From: KOVACS Krisztian <hidden@sch.bme.hu>
To: David Miller <davem@davemloft.net>
Cc: Patrick McHardy <kaber@trash.net>, netdev@vger.kernel.org
Subject: [PATCH 00/14] Transparent Proxying Patches, Take 5
Date: Sat, 13 Oct 2007 19:28:57 +0200 [thread overview]
Message-ID: <20071013172857.22517.84760.stgit@nessa.odu> (raw)
Hi Dave,
This is the fifth round of transparent proxying patches following
recent discussion on netfilter-devel [1,2].
The aim of the patchset is to make non-locally bound sockets work both
for receiving and sending. The target is IPv4 TCP/UDP at the moment.
Speaking of the patches, there are two big parts:
* Output path (patches 1-6): these modifications make it possible to
send IPv4 datagrams with non-local source IP address by:
- Introducing a new flowi flag (FLOWI_FLAG_ANYSRC) which disables
source address checking in ip_route_output_slow(). This is
also necessary for some of the tricks LVS does. [3]
- Adding the IP_TRANSPARENT socket option (setting this requires
CAP_NET_ADMIN to prevent source address spoofing).
- Gluing these together across the TCP/UDP code.
* Input path (patches 7-13): these changes add redirection support
for TCP along with an iptables target implementing NAT-less traffic
interception, and an iptables match to make ahead-of-time socket
lookups on PREROUTING. These combined with a set of iptables rules
and policy routing make non-locally bound sockets work.
- Netfilter IPv4 defragmentation is split into a separate
module. It's not particularly pretty but I see no other way of
making sure the 'socket' match gets no fragmented IPv4 packets.
- The 'socket' iptables match does a socket lookup on the
destination address and matches if a socket was found.
- The 'TPROXY' iptables target provides a way to intercept traffic
without NAT -- it does an ahead-of-time socket lookup on the
configured address and caches the socket reference in the skb.
- IPv4 TCP and UDP input path is modified to use this stored socket
reference if it's present.
The last patch adds a short intro on how to use it. A trivial patch
for netcat demonstrating the necessary modifications for proxies is
available separately at [4].
References:
[1] http://marc.info/?l=netfilter-devel&m=119118672703285&w=2
[2] http://marc.info/?l=netfilter-devel&m=119135774918622&w=2
[3] http://marc.info/?l=linux-netdev&m=118065358510836&w=2
[4] http://people.netfilter.org/hidden/tproxy/netcat-ip_transparent-support.patch
--
KOVACS Krisztian
next reply other threads:[~2007-10-13 18:39 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-10-13 17:28 KOVACS Krisztian [this message]
2007-10-13 17:29 ` [PATCH 01/14] Loosen source address check on IPv4 output KOVACS Krisztian
2007-10-13 17:29 ` [PATCH 02/14] Implement IP_TRANSPARENT socket option KOVACS Krisztian
2007-10-13 17:30 ` [PATCH 03/14] Allow binding to non-local addresses if IP_TRANSPARENT is set KOVACS Krisztian
2007-10-13 17:31 ` [PATCH 04/14] Conditionally enable transparent flow flag when connecting KOVACS Krisztian
2007-10-13 17:31 ` [PATCH 05/14] Handle TCP SYN+ACK/ACK/RST transparency KOVACS Krisztian
2007-10-13 17:32 ` [PATCH 06/14] Port redirection support for TCP KOVACS Krisztian
2007-10-13 17:32 ` [PATCH 07/14] Export UDP socket lookup function KOVACS Krisztian
2007-10-13 17:33 ` [PATCH 08/14] Split Netfilter IPv4 defragmentation into a separate module KOVACS Krisztian
2007-10-13 17:33 ` [PATCH 09/14] iptables tproxy core KOVACS Krisztian
2007-10-13 17:34 ` [PATCH 10/14] iptables socket match KOVACS Krisztian
2007-10-13 17:34 ` [PATCH 11/14] iptables TPROXY target KOVACS Krisztian
2007-10-13 17:35 ` [PATCH 12/14] Don't lookup the socket if there's a socket attached to the skb KOVACS Krisztian
2007-10-13 17:35 ` [PATCH 13/14] " KOVACS Krisztian
2007-10-13 17:36 ` [PATCH 14/14] Add documentation KOVACS Krisztian
2007-10-13 22:44 ` [PATCH 00/14] Transparent Proxying Patches, Take 5 David Miller
2007-10-14 9:05 ` KOVACS Krisztian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20071013172857.22517.84760.stgit@nessa.odu \
--to=hidden@sch.bme.hu \
--cc=davem@davemloft.net \
--cc=kaber@trash.net \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.