Hi everyone,
I'm new to iptables and recently met a problem when trying to get
original IP address with getsockopt.
I'm using iptables 1.3.3. Here's the rule:
iptables -t nat -A OUTPUT -m owner --uid-owner <my_user_name> -p tcp
-d 10.0.0.0/8 -j REDIRECT --to-port 9000
It will redirect all tcp packages to my proxy process listening on
9000 port. And my proxy will handles the real connection with out
world.
Here's my code snippet of my proxy app to get the original destination address:
struct sockaddr_in addr;
socklen_t addr_sz = sizeof(addr);
bzero(reinterpret_cast<char*>(
&addr), addr_sz);
addr.sin_family = AF_INET;
if (getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, &addr, &addr_sz) != 0) {
int err = errno;
LOG << "Couldn't read SO_ORIGINAL_DST from socket " << fd
<< " Detail: " << strerror(err);
return false;
}
For most connections this works well. But it randomly gives ENOENT
error: "No such file or directory"... I totally don't know why this
happens. Could anyone enlighten me?
Thanks in advance!
--
Best Regards!
王凯 Kai Wang
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
