[tproxy] icmp support for tproxy 2.0.6 (linux 2.6.20)

Samuel B ja.tproxy at mailnull.com
Fri Mar 7 08:00:43 CET 2008


   i've created a quick patch against TPROXY 2.0.6 adding ICMP protocol
   support to it. Special thing about this patch, is that it doesn't only
   rewrites destination of ICMP packet, but also payload of this packet
   (usually a TCP/UDP packet).

   Our primary motivation for implementing this is to enable PMTU
   discovery work for transparent network proxies that are invisible on network,
   and that make tproxy connections to remote hosts.

   So with rule like this:

    iptables -t tproxy -A PREROUTING -p icmp --icmp-type fragmentation-needed \
                       -m u32 --u32 "48&0xffff=80" -j TPROXY --on-ip --on-port 0

    one can redirect fragmentation-needed icmp packets sent as a reply
to connection
    to port 80 with too big MTU, to kernel and that will handle it and
adjust PMTU for
    given connection.

    I hope someone will help this. When we upgrade to newer tproxy I'll possibly
    create patch for it (and maybe it will be more intelligent ;-)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tproxy-icmp.patch
Type: text/x-patch
Size: 6372 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/tproxy/attachments/20080307/b4a11b6f/attachment.bin 

More information about the tproxy mailing list