Hi,
I intend to develop real transparent proxy support for the kernel
2.4 series (not a backport of the original 2.2 code).
Since at a few places it affects network core I asked the question below on
netfilter-devel and they directed me to here.
Could you please comment on it?
For reference, the implementation tries to touch the networking code the
least possible, so it rewrites destination addresses before they enter the
networking core. It's a simple, stateless DNAT.

On Wed, Mar 27, 2002 at 08:59:01AM +0100, Harald Welte wrote:
> On Tue, Mar 26, 2002 at 04:21:04PM +0100, Balazs Scheidler wrote:
> > Hi,
> >
> > I found some time to get back to my transparent proxy support for Netfilter.
>
> cool. We'd really like to see this getting forward.
>
> > - TPROXY target redirects a session
> >
> > - the original destination address/port number is stored in the IPCB() part
> > of the skb
> >
> > - as soon as the socket is created this address/port number is copied into
> > sk->tp_pinfo.af_tcp (struct tcp_opt) This would happen in tcp_v4_hnd_req()
> >
> > - this information is queried by the application using a getsockopt call to
> > fetch the original destination address, the getsockopt can be implemented
> > by registering an nf_sockopt_ops
> >
> > I'd like to have the core members' advice, is this a good way? Harald?
>
> This looks fine to me, but I'm not as much into the sockets code as others
> are.
>
> If you want to make it really correct, I'd send that mail to
> the netdev@xxxxxxxxxxx mailing list.
>
> David Miller, Andi Kleen and Alexey Kuznetsov (the networking gods) are
> hanging out on that list, so you might get some comments related to the
> 'abuse' of tp_pinfo.af_tcp and IPCB() from them.
>
> Based on their reaction you will see if there is a need to change something
> or if they would like something like this in the kernel.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
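
A user-space model of the four steps proposed in the quoted message, added here as an illustration; it is not code from the original mail or from the kernel. Every identifier (`model_skb`, `model_sock`, `model_tproxy_target`, `model_sock_create`, `model_get_orig_dst`) is hypothetical, and the addresses are constructed host-order sample values.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
/* All names are hypothetical stand-ins, not kernel identifiers. */
struct endpoint { uint32_t addr; uint16_t port; };
struct model_skb {                /* stands in for struct sk_buff */
    struct endpoint dst;          /* destination the stack routes on */
    struct endpoint cb_orig_dst;  /* stands in for the IPCB() slot */
    int cb_redirected;            /* set once the target has run */
};
struct model_sock { struct endpoint orig_dst; int has_orig_dst; };

/* Steps 1-2: stateless DNAT. Save the original destination, then rewrite. */
static void model_tproxy_target(struct model_skb *skb, struct endpoint proxy)
{
    skb->cb_orig_dst = skb->dst;
    skb->cb_redirected = 1;
    skb->dst = proxy;
}

/* Step 3: at socket creation, copy the saved address out of the packet. */
static void model_sock_create(struct model_sock *sk, const struct model_skb *skb)
{
    sk->has_orig_dst = skb->cb_redirected;
    sk->orig_dst = skb->cb_orig_dst;   /* only meaningful if has_orig_dst */
}

/* Step 4: getsockopt-style query. Returns 0 or a negative errno. */
static int model_get_orig_dst(const struct model_sock *sk, void *buf, size_t *len)
{
    if (!sk->has_orig_dst)
        return -ENOENT;           /* connection was never redirected */
    if (*len < sizeof(sk->orig_dst))
        return -EINVAL;           /* caller's buffer is too small */
    memcpy(buf, &sk->orig_dst, sizeof(sk->orig_dst));
    *len = sizeof(sk->orig_dst);
    return 0;
}

int main(void)
{
    /* Constructed sample: client aimed at 192.0.2.10:80, proxy on 127.0.0.1:3128. */
    struct model_skb skb = { .dst = { 0xC000020A, 80 } };
    struct endpoint proxy = { 0x7F000001, 3128 }, got;
    struct model_sock sk;
    size_t len = sizeof(got);
    model_tproxy_target(&skb, proxy);
    model_sock_create(&sk, &skb);
    return model_get_orig_dst(&sk, &got, &len) == 0 && got.port == 80 ? 0 : 1;
}
```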