| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 07 Oct 2008 09:01:10 +0200 From: KOVACS Krisztian <hidden@....bme.hu> To: Jan Engelhardt <jengelh@...ozas.de> Cc: David Miller <davem@...emloft.net>, Patrick McHardy <kaber@...sh.net>, netdev@...r.kernel.org, netfilter-devel@...r.kernel.org Subject: Re: [net-next PATCH 16/16] Add documentation Hi, On Fri, 2008-10-03 at 10:01 -0400, Jan Engelhardt wrote: > On Wednesday 2008-10-01 10:24, KOVACS Krisztian wrote: > > >+Transparent proxy support > >+========================= > >+ > >+This feature adds Linux 2.2-like transparent proxy support to current kernels. > >+To use it, enable NETFILTER_TPROXY, the socket match and the TPROXY target in > >+your kernel config. You will need policy routing too, so be sure to enable that > >+as well. > > To use server-side transparent proxying (i.e. using a foreign address > when sending out packets), only tproxy_core is needed. > > >+fd = socket(AF_INET, SOCK_STREAM, 0); > > You want to be using IPPROTO_TCP here, as I doubt there is a guarantee > that 0 will never choose SCTP. > > >+int value = 1; > > Const is good: > static const unsigned int value = 1; > > >+setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value)); > >+/* - 8< -*/ > >+name.sin_family = AF_INET; > >+name.sin_port = htons(0xCAFE); > >+name.sin_addr.s_addr = htonl(0xDEADBEEF); > > Replace last one by > inet_pton(PF_INET, "192.0.2.37", &name.sin_addr); > > (Hacking anything inside sin_addr is, strictly speaking, breaking the > “encapsulation”, as far as that “exists” in C.) > > >+bind(fd, &name, sizeof(name)); > > You will need > > bind(fd, (const void *)&name, sizeof(name)); > > to avoid a compiler warning ;-) Jan, while you're right I think the point of the aim of the example is to show you that you only need to set the IP_TRANSPARENT flag before being able to bind to a non-local address. I'm not opposed to the changes, though, so could you please send a patch on top of Dave's current net-next tree? Thanks. > > >+2. Redirecting traffic > >+====================== > >+ > >+Transparent proxying often involves "intercepting" traffic on a router. This is > >+usually done with the iptables REDIRECT target, however, there are serious > >+limitations of that method. One of the major issues is that it actually > >+modifies the packets to change the destination address -- which might not be > >+acceptable in certain situations. (Think of proxying UDP for example: you won't > >+be able to find out the original destination address. Even in case of TCP > >+getting the original destination address is racy.) > > IIRC, you _can_ find out, though I agree it's rather a hack (with > tproxy, you can just use the address as received via recvmsg): > > getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, &sockaddr, &sizeptr); This is true only if you have connection tracking loaded while the new tproxy can be used without conntrack. -- KOVACS Krisztian -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists