[tproxy] Transparent proxying - different approach - NAT on demand.

NTPT NTPT at seznam.cz
Wed Jan 21 01:42:38 CET 2009

Hi all.

I have a proposal about squid and tproxy. I call it "NAT ON DEMAND". I am not really a good C programmer
or kernel hacker, but...

AFAIK in the early tproxy days dynamically created SNAT and DNAT rules were considered, but this idea was abandoned as unfeasible.

My idea is to allow "setting NAT on explicit application demand": to create an infrastructure in which a userspace
application (squid for example) can send a "demand" for the source address to which its outgoing connections
should be NATed, on a per-socket basis. Usage: transparent proxying of all kinds. Especially useful for squid and the really transparent proxy scenario.

The idea is roughly inspired by, and analogous to, "setting FWMARK from userspace", an old kernel patch that implements an ioctl for setting the fwmark on locally originated packets on a per-socket basis. See http://oss.sgi.com/archives/netdev/2001-12/msg00053.html

1: applications should be able to explicitly set, on a per-socket basis, which IP address they need their outgoing connection to be SNATed to. Probably add one 32-bit item to the skbuff and an appropriate mechanism for setting it from userspace.

2: change netfilter / iptables to allow a "-j SNAT --to-demand" option which sets the source of the connection to the address that the application demanded.

3: add an "-m natdemand" iptables match to find out whether the local originator of this connection demanded NAT for it (i.e. if the additional field in the skbuff is not 0x0).

4: patch squid to request NAT for its outgoing connections. The only thing it should do is take the client IP address and "demand it".

Usage like this:

in squid.conf:

acl transparent_clients src <clients network>   # set an ACL for the client network that we need handled transparently
nat_on_demand transparent_clients               # demand a specific SNAT for all outgoing connections (i.e. connections fetching content) made while proxying for clients from this network: take the IP of the squid client and demand SNAT to this IP for the outgoing sockets that fetch data for that client on a cache miss (sorry for my bad English)

in iptables:

iptables -t nat -I OUTPUT (or POSTROUTING ?) -m natdemand -j SNAT --to-demand   # tell netfilter to SNAT the source address of that connection to what the application demanded, i.e. copy the address stored in the additional skbuff field
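To make the proposed flow concrete, here is a userspace model of it as an added example; it is not code from the post, from squid or from netfilter, and none of the proposed kernel pieces (the extra skbuff field, the "natdemand" match, "SNAT --to-demand") exist in Linux, so every name below is an assumption. The Packet.nat_demand attribute stands in for the proposed skbuff field (None means 0x0, no demand), demand_for() models the squid side of "nat_on_demand transparent_clients", and NatOnDemand models the OUTPUT rule plus the conntrack state the kernel would need to translate the reply packets back to the proxy's real address, which the rule alone does not cover. The addresses and ports are constructed sample values.

```python
"""Model of the proposed NAT-on-demand flow: proxy side plus netfilter side.
All names are hypothetical; the skbuff field, match and target do not exist."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    nat_demand: Optional[str] = None  # stands in for the proposed extra skbuff field (None == 0x0)


def demand_for(client_ip: str, transparent_clients: str) -> Optional[str]:
    """Proxy side: if the client is inside the ACL network, demand its address
    as the SNAT source for the outgoing (cache-miss) connection, else no demand."""
    if ipaddress.ip_address(client_ip) in ipaddress.ip_network(transparent_clients):
        return client_ip
    return None


class NatOnDemand:
    """Netfilter side: '-m natdemand -j SNAT --to-demand' in the nat OUTPUT chain,
    plus the conntrack mapping needed to un-NAT replies coming back from the server."""

    def __init__(self) -> None:
        # (demanded src, sport, dst, dport) -> original local source address
        self.reverse = {}

    @staticmethod
    def match_natdemand(pkt: Packet) -> bool:
        """The '-m natdemand' match: true when the originating socket set a demand."""
        return pkt.nat_demand is not None

    def output_hook(self, pkt: Packet) -> Packet:
        """The 'SNAT --to-demand' target on a locally originated packet."""
        if not self.match_natdemand(pkt):
            return pkt  # rule does not match; packet leaves with the proxy's own address
        key = (pkt.nat_demand, pkt.sport, pkt.dst, pkt.dport)
        owner = self.reverse.get(key)
        if owner is not None and owner != pkt.src:
            # another local socket already owns this translated 4-tuple; refuse rather
            # than silently steer its replies elsewhere (real SNAT would pick a new port)
            raise ValueError("nat-on-demand tuple collision: %r" % (key,))
        self.reverse[key] = pkt.src
        return Packet(pkt.nat_demand, pkt.sport, pkt.dst, pkt.dport, pkt.nat_demand)

    def prerouting_hook(self, pkt: Packet) -> Packet:
        """Reply direction: rewrite the demanded address back to the proxy's real one."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        original = self.reverse.get(key)
        if original is None:
            return pkt  # not one of our translated connections
        return Packet(pkt.src, pkt.sport, original, pkt.dport)


def walk_through(client_ip: str, acl: str, proxy_ip: str, proxy_port: int,
                 server_ip: str, server_port: int, table: NatOnDemand):
    """One cache miss: returns (source address seen on the wire, destination the
    proxy sees on the server's reply)."""
    demand = demand_for(client_ip, acl)
    out = table.output_hook(Packet(proxy_ip, proxy_port, server_ip, server_port, demand))
    reply = table.prerouting_hook(Packet(server_ip, server_port, out.src, out.sport))
    return out.src, reply.dst


if __name__ == "__main__":
    table = NatOnDemand()
    # constructed sample: proxy 10.1.1.1, transparent client network 192.168.0.0/24
    print(walk_through("192.168.0.5", "192.168.0.0/24", "10.1.1.1", 40000, "203.0.113.10", 80, table))
    print(walk_through("172.16.0.9", "192.168.0.0/24", "10.1.1.1", 40001, "203.0.113.10", 80, table))
```

The reply path is the part a deployment has to plan for: once the outgoing connection carries the client's address, the server's replies are addressed to the client, so the network must route them back through the proxy box for the reverse mapping to apply, and the conntrack entry must be keyed on the full translated 4-tuple so that two connections demanding the same client address cannot collide.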
