From: KOVACS Krisztian <firstname.lastname@example.org>
To: David Miller <email@example.com>
Subject: [net-next PATCH 00/16] Transparent proxying patches, take six
Date: Wed, 01 Oct 2008 16:24:31 +0200
Cc: Patrick McHardy <firstname.lastname@example.org>, email@example.com,
This is the sixth round of transparent proxying patches recently
discussed on the Netfilter Workshop. Since the last incarnation
we've added support for related ICMP packets in the socket
match. Should apply cleanly on top of net-next-2.6. Could you please
apply patches 1-11 (those touching core networking parts) and I'll ask
Patrick McHardy to take care of patches 12-16 (the Netfilter parts).

The aim of the patchset is to make non-locally bound sockets work both
for receiving and sending. The target is IPv4 TCP/UDP at the moment.

Speaking of the patches, there are two big parts:

* Output path (patches 1-7): these modifications make it possible to
  send IPv4 datagrams with non-local source IP address by:
  - Introducing a new flowi flag (FLOWI_FLAG_ANYSRC) which disables
    source address checking in ip_route_output_slow(). This is
    also necessary for some of the tricks LVS does.
  - Adding the IP_TRANSPARENT socket option (setting this requires
    CAP_NET_ADMIN to prevent source address spoofing).
  - Gluing these together across the TCP/UDP code.

* Input path (patches 8-15): these changes add redirection support
  for TCP along with an iptables target implementing NAT-less traffic
  interception, and an iptables match to make ahead-of-time socket
  lookups on PREROUTING. These combined with a set of iptables rules
  and policy routing make non-locally bound sockets work.
  - IPv4 TCP and UDP input path is modified to use this stored socket
    reference if it's present.
  - Netfilter IPv4 defragmentation is split into a separate
    module. (This could make sense independently of tproxy and
    conntrack, for example to have a stateless firewall which still
    does fragment reassembly.)
  - The 'socket' iptables match does a socket lookup on the
    destination address and matches if a socket was found.
  - The 'TPROXY' iptables target provides a way to intercept traffic
    without NAT -- it does an ahead-of-time socket lookup on the
    configured address and caches the socket reference in the skb.

The last patch adds a short intro on how to use it. A trivial patch
for netcat demonstrating the necessary modifications for proxies is
available separately at . Squid has support for it in the 3.HEAD
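The userspace side of the IP_TRANSPARENT option, as an added example in C that is not part of the patch series or the netcat/Squid changes it mentions: a proxy enables the option, binds, and reads the client's original destination from an accepted connection with getsockname(), which works because TPROXY does not NAT. It assumes a Linux host; set_transparent() returns EPERM without CAP_NET_ADMIN, which is the spoofing guard the cover letter describes.

```c
/* Added example, not part of the patch series: the userspace side of
 * IP_TRANSPARENT. A proxy sets the option, binds to an address it does not
 * own, and reads the original destination from the accepted socket, which
 * TPROXY leaves intact because it does no NAT. */
#include <errno.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19 /* value from <linux/in.h>; old libc headers omit it */
#endif

/* Enable IP_TRANSPARENT; returns 0 or errno. EPERM means no CAP_NET_ADMIN:
 * the kernel refuses so unprivileged code cannot send from addresses it
 * does not own (the spoofing guard the cover letter mentions). */
int set_transparent(int fd)
{
    int one = 1;
    return setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) ? errno : 0;
}

/* Bind fd to addr:port (port 0 = ephemeral); returns 0 or errno.
 * With IP_TRANSPARENT set, addr may be non-local, e.g. the real server's IP. */
int bind_addr(int fd, const char *addr, unsigned short port)
{
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1)
        return EINVAL;
    return bind(fd, (struct sockaddr *)&sin, sizeof sin) ? errno : 0;
}

/* Local address of fd as text plus host-order port; returns 0 or errno.
 * On a connection accepted through TPROXY this is the destination the
 * client originally dialled, so no SO_ORIGINAL_DST lookup is needed. */
int local_addr(int fd, char *buf, size_t len, unsigned short *port)
{
    struct sockaddr_in sin;
    socklen_t slen = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &slen) < 0)
        return errno;
    if (!inet_ntop(AF_INET, &sin.sin_addr, buf, (socklen_t)len))
        return errno;
    *port = ntohs(sin.sin_port);
    return 0;
}
```

In a deployment the listener bound here is the --on-port target of the TPROXY rule, and the policy-routing rules from the patchset's intro deliver the marked packets to it.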