[tproxy] I'm having a little trouble binding a tproxy and I might do something wrong.

KOVACS Krisztian hidden at balabit.hu
Mon Feb 4 16:46:11 CET 2013


Hi,

On Mon 04 Feb 2013 01:19:10 PM CET, Eliezer Croitoru wrote:
> On 2/4/2013 2:02 PM, KOVACS Krisztian wrote:
>> Unfortunately not using the same source port is not an ultimate
>> solution, either: if you use a random source port you still have a
>> chance that it will clash with the endpoint of another existing TCP
>> connection.
> Most likely not, since it's a pair of ip+port to ip+port.
> Your basic assumption is that there are two devices that control the
> same ip and port assignment.
> On a machine the OS tries to avoid using the same port for the same dst
> as a basic rule.

Yes, but only for local sockets. However, in this case the endpoint 
address is first chosen by the client's TCP stack and then by the 
proxy's TCP stack. The latter does not have a socket bound to the 
address yet, so it will be happy to choose the exact same port.

> On a NAT machine it depends on the NAT type, but Linux out of the box
> doesn't do the kind of NAT that would make such a thing happen.

Yep, that's true, the NAT code avoids conntrack duplicates at all 
costs. (Even if that means an extra implicit translation.)

--
KOVACS Krisztian
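The point made above, that the proxy's own TCP stack cannot detect a clash with a port the client already uses because it has no local socket bound to the spoofed address, means the 4-tuple uniqueness check has to be done against the flow table instead. The following is an added example illustrating that check; it is not code from the post, from tproxy or from the Linux kernel. The conntrack lines are constructed for the example, the Flow/parse_conntrack/choose_source_port helpers are hypothetical, and the port range is the Linux default net.ipv4.ip_local_port_range.

```python
# Added example, not part of the tproxy list post or of any project's code.
# Chooses a source port for a spoofed (IP_TRANSPARENT) outbound connection so
# that the resulting 4-tuple does not collide with a flow conntrack already
# tracks. All helper names and sample data below are constructed for this
# example.
import random
import socket
from typing import Iterable, NamedTuple, Optional, Set

# Linux default net.ipv4.ip_local_port_range (assumption; check your sysctl).
EPHEMERAL_LOW, EPHEMERAL_HIGH = 32768, 60999


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed sample in the format of `conntrack -L` / /proc/net/nf_conntrack.
CONNTRACK_SAMPLE = [
    "tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=40001 dport=80 "
    "src=203.0.113.10 dst=10.0.0.5 sport=80 dport=40001 [ASSURED] mark=0 use=1",
    "tcp      6 299 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=40002 dport=80 "
    "src=203.0.113.10 dst=10.0.0.5 sport=80 dport=40002 [ASSURED] mark=0 use=1",
    "udp      17 29 src=10.0.0.5 dst=198.51.100.1 sport=5353 dport=53 "
    "src=198.51.100.1 dst=10.0.0.5 sport=53 dport=5353 mark=0 use=1",
]


def parse_conntrack(lines: Iterable[str]) -> Set[Flow]:
    """Return the original-direction 4-tuple of every TCP conntrack entry.

    Each line carries src/dst/sport/dport twice (original and reply
    direction); only the first occurrence of each key is the original.
    """
    flows = set()
    for line in lines:
        if not line.lstrip().startswith("tcp"):
            continue
        orig = {}
        for tok in line.split():
            key, sep, val = tok.partition("=")
            if sep and key in ("src", "dst", "sport", "dport") and key not in orig:
                orig[key] = val
        if len(orig) == 4:
            flows.add(Flow(orig["src"], int(orig["sport"]),
                           orig["dst"], int(orig["dport"])))
    return flows


def choose_source_port(spoofed_ip: str, dst_ip: str, dst_port: int,
                       active: Set[Flow], rng: Optional[random.Random] = None,
                       attempts: int = 64) -> int:
    """Pick a source port for spoofed_ip -> dst_ip:dst_port that is unused as a 4-tuple.

    The proxy's kernel cannot do this check for us: it has no socket bound to
    spoofed_ip, so bind((spoofed_ip, 0)) may hand back a port the client is
    already using toward the same destination. A random pick that hits an
    existing flow is simply retried.
    """
    rng = rng or random.Random()
    for _ in range(attempts):
        port = rng.randint(EPHEMERAL_LOW, EPHEMERAL_HIGH)
        if Flow(spoofed_ip, port, dst_ip, dst_port) not in active:
            return port
    raise OSError("no free source port for %s -> %s:%d" % (spoofed_ip, dst_ip, dst_port))


def open_spoofed_socket(spoofed_ip: str, src_port: int,
                        dst_ip: str, dst_port: int) -> socket.socket:
    """Connect from a non-local address; needs Linux and CAP_NET_ADMIN.

    Not exercised by the demo. IP_TRANSPARENT is 19 on Linux; the getattr
    fallback covers Python builds whose socket module lacks the constant.
    """
    ip_transparent = getattr(socket, "IP_TRANSPARENT", 19)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_IP, ip_transparent, 1)
    s.bind((spoofed_ip, src_port))
    s.connect((dst_ip, dst_port))
    return s


def demo() -> int:
    """Pick a port for a new 10.0.0.5 -> 203.0.113.10:80 spoofed connection."""
    active = parse_conntrack(CONNTRACK_SAMPLE)
    return choose_source_port("10.0.0.5", "203.0.113.10", 80, active,
                              rng=random.Random(1))


if __name__ == "__main__":
    print(demo())
```

Only the full 4-tuple has to be unique, so the same source port is fine toward a different destination; and because the check is against conntrack rather than the local bind table, it has to be repeated by whichever component actually tracks the flows (the kernel's conntrack or the proxy's own bookkeeping), since the proxy's TCP stack knows nothing about the client's ports.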
