[PATCH 0/2] TProxy: socket match: transparent option, removed nf_conntrack dependency

Hi Patrick,

we added a missing feature to the socket match so that it can check the 'transparent' member of the socket's structure. The original behaviour was that all sockets matched if they weren't listening on the 0.0.0.0 IP address, even if they were unrelated to TProxy, such as ssh or other servers.

The IP_TRANSPARENT socket option is always set for sockets using TProxy, thus the following patch allows matching only these:

  iptables ... -m socket --transparent ...

When I tested the new option, I found that NETFILTER_TPROXY depends on NF_CONNTRACK, which is unwanted; it works without it.

--
Panther
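The `--transparent` option described in the cover letter keys on the same socket state that a userspace TProxy daemon sets with the IP_TRANSPARENT socket option. The following is an added example, not part of the patch series or the netfilter tree: it opens an ordinary TCP socket, reads the flag back with getsockopt, and then tries to set it the way a TProxy listener would. Reading the flag needs no privilege, so an administrator can use the same call to check which local sockets the new match would select; setting it requires CAP_NET_ADMIN, and the program reports the failure instead of treating it as an error. The `IP_TRANSPARENT` fallback value of 19 is the Linux constant and is only used if the headers are too old to define it.

```c
/* Added example: the IP_TRANSPARENT socket option that "-m socket --transparent"
 * matches on. Not part of the patch; Linux-specific (SOL_IP, IP_TRANSPARENT). */
#define _GNU_SOURCE
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* Linux value; fallback for old headers */
#endif

/* Returns 1 if IP_TRANSPARENT is set on fd, 0 if it is not, -1 on error
 * (e.g. fd is not a valid socket). getsockopt needs no privilege. */
int socket_is_transparent(int fd)
{
    int val = 0;
    socklen_t len = sizeof(val);
    if (getsockopt(fd, SOL_IP, IP_TRANSPARENT, &val, &len) < 0)
        return -1;
    return val ? 1 : 0;
}

/* Marks fd as a TProxy-style transparent socket, as a proxy daemon does
 * before binding to a non-local address. Needs CAP_NET_ADMIN; returns 0
 * on success, -1 with errno set otherwise. */
int socket_set_transparent(int fd)
{
    int one = 1;
    return setsockopt(fd, SOL_IP, IP_TRANSPARENT, &one, sizeof(one));
}

/* Opens a plain IPv4 TCP socket; such a socket starts with the flag clear,
 * which is exactly why unrelated servers no longer match with --transparent. */
int new_plain_tcp_socket(void)
{
    return socket(AF_INET, SOCK_STREAM, 0);
}

int main(void)
{
    int fd = new_plain_tcp_socket();
    if (fd < 0) {
        perror("socket");
        return 1;
    }
    printf("fresh socket: transparent=%d\n", socket_is_transparent(fd));
    if (socket_set_transparent(fd) == 0)
        printf("after setsockopt: transparent=%d\n", socket_is_transparent(fd));
    else
        printf("setsockopt(IP_TRANSPARENT) failed: %s (CAP_NET_ADMIN required)\n",
               strerror(errno));
    close(fd);
    return 0;
}
```

Run it unprivileged and the flag stays 0; run it with CAP_NET_ADMIN and the second line shows 1, which is the state the socket match now requires before it reports a hit.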