On Wednesday 2008-10-01 10:24, KOVACS Krisztian wrote: >+Transparent proxy support >+========================= >+ >+This feature adds Linux 2.2-like transparent proxy support to current kernels. >+To use it, enable NETFILTER_TPROXY, the socket match and the TPROXY target in >+your kernel config. You will need policy routing too, so be sure to enable that >+as well. To use server-side transparent proxying (i.e. using a foreign address when sending out packets), only tproxy_core is needed. >+fd = socket(AF_INET, SOCK_STREAM, 0); You want to be using IPPROTO_TCP here, as I doubt there is a guarantee that 0 will never choose SCTP. >+int value = 1; Const is good: static const unsigned int value = 1; >+setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value)); >+/* - 8< -*/ >+name.sin_family = AF_INET; >+name.sin_port = htons(0xCAFE); >+name.sin_addr.s_addr = htonl(0xDEADBEEF); Replace last one by inet_pton(PF_INET, "192.0.2.37", &name.sin_addr); (Hacking anything inside sin_addr is, strictly speaking, breaking the “encapsulation”, as far as that “exists” in C.) >+bind(fd, &name, sizeof(name)); You will need bind(fd, (const void *)&name, sizeof(name)); to avoid a compiler warning ;-) >+2. Redirecting traffic >+====================== >+ >+Transparent proxying often involves "intercepting" traffic on a router. This is >+usually done with the iptables REDIRECT target, however, there are serious >+limitations of that method. One of the major issues is that it actually >+modifies the packets to change the destination address -- which might not be >+acceptable in certain situations. (Think of proxying UDP for example: you won't >+be able to find out the original destination address. Even in case of TCP >+getting the original destination address is racy.) IIRC, you _can_ find out, though I agree it's rather a hack (with tproxy, you can just use the address as received via recvmsg): getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, &sockaddr, &sizeptr); -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
