Balazs Scheidler wrote:
On Fri, 2009-09-04 at 18:07 +1200, Amos Jeffries wrote:
Balazs Scheidler wrote:
[ Sorry if this reaches you twice, I sent to the wrong address the first time ]
I've just pushed a set of patches that implement TProxy for IPv6 to
http://git.balabit.hu/bazsi/tproxy-2.6.git
The patches are also posted in reply to this mail.
Although some work is still needed, basic testing shows that it works all
right.
The accompanying iptables patches are available at
http://git.balabit.hu/bazsi/iptables-tproxy.git
There are some things left to do:
* the recognition of related ICMPv6 packets is missing (from xt_socket.c)
* I should probably split xt_TPROXY/xt_socket to IPv4 and IPv6 modules, as
right now those depend on both stacks at the same time.
I'm on a holiday right now, thus I might not respond to comments in a timely
manner, however I'm interested in any comments/feedback nevertheless.
Harry, I didn't remember that you actually wanted to work on TProxy for
IPv6, I just vaguely remembered that there was someone asking for IPv6
support, thus I implemented this without being in the know. If you started
hacking, I hope that we didn't completely duplicate effort. I'd appreciate
help in the missing bits and/or testing whichever fits you best.
Also, I have written a Python test script to test TProxy functionality
automatically both for IPv4 and IPv6, I can post that as well if anyone is
interested.
I'm interested :)
Now that you have done this I'm going to have to find a robust userland
run-time test to see if the underlying TPROXY is v4-only or v6-enabled.
If anyone has suggestions they would be welcome.
Thank you very much by the way.
The script I wrote is not a runtime test, it is a functional test that
tests various TPROXY scenarios for proper functionality.
It basically assumes that:
1) you run it on the 'client' host, and it has ssh connectivity to the
'tproxy' host
2) it assumes that IP/route configuration is already prepared
3) it uses hardwired IP addresses, but generates iptables/ip6tables
rules automatically
I used a virtual machine running on my development computer to do the
testing.
IPV6 topology:
dead:1::1/64 is the client
dead:1::2/64 is the proxy box
dead:2::1/64 is the server behind the proxy box
The script basically copies an agent script to the other box
(test-agent.py) and uses that to change iptables config/start listeners
as needed. Then initiates tcp/udp connections to the target host and
checks if the proper listener received the new connection or a bogus
one.
I'm not that responsive these days, but I'm glad to help.
Last but not least, here's the gitweb interface:
http://git.balabit.hu/?p=bazsi/tproxy-test.git;a=summary
and the git URL
git://git.balabit.hu/bazsi/tproxy-test.git
I thought it was something like that. Thanks.
This is going to be helpful testing the various distro packages to see
what they have turned on/off. The newest FAQ for our users.
AYJ