
Re: TProxy, 2.4 Kernel and NetFilter

To: Jambunathan Kalyanasundaram <k_jambunathan@xxxxxxxxxxx>
Subject: Re: TProxy, 2.4 Kernel and NetFilter
From: KOVACS Krisztian <hidden@xxxxxxxxxx>
Date: Wed, 11 Feb 2004 20:58:38 +0100
Cc: Henrik Nordstrom <hno@xxxxxxxxxxxxxxx>, netfilter-devel@xxxxxxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx
Mail-followup-to: Jambunathan Kalyanasundaram <k_jambunathan@xxxxxxxxxxx>, Henrik Nordstrom <hno@xxxxxxxxxxxxxxx>, netfilter-devel@xxxxxxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.4i

On Wed, Feb 11, 2004 at 08:49:33AM +0100, Henrik Nordstrom wrote:
> > 2) But if I am not really interested in the overheads
> > imposed by the NetFilter, the only option is to patch
> > the Linux kernel with Balazs Scheidler's patch.
> Not sure this has less overhead.

  I'm sure it hasn't. TProxy was never intended to be a "faster redirect",
or something like that. If you do not care about almost full transparent
proxying, you don't need TProxy at all.

  The TProxy patch can be used to make the proxy transparent from both
sides: the client sends the packets to the server's IP, and the server
sees packets coming from the client's IP. However, this needs user-space
support in the proxy itself. And Gianni Tedesco's latest TProxy support
patch for Squid is known to be broken...

> > If I don't like something as heavyweight as Netfilter
> > and something that is as "non standard" as patching
> > the kernel, are there any ways out?
> Yes, by configuring the client to use the proxy.

  Completely true. This is _the_ way to go if you can set all clients to
use the proxy.

> If it is a normal Internet proxy environment where the number of clients 
> is limited, and the proxy supports per-user selection of the outgoing 
> address (Squid does) then it is possible with the help of NAT.
> 1. Set up as many IP aliases on the proxy server as you have clients. Use
> one of the unassigned networks.
> 2. Configure the proxy to use one IP alias per client IP address.
> 3. Configure iptables NAT rules in OUTPUT to NAT these IP aliases back to
> the client IP address.

  Hmm... What a solution! :)

> If it is a reverse proxy or other environment where the client addresses 
> are not limited then this obviously can not be done and you must use the 
> tproxy patch.

  As I wrote, the patch for Squid would need some fixes before actually
using it... Unfortunately I don't know enough about Squid to be able to
make those fixes.

 KOVACS Krisztian

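Henrik's per-client NAT workaround, written out as an added example; this is not code from the thread, from Squid or from netfilter. It is a POSIX shell script that prints the commands and squid.conf lines for a small, constructed client list instead of running them, so the output can be reviewed before it is applied as root on the proxy. Everything in it is an assumption: the three client addresses 192.168.1.10-12, the spare 10.250.0.0/24 chosen as the alias network, the interface name eth0 and the acl names. One caveat a practitioner should know: iptables only accepts the SNAT target in the nat table's POSTROUTING chain, so the script puts the reverse translation there; locally generated packets from the proxy traverse OUTPUT and then POSTROUTING, so the effect is the same as the step described above.

```shell
#!/bin/sh
# Added example: per-client source-address NAT for a Squid proxy, as a
# generator that prints commands instead of running them (review the
# output, then run it as root on the proxy box).
#
# Constructed sample data; every address and name here is hypothetical.
CLIENTS="192.168.1.10 192.168.1.11 192.168.1.12"   # client IPs behind the proxy
ALIAS_NET=10.250.0        # spare, otherwise unused /24 reserved for the aliases
EXT_IF=eth0               # interface facing the servers

# alias_for N: the alias address handed to the N-th client
alias_for() {
    echo "${ALIAS_NET}.$1"
}

# check_alias_net: refuse an alias network that any client already lives in;
# the scheme only works if the alias addresses are otherwise unused.
check_alias_net() {
    for c in $CLIENTS; do
        case "$c" in "$ALIAS_NET".*) return 1 ;; esac
    done
    return 0
}

# gen_ip_aliases: one /32 per client on lo; the address is only ever used as
# a bind() source by Squid, so it does not need to live on a real interface.
gen_ip_aliases() {
    n=1
    for c in $CLIENTS; do
        echo "ip addr add $(alias_for $n)/32 dev lo"
        n=$((n + 1))
    done
}

# gen_nat_rules: rewrite the alias source address back to the client's IP.
# The SNAT target is only valid in nat/POSTROUTING, which locally generated
# packets also traverse after OUTPUT; restricting to -o EXT_IF keeps the
# proxy's own traffic towards the clients untouched.
gen_nat_rules() {
    n=1
    for c in $CLIENTS; do
        echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $(alias_for $n) -j SNAT --to-source $c"
        n=$((n + 1))
    done
}

# gen_squid_conf: Squid 2.5-style per-client outgoing address selection
# (tcp_outgoing_address takes an address followed by acl names).
gen_squid_conf() {
    n=1
    for c in $CLIENTS; do
        echo "acl client$n src $c"
        echo "tcp_outgoing_address $(alias_for $n) client$n"
        n=$((n + 1))
    done
}

# gen_all: everything in the order it has to be applied.
gen_all() {
    check_alias_net || { echo "alias network overlaps a client address" >&2; return 1; }
    echo "# 1. aliases";           gen_ip_aliases
    echo "# 2. NAT";               gen_nat_rules
    echo "# 3. add to squid.conf"; gen_squid_conf
}

gen_all
```

The servers reply to the client's real address, so this only works where the proxy box is also the router for those clients: the reply packets then pass through it and connection tracking undoes the SNAT on the way back to the alias Squid is bound to. Each client costs one alias, one NAT rule and one acl, which is why it fits a small, fixed client population and not a reverse proxy.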