[tproxy] I'm having a little trouble binding a tproxy and I might do something wrong.

Eliezer Croitoru eliezer at ngtech.co.il
Tue Feb 5 02:57:10 CET 2013

On 2/4/2013 5:46 PM, KOVACS Krisztian wrote:
> Yes, but only for local sockets. However, in this case the endpoint
> address is first chosen by the client's TCP stack and then on the
> proxy's TCP stack. The latter does not have a socket bound to the
> address yet, so it will be happy to choose the exact same port.
From the proxy's point of view it's a connection and it can use a random
port, which the OS will make sure is OK since it actually pairs the
src IP to the dst IP when binding.
I wanted the same as you.
This adds a bit of complexity to the kernel and, by the way, the tproxy
socket is a local socket in the OS's eyes but has another non-local IP.
You can try it in the real world and see that unless you are working
with specific network protocols and you need to know things about the
src side you won't have any troubles with TPROXY and TCP.

There is too much experience with it that makes it a fact that it works.

From any application the TPROXY outgoing socket is another FD so the
dst and src are only important for logging.

What are you working on?


Eliezer Croitoru
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
