Open Source and information security mailing list archives
Message-ID: <20070107141134.GA13543@prithivi.gnumonks.org>
Date:	Sun, 7 Jan 2007 15:11:34 +0100
From:	Harald Welte <laforge@...filter.org>
To:	KOVACS Krisztian <hidden@...abit.hu>
Cc:	netfilter-devel@...ts.netfilter.org, netdev@...r.kernel.org
Subject: Re: [PATCH/RFC 00/10] Transparent proxying patches version 4

Hi Krisztian!

On Wed, Jan 03, 2007 at 05:33:57PM +0100, KOVACS Krisztian wrote:
> So instead of using NAT to dynamically redirect traffic to local
> addresses, we now rely on "native" non-locally-bound sockets and do
> early socket lookups for inbound IPv4 packets. 

It's good to see a solid implementation of this 'old idea'.  

Just as a quick historical note to netdev:  This is the way the
netfilter project advised the Balabit guys to implement fully
transparent proxy support, after having seen the complexity of the old
NAT-based TPROXY patches.

So I personally support this patchset and vote for it to be included
(with whatever modifications netdev deems appropriate).

It might be that there now is the experimental netchannels system which
might provide an even better way for transparent proxy support.

However, ever since ip_tables was merged in the 2.3.x days, we have
lacked good support for transparent proxies.  Now that the first
incarnation of the NAT based TPROXY patch for 2.4.x had to be developed
and maintained out-of-tree for many years, I definitely think it's
better to merge the new, way less intrusive, patchset.  

Some interested party can work on a netchannels implementation later on,
but that's the next generation...

Cheers,
-- 
- Harald Welte <laforge@...filter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie
