On Fri, 2009-09-04 at 18:07 +1200, Amos Jeffries wrote:
> Balazs Scheidler wrote:
> > [ Sorry if this reaches you twice, I sent to the wrong address the first time ]
> >
> > I've just pushed a set of patches that implement TProxy for IPv6 to
> >
> > http://git.balabit.hu/bazsi/tproxy-2.6.git
> >
> > The patches are also posted in reply to this mail.
> >
> > Although some work is still needed, basic testing shows that it works all
> > right.
> >
> > The accompanying iptables patches are available at
> >
> > http://git.balabit.hu/bazsi/iptables-tproxy.git
> >
> > There are some things left to do:
> >
> > * the recognition of related ICMPv6 packets is missing (from xt_socket.c)
> >
> > * I should probably split xt_TPROXY/xt_socket to IPv4 and IPv6 modules, as
> > right now those depend on both stacks at the same time.
> >
> > I'm on a holiday right now, thus I might not respond to comments in a timely
> > manner, however I'm interested in any comments/feedback nevertheless.
> >
> > Harry, I didn't remember that you actually wanted to work on TProxy for
> > IPv6, I just vaguely remembered that there was someone asking for IPv6
> > support, thus I implemented this without being in the know. If you started
> > hacking, I hope that we didn't completely duplicate effort. I'd appreciate
> > help in the missing bits and/or testing whichever fits you best.
> >
> > Also, I have written a Python test script to test TProxy functionality
> > automatically both for IPv4 and IPv6, I can post that as well if anyone is
> > interested.
>
> I'm interested :)
>
> Now that you have done this I'm going to have to find a robust userland
> run-time test to see if the underlying TPROXY is v4-only or v6-enabled.
> If anyone has suggestions they would be welcome.
>
> Thank you very much by the way.

The script I wrote is not a runtime test, it is a functional test that
tests various TPROXY scenarios for proper functionality.

It basically assumes that:

1) you run it on the 'client' host, and it has ssh connectivity to the
   'tproxy' host
2) it assumes that IP/route configuration is already prepared
3) it uses hardwired IP addresses, but generates iptables/ip6tables rules
   automatically

I used a virtual machine running on my development computer to do the
testing.

IPv6 topology:

dead:1::1/64 is the client
dead:1::2/64 is the proxy box
dead:2::1/64 is the server behind the proxy box

The script basically copies an agent script to the other box
(test-agent.py) and uses that to change iptables config/start listeners
as needed. It then initiates tcp/udp connections to the target host and
checks if the proper listener received the new connection or a bogus one.

I'm not that responsive these days, but I'm glad to help.

Last but not least, here's the gitweb interface:

http://git.balabit.hu/?p=bazsi/tproxy-test.git;a=summary

and the git URL

git://git.balabit.hu/bazsi/tproxy-test.git

--
Bazsi
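
Added example (not part of the original thread or of the tproxy-test repository): one way to approach the userland run-time check Amos asks about, by probing per address family whether the kernel accepts the transparent socket option. It assumes the IPv6 side is exposed as IPV6_TRANSPARENT (option 75), as in mainline Linux, and it checks socket-level support only, not whether the xt_TPROXY/xt_socket rules are usable; the function names are hypothetical.

```python
import errno
import socket

# Linux option numbers from <linux/in.h> and <linux/in6.h>, defined here
# because not every Python build exports them from the socket module.
# Assumption: the running kernel uses the mainline numbering.
IP_TRANSPARENT = 19
IPV6_TRANSPARENT = 75

PROBES = {
    socket.AF_INET: (socket.IPPROTO_IP, IP_TRANSPARENT),
    socket.AF_INET6: (socket.IPPROTO_IPV6, IPV6_TRANSPARENT),
}


def classify(err):
    """Map a probe errno (None means success) to a verdict string."""
    if err is None:
        return "supported"
    if err == errno.EPERM:
        # The kernel recognised the option but the caller lacks
        # CAP_NET_ADMIN, so support is present.
        return "supported-unprivileged"
    if err in (errno.ENOPROTOOPT, errno.EAFNOSUPPORT):
        # Unknown option, or no stack for this address family at all.
        return "unsupported"
    return "unknown"


def probe(family):
    """Try to enable the transparent option on a throwaway socket."""
    level, option = PROBES[family]
    try:
        sock = socket.socket(family, socket.SOCK_STREAM)
    except OSError as exc:
        return classify(exc.errno)
    try:
        sock.setsockopt(level, option, 1)
        return classify(None)
    except OSError as exc:
        return classify(exc.errno)
    finally:
        sock.close()


def tproxy_families():
    """Return a verdict for each address family."""
    return {"ipv4": probe(socket.AF_INET), "ipv6": probe(socket.AF_INET6)}


if __name__ == "__main__":
    for name, verdict in tproxy_families().items():
        print(name, verdict)
```

A proxy can run this at startup and fall back to IPv4-only interception when the "ipv6" verdict is "unsupported".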