Date: Sat, 13 Oct 2007 19:28:57 +0200
From: KOVACS Krisztian <hidden@....bme.hu>
To: David Miller <davem@...emloft.net>
Cc: Patrick McHardy <kaber@...sh.net>, netdev@...r.kernel.org
Subject: [PATCH 00/14] Transparent Proxying Patches, Take 5

Hi Dave,

This is the fifth round of transparent proxying patches following recent
discussion on netfilter-devel [1,2]. The aim of the patchset is to make
non-locally bound sockets work both for receiving and sending. The target
is IPv4 TCP/UDP at the moment.

Speaking of the patches, there are two big parts:

* Output path (patches 1-6): these modifications make it possible to send
  IPv4 datagrams with a non-local source IP address by:

  - Introducing a new flowi flag (FLOWI_FLAG_ANYSRC) which disables source
    address checking in ip_route_output_slow(). This is also necessary for
    some of the tricks LVS does. [3]

  - Adding the IP_TRANSPARENT socket option (setting this requires
    CAP_NET_ADMIN to prevent source address spoofing).

  - Gluing these together across the TCP/UDP code.

* Input path (patches 7-13): these changes add redirection support for TCP
  along with an iptables target implementing NAT-less traffic interception,
  and an iptables match to make ahead-of-time socket lookups on PREROUTING.
  These combined with a set of iptables rules and policy routing make
  non-locally bound sockets work.

  - Netfilter IPv4 defragmentation is split into a separate module. It's
    not particularly pretty but I see no other way of making sure the
    'socket' match gets no fragmented IPv4 packets.

  - The 'socket' iptables match does a socket lookup on the destination
    address and matches if a socket was found.

  - The 'TPROXY' iptables target provides a way to intercept traffic
    without NAT -- it does an ahead-of-time socket lookup on the configured
    address and caches the socket reference in the skb.

  - IPv4 TCP and UDP input path is modified to use this stored socket
    reference if it's present.

The last patch adds a short intro on how to use it.
A trivial patch for netcat demonstrating the necessary modifications for
proxies is available separately at [4].

References:

[1] http://marc.info/?l=netfilter-devel&m=119118672703285&w=2
[2] http://marc.info/?l=netfilter-devel&m=119135774918622&w=2
[3] http://marc.info/?l=linux-netdev&m=118065358510836&w=2
[4] http://people.netfilter.org/hidden/tproxy/netcat-ip_transparent-support.patch

--
KOVACS Krisztian

-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
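The cover letter above describes the two halves of the mechanism (IP_TRANSPARENT on the socket for the output path, the 'socket' match plus the TPROXY target for the input path) but not what a proxy built on them looks like. The following is an added example written for this page; it is not code from the patch series, from the netcat patch at [4], or from the author. It assumes CAP_NET_ADMIN, an IPv4 router running a kernel with these patches, and a netfilter/policy-routing setup of the kind the last patch's intro refers to; the concrete rule syntax below is taken from the later upstream tproxy documentation rather than from this e-mail, so option names may differ from the 2007 version of the target:

  iptables -t mangle -A PREROUTING -p tcp -m socket -j MARK --set-mark 1
  iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8080
  ip rule add fwmark 1 lookup 100
  ip route add local 0.0.0.0/0 dev lo table 100

The function names (set_transparent, transparent_listener, transparent_connect, relay) are mine, as is the choice of port 8080.

```c
/* Added example, not from the patch series: a minimal TCP transparent proxy
 * built on IP_TRANSPARENT (output path) and TPROXY interception (input path).
 * Assumes CAP_NET_ADMIN and the iptables/ip-rule setup quoted in the lead-in. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Enable IP_TRANSPARENT; 0 or -errno. The kernel requires CAP_NET_ADMIN and
 * returns EPERM otherwise: the anti-spoofing guard the cover letter mentions. */
int set_transparent(int fd)
{
    int one = 1;
    return setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof(one)) ? -errno : 0;
}

/* Fill sa from a dotted-quad address and host-order port; 0 or -EINVAL. */
int make_addr(const char *ip, unsigned short port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof(*sa));
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -EINVAL;
}

/* Listener for TPROXY --on-port, bound to INADDR_ANY: the target's ahead-of-time
 * socket lookup delivers intercepted packets to it without NAT. fd or -errno. */
int transparent_listener(unsigned short port)
{
    struct sockaddr_in sa;
    int one = 1, r, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -errno;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    make_addr("0.0.0.0", port, &sa);
    if ((r = set_transparent(fd)) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(fd, 16) < 0) {
        r = r < 0 ? r : -errno;
        close(fd);
        return r;
    }
    return fd;
}

/* Outbound leg: bind to the client's own (non-local) address, then connect to the
 * original destination, so the server sees the client's IP. Without IP_TRANSPARENT
 * that bind fails with EADDRNOTAVAIL. fd or -errno. */
int transparent_connect(const struct sockaddr_in *src, const struct sockaddr_in *dst)
{
    int r, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -errno;
    if ((r = set_transparent(fd)) < 0 ||
        bind(fd, (const struct sockaddr *)src, sizeof(*src)) < 0 ||
        connect(fd, (const struct sockaddr *)dst, sizeof(*dst)) < 0) {
        r = r < 0 ? r : -errno;
        close(fd);
        return r;
    }
    return fd;
}

/* Shuttle bytes both ways until one side closes or errors. */
static void relay(int a, int b)
{
    struct pollfd p[2] = { { a, POLLIN, 0 }, { b, POLLIN, 0 } };
    char buf[4096];
    ssize_t n;
    for (;;) {
        if (poll(p, 2, -1) < 0) return;
        for (int i = 0; i < 2; i++) {
            if (!(p[i].revents & (POLLIN | POLLHUP))) continue;
            if ((n = read(p[i].fd, buf, sizeof(buf))) <= 0) return;
            if (write(p[1 - i].fd, buf, n) != n) return;
        }
    }
}

int main(void)
{
    int lfd = transparent_listener(8080);
    if (lfd < 0) { fprintf(stderr, "listener: %s\n", strerror(-lfd)); return 1; }
    for (;;) {   /* one connection at a time is enough to show the mechanism */
        struct sockaddr_in peer, orig;
        socklen_t plen = sizeof(peer), olen = sizeof(orig);
        int ufd, cfd = accept(lfd, (struct sockaddr *)&peer, &plen);
        if (cfd < 0) continue;
        /* No NAT happened, so the accepted socket's local address is the client's
         * original destination; that is where the upstream leg goes. */
        getsockname(cfd, (struct sockaddr *)&orig, &olen);
        peer.sin_port = 0;   /* keep the client's IP, let the kernel pick a port */
        if ((ufd = transparent_connect(&peer, &orig)) >= 0) { relay(cfd, ufd); close(ufd); }
        else fprintf(stderr, "upstream: %s\n", strerror(-ufd));
        close(cfd);
    }
}
```

Two points worth checking when deploying something like this. The 'socket' match rule is not optional: once the first SYN has been diverted, an established socket exists for the flow, and that rule is what keeps the rest of the flow's packets arriving at it instead of being routed onward. And CAP_NET_ADMIN is the only thing standing between IP_TRANSPARENT and arbitrary source-address spoofing, so the proxy should be granted that capability alone rather than run as full root, and should not be reachable from untrusted interfaces.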