[tproxy] icmp support for tproxy 2.0.6 (linux 2.6.20)
Samuel B
ja.tproxy at mailnull.com
Fri Mar 7 08:00:43 CET 2008
Hi,

I've created a quick patch against TPROXY 2.0.6 adding ICMP protocol
support to it. The special thing about this patch is that it doesn't only
rewrite the destination of the ICMP packet, but also the payload of this
packet (usually a TCP/UDP packet).

Our primary motivation for implementing this is to enable PMTU
discovery to work for transparent network proxies that are invisible on
the network, and that make tproxy connections to remote hosts.

So with a rule like this:

  iptables -t tproxy -A PREROUTING -p icmp --icmp-type fragmentation-needed \
      -m u32 --u32 "48&0xffff=80" -j TPROXY --on-ip 1.1.1.1 --on-port 0

one can redirect fragmentation-needed ICMP packets, sent as a reply to a
connection to port 80 with too big an MTU, to the kernel, and that will
handle it and adjust the PMTU for the given connection.

I hope someone will help this. When we upgrade to a newer tproxy I'll possibly
create a patch for it (and maybe it will be more intelligent ;-)

Sam
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tproxy-icmp.patch
Type: text/x-patch
Size: 6372 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/tproxy/attachments/20080307/b4a11b6f/attachment.bin
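
Added example (not part of the original post or the attached patch): what the u32 expression "48&0xffff=80" in the rule above actually reads, assuming u32 offsets count from the start of the outer IP header. With two 20-byte IP headers, offset 48 is the start of the quoted TCP header and the low 16 bits are its destination port; with IP options present the fixed offset reads other bytes and the rule silently stops matching. The packets, addresses and function names below are constructed for illustration.

```python
import struct

def ipv4_header(proto, src, dst, payload_len, options=b""):
    """Minimal IPv4 header; checksum left at 0 since only offsets matter here."""
    ihl = 5 + len(options) // 4
    total = 20 + len(options) + payload_len
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst)) + options

def frag_needed(inner_dport, next_hop_mtu=1400, outer_options=b""):
    """Constructed ICMP type 3 / code 4 packet quoting IP header + 8 TCP bytes."""
    tcp8 = struct.pack("!HHI", 40000, inner_dport, 1)   # sport, dport, seq
    inner = ipv4_header(6, [10, 0, 0, 1], [192, 0, 2, 10], 1480) + tcp8
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + inner
    return ipv4_header(1, [198, 51, 100, 1], [10, 0, 0, 1], len(icmp),
                       outer_options) + icmp

def u32_match(pkt, offset=48, mask=0xFFFF, value=80):
    """The test in --u32 "48&0xffff=80": 4 bytes at a fixed offset from the IP header."""
    if len(pkt) < offset + 4:
        return False
    return (struct.unpack_from("!I", pkt, offset)[0] & mask) == value

def quoted_dport(pkt):
    """Destination port of the quoted TCP/UDP packet, honouring both IHL fields."""
    if len(pkt) < 20 or pkt[9] != 1:            # outer protocol is not ICMP
        return None
    icmp = (pkt[0] & 0x0F) * 4                  # outer IP header length
    inner = icmp + 8                            # quoted IP header follows ICMP header
    if len(pkt) < inner + 20 or (pkt[icmp], pkt[icmp + 1]) != (3, 4):
        return None
    l4 = inner + (pkt[inner] & 0x0F) * 4        # start of quoted TCP/UDP header
    if pkt[inner + 9] not in (6, 17) or len(pkt) < l4 + 4:
        return None
    return struct.unpack_from("!H", pkt, l4 + 2)[0]

if __name__ == "__main__":
    for name, pkt in [("no options", frag_needed(80)),
                      ("outer IP options", frag_needed(80, outer_options=b"\x01" * 4))]:
        print(name, "u32:", u32_match(pkt), "parsed dport:", quoted_dport(pkt))
```
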