lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Fri, 3 Oct 2008 10:01:18 -0400 (EDT)
From:	Jan Engelhardt <>
To:	KOVACS Krisztian <>
cc:	David Miller <>,
	Patrick McHardy <>,,
Subject: Re: [net-next PATCH 16/16] Add documentation

On Wednesday 2008-10-01 10:24, KOVACS Krisztian wrote:

>+Transparent proxy support
>+This feature adds Linux 2.2-like transparent proxy support to current kernels.
>+To use it, enable NETFILTER_TPROXY, the socket match and the TPROXY target in
>+your kernel config. You will need policy routing too, so be sure to enable that
>+as well.

To use server-side transparent proxying (i.e. using a foreign address
when sending out packets), only tproxy_core is needed.

>+fd = socket(AF_INET, SOCK_STREAM, 0);

You want to be using IPPROTO_TCP here, as I doubt there is a guarantee
that 0 will never choose SCTP.

>+int value = 1;

Const is good:
	static const unsigned int value = 1;

>+setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value));
>+/* - 8< -*/
>+name.sin_family = AF_INET;
>+name.sin_port = htons(0xCAFE);
>+name.sin_addr.s_addr = htonl(0xDEADBEEF);

Replace last one by
	inet_pton(PF_INET, "", &name.sin_addr);

(Hacking anything inside sin_addr is, strictly speaking, breaking the
“encapsulation”, as far as that “exists” in C.)

>+bind(fd, &name, sizeof(name));

You will need

	bind(fd, (const void *)&name, sizeof(name));

to avoid a compiler warning ;-)

>+2. Redirecting traffic
>+Transparent proxying often involves "intercepting" traffic on a router. This is
>+usually done with the iptables REDIRECT target, however, there are serious
>+limitations of that method. One of the major issues is that it actually
>+modifies the packets to change the destination address -- which might not be
>+acceptable in certain situations. (Think of proxying UDP for example: you won't
>+be able to find out the original destination address. Even in case of TCP
>+getting the original destination address is racy.)

IIRC, you _can_ find out, though I agree it's rather a hack (with 
tproxy, you can just use the address as received via recvmsg):

	getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, &sockaddr, &sizeptr);

To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists