Re: Tproxy4, fwmark and netfilter route_me_harder

Ming-Ching Tiew wrote:
I sort of just forwarded this to netfilter-devel.
For those who are on netfilter-devel but not on the tproxy mailing list, a little background here: I discovered, after applying the tproxy4 patch which allows one to spoof originating traffic with a foreign IP address (for the purpose of doing transparent proxying), that traffic with a foreign IP will not leave the system if there is a FWMARK in the mangle table OUTPUT chain. Any MARK will screw up the routing. And the patch above seems to be able to get the packets out of the machine again.

So the motivation here is that perhaps someone could throw some light on how this situation is best handled.


IIRC the current TPROXY patches use a flag in the dst_entry
to indicate that the source address is non-local. So
ip_route_me_harder should probably check that flag and
use routing for foreign addresses for that case.