[tproxy] tproxy can't work with ip_conntrack

Dong Wei dong_wei at cpsecure.com
Wed Oct 22 10:11:09 CEST 2008 

Hi,

>> I think that we can add some new fields to identify the two HTTP
>> connections in ip_conntrack structure(one is Client->TPROXY Server,
>> and the other is TPROXY Server->HTTP Server).
>> I hope we can get the right conntrack when we just know the tuple
>> containing src_ip,src_port,dst_ip,dst_port. Because there is lots of
>> kernel code like this:
>>
>> 1. get the tuple 4 fields(src_ip,src_port,dst_ip,dst_port) from skb
>> 2. call: nf_conntrack_find_get(tuple) to find the corresponding ip_conntrack.
>> So in this case we can only know the 4 fields, we can't get any more
>> message from skb.
>>
>> Assuming there are 2 ip_conntrack:
>> [1]: 192.168.2.2:12345->192.168.1.2:80(client->TPROXY Server)
>> [2]: 192.168.2.2:12345->192.168.1.2:80(TPROXY Server->HTTP Server)
>> When we process TCP packets between client and TPROXY Server, we find
>> the conntrack for 192.168.2.2:123456->192.168.1.2:80, the result
>> should
>> be [1], and if the TCP packets belong to TPROXY Server and HTTP Server
>> connection, the result should be [2]
>>
>> Does anyone have good idea about the requirement mentioned above?
>
> I think most users work around the problem: you usually don't really
> need the source port to be preserved exactly and by choosing a different
> source port the problem goes away.
>
> (If you don't care about the source port then bind the socket to port 0
> and the kernel will choose an unused port.)

Thanks for your reply.  But, I think maybe this solution still have problems.

Here is a sample:
Client -> TPROXY Server (192.168.2.2:12345 ->192.168.1.2:80)
TPROXY Server -> HTTP Server(192.168.2.2:54321->192.168.1.2:80)
Now the two connections have different ip_conntrack. TPROXY Server use
port 54321 instead of 12345 as src port

Next time, the client connect to the HTTP Server
Client -> HTTP Server(192.168.2.2:54321 -> 192.168.1.2:80).
Now Client use the port 54321 connecting to 192.168.1.2:80(This is
common for a NAT server connecting to the same HTTP Server using
different src port)
When  TPROXY receive this packet, and find ip_conntrack. It will match
the old one - TPROXY Server -> HTTP Server.

This still exist the ip_conntrack conflict.

> --
> KOVACS Krisztian
>



-- 
Thanks
BR. Wei Dong

More information about the tproxy mailing list