Re: [net-next PATCH 16/16] Add documentation

Jan Engelhardt wrote:
>> +2. Redirecting traffic
>> +======================
>> +
>> +Transparent proxying often involves "intercepting" traffic on a router. This is
>> +usually done with the iptables REDIRECT target, however, there are serious
>> +limitations of that method. One of the major issues is that it actually
>> +modifies the packets to change the destination address -- which might not be
>> +acceptable in certain situations. (Think of proxying UDP for example: you won't
>> +be able to find out the original destination address. Even in case of TCP
>> +getting the original destination address is racy.)
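Review bot: The UDP example states flatly that the original destination cannot be recovered, while the REDIRECT path does offer getsockopt(SOL_IP, SO_ORIGINAL_DST) for TCP, as the replies below point out; the section would be more useful if it said outright that this recovery mechanism is TCP-only and spelled out what "racy" means here (the conntrack entry may not yet exist when getsockopt() is called), instead of leaving both as parenthetical asides. Minor: "REDIRECT target, however, there are serious limitations" splices two sentences; "REDIRECT target; however, that method has serious limitations" reads better.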
> 
> IIRC, you _can_ find out, though I agree it's rather a hack (with 
> tproxy, you can just use the address as received via recvmsg):
> 
> 	getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, &sockaddr, &sizeptr);

Yes, but the problem is that SO_ORIGINAL_DST is only implemented for TCP.
And I guess that the race for TCP is that the conntrack may not exist when you
call getsockopt() (not sure that is something you'll hit in practice though).
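Added example, not code from the patch or from either poster, showing the two recovery paths the thread contrasts: the REDIRECT side asking conntrack via getsockopt(SO_ORIGINAL_DST), with the ENOENT and non-TCP failure cases handled, and the tproxy side reading the destination from the recvmsg() control message. It assumes the IP_ORIGDSTADDR/IP_RECVORIGDSTADDR ancillary data is the recvmsg mechanism referred to above; the 10.0.0.1:8080 destination is constructed and the function names are mine.

```c
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80   /* value from <linux/netfilter_ipv4.h> */
#endif
#ifndef IP_ORIGDSTADDR
#define IP_ORIGDSTADDR 20    /* from <linux/in.h>; delivered when IP_RECVORIGDSTADDR is set */
#endif

/* REDIRECT path, TCP only: ask conntrack for the pre-NAT destination. Returns 0 or
 * -1 with errno: ENOENT when no conntrack entry exists yet (the race raised in the
 * thread), ENOPROTOOPT on a non-TCP socket. IPPROTO_IP equals SOL_IP on Linux. */
int redirect_original_dst(int fd, struct sockaddr_in *out)
{
    socklen_t len = sizeof(*out);
    return getsockopt(fd, IPPROTO_IP, SO_ORIGINAL_DST, out, &len);
}

/* TPROXY path, UDP included: the original destination arrives as an IP_ORIGDSTADDR
 * control message on the recvmsg() that delivered the datagram (assumed mechanism). */
int tproxy_original_dst(struct msghdr *msg, struct sockaddr_in *out)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level != IPPROTO_IP || c->cmsg_type != IP_ORIGDSTADDR) continue;
        if (c->cmsg_len < CMSG_LEN(sizeof(*out))) break;  /* truncated: treat as absent */
        memcpy(out, CMSG_DATA(c), sizeof(*out));
        return 0;
    }
    errno = ENOENT;
    return -1;
}

/* Offline check: a constructed control message standing in for what the kernel would
 * attach for destination 10.0.0.1:8080. Returns the recovered port, or -1 on failure. */
int demo_parse_constructed_cmsg(void)
{
    char cbuf[CMSG_SPACE(sizeof(struct sockaddr_in))];
    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(8080) }, got;
    struct msghdr msg = { .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);

    dst.sin_addr.s_addr = htonl(0x0a000001);          /* 10.0.0.1 */
    c->cmsg_level = IPPROTO_IP; c->cmsg_type = IP_ORIGDSTADDR; c->cmsg_len = CMSG_LEN(sizeof dst);
    memcpy(CMSG_DATA(c), &dst, sizeof dst);
    if (tproxy_original_dst(&msg, &got) < 0 || got.sin_addr.s_addr != dst.sin_addr.s_addr)
        return -1;
    return ntohs(got.sin_port);   /* 8080 */
}
```

On a live redirected TCP connection, call redirect_original_dst() on the accepted socket and treat ENOENT as "retry or drop", not as a protocol error.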
