[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-id: <1223362870.8909.11.camel@nessa.odu>
Date: Tue, 07 Oct 2008 09:01:10 +0200
From: KOVACS Krisztian <hidden@....bme.hu>
To: Jan Engelhardt <jengelh@...ozas.de>
Cc: David Miller <davem@...emloft.net>,
Patrick McHardy <kaber@...sh.net>, netdev@...r.kernel.org,
netfilter-devel@...r.kernel.org
Subject: Re: [net-next PATCH 16/16] Add documentation
Hi,
On Fri, 2008-10-03 at 10:01 -0400, Jan Engelhardt wrote:
> On Wednesday 2008-10-01 10:24, KOVACS Krisztian wrote:
>
> >+Transparent proxy support
> >+=========================
> >+
> >+This feature adds Linux 2.2-like transparent proxy support to current kernels.
> >+To use it, enable NETFILTER_TPROXY, the socket match and the TPROXY target in
> >+your kernel config. You will need policy routing too, so be sure to enable that
> >+as well.
>
> To use server-side transparent proxying (i.e. using a foreign address
> when sending out packets), only tproxy_core is needed.
>
> >+fd = socket(AF_INET, SOCK_STREAM, 0);
>
> You want to be using IPPROTO_TCP here, as I doubt there is a guarantee
> that 0 will never choose SCTP.
>
> >+int value = 1;
>
> Const is good:
> static const unsigned int value = 1;
>
> >+setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value));
> >+/* - 8< -*/
> >+name.sin_family = AF_INET;
> >+name.sin_port = htons(0xCAFE);
> >+name.sin_addr.s_addr = htonl(0xDEADBEEF);
>
> Replace last one by
> inet_pton(PF_INET, "192.0.2.37", &name.sin_addr);
>
> (Hacking anything inside sin_addr is, strictly speaking, breaking the
> “encapsulation”, as far as that “exists” in C.)
>
> >+bind(fd, &name, sizeof(name));
>
> You will need
>
> bind(fd, (const void *)&name, sizeof(name));
>
> to avoid a compiler warning ;-)
Jan, while you're right I think the point of the aim of the example is
to show you that you only need to set the IP_TRANSPARENT flag before
being able to bind to a non-local address.
I'm not opposed to the changes, though, so could you please send a patch
on top of Dave's current net-next tree? Thanks.
>
> >+2. Redirecting traffic
> >+======================
> >+
> >+Transparent proxying often involves "intercepting" traffic on a router. This is
> >+usually done with the iptables REDIRECT target, however, there are serious
> >+limitations of that method. One of the major issues is that it actually
> >+modifies the packets to change the destination address -- which might not be
> >+acceptable in certain situations. (Think of proxying UDP for example: you won't
> >+be able to find out the original destination address. Even in case of TCP
> >+getting the original destination address is racy.)
>
> IIRC, you _can_ find out, though I agree it's rather a hack (with
> tproxy, you can just use the address as received via recvmsg):
>
> getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, &sockaddr, &sizeptr);
This is true only if you have connection tracking loaded while the new
tproxy can be used without conntrack.
--
KOVACS Krisztian
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists