[tproxy] icmp support for tproxy 2.0.6 (linux 2.6.20)
Balazs Scheidler
bazsi at balabit.hu
Mon Mar 10 12:29:38 CET 2008
On Fri, 2008-03-07 at 08:00 +0100, Samuel B wrote:
> Hi,
>
> I've created a quick patch against TPROXY 2.0.6 adding ICMP protocol
> support to it. The special thing about this patch is that it doesn't only
> rewrite the destination of the ICMP packet, but also the payload of this packet
> (usually a TCP/UDP packet).
>
> Our primary motivation for implementing this is to enable PMTU
> discovery to work for transparent network proxies that are invisible on the network,
> and that make tproxy connections to remote hosts.
>
> So with a rule like this:
>
> iptables -t tproxy -A PREROUTING -p icmp --icmp-type fragmentation-needed \
>   -m u32 --u32 "48&0xffff=80" -j TPROXY --on-ip 1.1.1.1 --on-port 0
>
> one can redirect fragmentation-needed ICMP packets, sent as a reply to a
> connection to port 80 with too big an MTU, to the kernel, and that will handle
> it and adjust the PMTU for the given connection.
>
> I hope someone will help this. When we upgrade to newer tproxy I'll possibly
> create a patch for it (and maybe it will be more intelligent ;-)

I don't think this is necessary. tproxy 2 used NAT, which took care of
translating ICMP packets properly.

At least I know it worked at some time, although it was a long time ago
when I personally checked it.
--
Bazsi
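
The u32 test in the quoted rule, "48&0xffff=80", reads four bytes at a fixed offset from the start of the IP header. This added example (not code from the thread or from the tproxy project) evaluates that test on two constructed fragmentation-needed packets and compares it with a parser that follows the IHL fields. All function names, addresses and port values are assumptions made for the illustration.

```python
import struct

def ipv4_header(src, dst, proto, options=b""):
    """Minimal IPv4 header for a constructed sample (lengths and checksum left at 0)."""
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 0, 0, 0, 64, proto, 0,
                       bytes(src), bytes(dst)) + options

def frag_needed(outer_options=b"", dport=80, mtu=1400):
    """Constructed ICMP type 3 / code 4 packet quoting a TCP segment sent to `dport`."""
    inner = (ipv4_header([10, 0, 0, 1], [192, 0, 2, 10], 6)
             + struct.pack("!HH", 40000, dport) + b"\0" * 4)  # sport, dport, seq
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu)  # type, code, cksum, unused, next-hop MTU
    return ipv4_header([198, 51, 100, 1], [10, 0, 0, 1], 1, outer_options) + icmp + inner

def u32_match(pkt, offset, mask, value):
    """Emulate u32 "offset&mask=value": 4 bytes, big-endian, counted from the IP header."""
    if offset + 4 > len(pkt):
        return False
    return (struct.unpack_from("!I", pkt, offset)[0] & mask) == value

def parse_frag_needed(pkt):
    """Walk both IP headers by IHL; return (next_hop_mtu, quoted_dst_port) or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None                      # not IPv4 carrying ICMP
    icmp = (pkt[0] & 0x0F) * 4           # outer header length from IHL
    if len(pkt) < icmp + 8 + 20 or pkt[icmp] != 3 or pkt[icmp + 1] != 4:
        return None                      # not destination-unreachable / frag-needed
    mtu = struct.unpack_from("!H", pkt, icmp + 6)[0]
    inner = icmp + 8                     # quoted original IP header
    l4 = inner + (pkt[inner] & 0x0F) * 4
    if pkt[inner + 9] not in (6, 17) or len(pkt) < l4 + 4:
        return None                      # quoted packet is not TCP/UDP or is truncated
    return mtu, struct.unpack_from("!H", pkt, l4 + 2)[0]

# Constructed samples: one without IP options, one with 4 bytes of outer IP options.
plain = frag_needed()
with_opts = frag_needed(outer_options=b"\x01\x01\x01\x00")  # NOP, NOP, NOP, EOL

if __name__ == "__main__":
    for name, pkt in (("no options", plain), ("outer IP options", with_opts)):
        print(name, u32_match(pkt, 48, 0xFFFF, 80), parse_frag_needed(pkt))
```

Offset 48 is 20 bytes of outer IP header, 8 bytes of ICMP header and 20 bytes of quoted IP header, so the fixed-offset test lands on the quoted source and destination ports only when neither IP header carries options; in the second sample it lands on the quoted destination address instead.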