Hi,

On Monday 17 October 2005 16.08, Andrew Cant wrote:
> I have done some quick searches, and reviewed the TPROXY
> documentation but I have not found an answer to the question of
> whether I should be using the TPROXY target for a simple transparent
> proxy. (i.e., not listening on a foreign address and not reporting a
> foreign address as a source)
>
> Currently, the system that I am working on is using the REDIRECT
> target to transparently catch port 80 traffic and redirect it
> locally for either caching or authentication. Is there any benefit to
> using the TPROXY target in this case? I have not been able to find
> anything that explains what the differences between the two targets
> would be in this simple case.

No, you shouldn't. The TPROXY target differs from REDIRECT in the following aspects:

* only works in the 'tproxy' table
* saves the original destination address in the IPCB, so that the user-space proxy will be able to get this information using recvmsg()
* sets a special status bit in the conntrack so the 'tproxy' match will match any packets belonging to that connection

So, to sum it up, you probably don't want to use TPROXY instead of REDIRECT. (Especially if you redirect TCP traffic only, where ip_conntrack provides a getsockopt() to get the original destination address.)

-- 
Regards,
Krisztian Kovacs