[tproxy] icmp support for tproxy 2.0.6 (linux 2.6.20)

Balazs Scheidler bazsi at balabit.hu
Mon Mar 10 12:29:38 CET 2008

On Fri, 2008-03-07 at 08:00 +0100, Samuel B wrote:
> Hi,
>    i've created a quick patch against TPROXY 2.0.6 adding ICMP protocol
>    support to it. Special thing about this patch, is that it doesn't only
>    rewrites destination of ICMP packet, but also payload of this packet
>    (usually a TCP/UDP packet).
>    Our primary motivation for implementing this is to enable PMTU
>    discovery work for transparent network proxies that are invisible on network,
>    and that make tproxy connections to remote hosts.
>    So with rule like this:
>     iptables -t tproxy -A PREROUTING -p icmp --icmp-type fragmentation-needed \
>                        -m u32 --u32 "48&0xffff=80" -j TPROXY --on-ip
> --on-port 0
>     one can redirect fragmentation-needed icmp packets sent as a reply
> to connection
>     to port 80 with too big MTU, to kernel and that will handle it and
> adjust PMTU for
>     given connection.
>     I hope someone will help this. When we upgrade to newer tproxy I'll possibly
>     create patch for it (and maybe it will be more intelligent ;-)

I don't think this is necessary. tproxy 2 used NAT, which took care of
translating ICMP packets properly.

At least I know it worked at some time, although it was a long time ago
when I've personally checked it.


More information about the tproxy mailing list