[tproxy] Transparent proxying - different approach - NAT on demand.
NTPT at seznam.cz
Wed Jan 21 01:42:38 CET 2009
I have a proposal about squid and tproxy. I call it "NAT ON DEMAND". I am not really a good C programmer
or kernel hacker, but...
AFAIK, in the early tproxy days dynamically created SNAT and DNAT rules were considered, but this idea was abandoned as unfeasible.
My idea is to allow "setting NAT on explicit application demand": to create an infrastructure in which a userspace
application (squid, for example) can send a "demand" for the source address to which its outgoing connections
should be NATed, on a per-socket basis. Usage: transparent proxying of all kinds. Especially useful for SQUID and the really transparent proxy scenario.
The idea is roughly inspired by, and analogous to, "setting FWMARK from userspace", an old kernel patch that implemented an ioctl for setting the fwmark on locally originated packets on a per-socket basis. See http://oss.sgi.com/archives/netdev/2001-12/msg00053.html
1: Applications should be able to explicitly set, on a per-socket basis, which IP address they need their outgoing connection to be SNATed to. Probably add one 32-bit item to the skbuff and an appropriate mechanism for setting it from userspace.
2: Change netfilter / iptables to allow a "-j SNAT --to-demand" option, which sets the source of the connection to the address that the application demanded.
3: Add a "-m natdemand" iptables match to find out if the local originator of this connection demanded NAT for it (i.e. if the additional field in the skbuff is not 0x0).
4: Patch squid to request NAT for its outgoing connections. The only thing it should do is take the client IP address and "demand it".
Usage like this:
In squid.conf:
acl transparent_clients src 192.168.1.0/24 # set an ACL for the client network that we need handled transparently
nat_on_demand transparent_clients # demand a specific SNAT for all outgoing connections (i.e. the connections that fetch content) it makes while proxying clients from this network, i.e. take the IP of the squid client and demand SNAT to this IP for the outgoing sockets that fetch data for that client on a cache miss (sorry for my bad English)
iptables -t nat -I OUTPUT (or POSTROUTING ?) -m natdemand -j SNAT --to-demand # tell netfilter to SNAT the source address of that connection to what the application demanded, i.e. copy the address stored in the additional skbuff field