy?

thanks,
-jf

--
In the meantime, here is your PSA:
"It's so hard to write a graphics driver that open-sourcing it would not
help."
-- Andrew Fear, Software Product Manager, NVIDIA Corporation
http://kerneltrap.org/node/7228
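As an added example that is not part of the original post: the mangle-table DIVERT chain above only marks the returning packets; on its own a marked packet whose destination is the foreign source address (not a local one) is still forwarded or dropped rather than handed to haproxy's socket. The standard pairing used with the tproxy socket match is a fwmark policy-routing rule pointing at a table whose only route says "everything is local, deliver on lo". The script below installs both halves and prints what is in place for a check. Mark 0x1 comes from the post; routing table 100, the APPLY switch and the function names are assumptions of this example. It needs root (CAP_NET_ADMIN) and a kernel with the tproxy socket match; without APPLY=1 it only prints the commands, so it can be reviewed or tested offline.

```shell
#!/bin/sh
# Added example, not from the original post. Installs the DIVERT chain from
# the post plus the fwmark policy route that delivers marked replies locally.
# Assumed values: MARK=0x1 (from the post), TABLE=100 (assumption).
# Run as root with APPLY=1; otherwise commands are only printed.

APPLY="${APPLY:-0}"
MARK="${MARK:-0x1}"
TABLE="${TABLE:-100}"

# run: print the command, and execute it only when APPLY=1.
run() {
    echo "$*"
    if [ "$APPLY" = "1" ]; then
        "$@"
    fi
}

# tproxy_rules: the mangle-table DIVERT chain. "-m socket" matches inbound
# TCP packets for which a local socket already exists, which includes the
# replies to connections haproxy opened from a foreign source address, and
# tags them with the mark that the policy route keys on.
tproxy_rules() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-xmark "${MARK}/0xffffffff"
    run iptables -t mangle -A DIVERT -j ACCEPT
}

# policy_route: packets carrying the mark are looked up in TABLE, whose only
# entry routes every destination to the local stack via lo, so a reply
# addressed to the non-local (spoofed) source still reaches haproxy's socket.
policy_route() {
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# check_setup: show the installed chain, rule and route so the mark value,
# the fwmark rule and the local route can be confirmed to line up.
# Only meaningful when the rules were actually applied.
check_setup() {
    if [ "$APPLY" = "1" ]; then
        iptables -t mangle -L DIVERT -n -v
        ip rule show
        ip route show table "$TABLE"
    fi
}

main() {
    tproxy_rules
    policy_route
    check_setup
}

main "$@"
```

A quick sanity check once applied: the packet counters on the DIVERT chain should increase while a backend reply is in flight, and `ip rule show` must list the fwmark rule before the main table, otherwise the mark is set but never consulted.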