| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 Oct 2010 07:16:42 +0200 From: Michael Kerrisk <mtk.manpages@...il.com> To: Balazs Scheidler <bazsi@...abit.hu> Cc: KOVACS Krisztian <hidden@....bme.hu>, David Miller <davem@...emloft.net>, linux-net@...r.kernel.org, netdev <netdev@...r.kernel.org> Subject: Re: Documentation for IP_TRANSPARENT? Hello Bazsi A long time after your mail, I've now added the text you supplied below. The changes are now available via git, and will be in man-pages-3.29. However, I have a few small questions that you can maybe clarify. See below. On Tue, Dec 9, 2008 at 2:17 PM, Balazs Scheidler <bazsi@...abit.hu> wrote: > Hi, > > On Mon, 2008-11-24 at 11:06 -0500, Michael Kerrisk wrote: >> Hello Krisztian, >> >> Your 2.6.27 patch adds the IP_TRANSPARENT socket option. Could you >> please supply some documentation (plain text is fine) suitable for >> inclusion in the ip(7) man page. > > Although it was Krisztian who originally submitted the patches, but I > also did some things about them, so here I gave the documentation part a > spin. > > There are some other related options, that are undocumented right now, > so I tried to give documentation on those as well. > > IP_FREEBIND > Enable binding to IP addresses that do not currently exist. When > enabled on a TCP or UDP socket, the bind(2) call referencing a > non-existing IP address will succeed. This functionality is useful > if the specified IP address is dynamic (e.g. assigned to a PPP device) > and is down at the time when the application is trying to bind to it. > This setsockopt is the per-socket equivalent to ip_nonlocal_bind sysctl. > > IP_TRANSPARENT > Enable transparent proxying on this socket. This socket option allows > the calling application to bind to a non-local IP address and operate > both as a client and a server with the foreign address as the local > endpoint. NOTE: this requires that routing be set up in a way that > packets going to the foreign address are routed through the tproxy box. Can you say a few words explaining what is meant by "tproxy box". Also, should one write "TProxy" here, analogous with "TProxy" below? > Enabling this socket option requires superuser privileges > (more specifically the CAP_NET_ADMIN capability). > > TProxy redirection with the iptables TPROXY target also requires that > this option be set on the redirected socket. In iptables(8), I find no mention of TPROXY. Is it just that the iptables(8) man page is not up to date? > IP_RECVORIGDSTADDR > Enables the IP_ORIGDSTADDR ancillary message in recvmsg(2) in which > the kernel returns the original destination address of a datagram. The > ancillary message contains a "struct sockaddr_in" instance. Do you happen to know of any userspace test code that demonstrates the use of IP_RECVORIGDSTADDR? Thanks for this documentation, and sorry it took so long to make its way into man-pages. Cheers, Michael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Author of "The Linux Programming Interface"; http://man7.org/tlpi/ -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists