[tproxy] [PATCH 00/11] TProxy for IPv6
bazsi at balabit.hu
Tue Sep 8 20:42:26 CEST 2009
On Fri, 2009-09-04 at 18:07 +1200, Amos Jeffries wrote:
> Balazs Scheidler wrote:
> > [ Sorry if this reaches you twice, I sent to the wrong address the first time ]
> > I've just pushed a set of patches that implement TProxy for IPv6 to
> > http://git.balabit.hu/bazsi/tproxy-2.6.git
> > The patches are also posted in reply to this mail.
> > Although some work is still needed, basic testing shows that it works all
> > right.
> > The accompanying iptables patches are available at
> > http://git.balabit.hu/bazsi/iptables-tproxy.git
> > There are some things left to do:
> > * the recognition of related ICMPv6 packets is missing (from xt_socket.c)
> > * I should probably split xt_TPROXY/xt_socket to IPv4 and IPv6 modules, as
> > right now those depend on both stacks at the same time.
> > I'm on a holiday right now, thus I might not respond to comments in a timely
> > manner, however I'm interested in any comments/feedback nevertheless.
> > Harry, I didn't remember that you actually wanted to work on TProxy for
> > IPv6, I just vaguely remembered that there was someone asking for IPv6
> > support, thus I implemented this without being in the know. If you started
> > hacking, I hope that we didn't completely duplicate effort. I'd appreciate
> > help in the missing bits and/or testing whichever fits you best.
> > Also, I have written a Python test script to test TProxy functionality
> > automatically both for IPv4 and IPv6, I can post that as well if anyone is
> > interested.
> I'm interested :)
> Now that you have done this I'm going to have to find a robust userland
> run-time test to see if the underlying TPROXY is v4-only or v6-enabled.
> If anyone has suggestions they would be welcome.
> Thank you very much by the way.
The script I wrote is not a runtime test, it is a functional test that
tests various TPROXY scenarios for proper functionality.
It basically assumes that:
1) you run it on the 'client' host, and it has ssh connectivity to the
2) it assumes that IP/route configuration is already prepared
3) it uses hardwired IP addresses, but generates iptables/ip6tables
I used a virtual machine running on my development computer to do the
dead:1::1/64 is the client
dead:1::2/64 is the proxy box
dead:2::1/64 is the server behind the proxy box
The script basically copies an agent script to the other box
(test-agent.py) and uses that to change iptables config/start listeners
as needed. It then initiates TCP/UDP connections to the target host and
checks if the proper listener received the new connection or a bogus
I'm not that responsive these days, but I'm glad to help.
Last but not least, here's the gitweb interface:
and the git URL