| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 08 Oct 2008 10:32:22 +1000 From: Philip Craig <philipc@...pgear.com> To: Jan Engelhardt <jengelh@...ozas.de> CC: KOVACS Krisztian <hidden@....bme.hu>, David Miller <davem@...emloft.net>, Patrick McHardy <kaber@...sh.net>, netdev@...r.kernel.org, netfilter-devel@...r.kernel.org Subject: Re: [net-next PATCH 16/16] Add documentation Jan Engelhardt wrote: >> +2. Redirecting traffic >> +====================== >> + >> +Transparent proxying often involves "intercepting" traffic on a router. This is >> +usually done with the iptables REDIRECT target, however, there are serious >> +limitations of that method. One of the major issues is that it actually >> +modifies the packets to change the destination address -- which might not be >> +acceptable in certain situations. (Think of proxying UDP for example: you won't >> +be able to find out the original destination address. Even in case of TCP >> +getting the original destination address is racy.) > > IIRC, you _can_ find out, though I agree it's rather a hack (with > tproxy, you can just use the address as received via recvmsg): > > getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, &sockaddr, &sizeptr); Yes, but the problem is that SO_ORIGINAL_DST is only implemented for TCP. And I guess that the race for TCP is that the conntrack may not exist when you call getsockopt() (not sure that is something you'll hit in practice though). -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists