* Transparent proxy non-local bind conflict.
@ 2003-04-07 19:09 dmorris
From: dmorris @ 2003-04-07 19:09 UTC (permalink / raw)
  To: netfilter-devel

Hello all,

I'm writing a transparent proxy app, which uses the non-local binding
patch and friends here:
http://www.neogenen.com/patches/netcap.kernel-2.5.66.040303.patch

Here's the typical setup:
[box A] <----------> [box T] <--------> [box B]

Here's a step-by-step play.
A makes a connection to B, which T uses REDIRECT to direct to the
transparent proxy app.
T then gets the original (dst,port) and original (src,port), binds the
socket to the original (src,port) and makes a connection to the original
(dst,port).

And here's the problem I'm having:
The second connection (t->b) fails. T sends a SYN to B,
B replies with a SYN/ACK (to what it thinks is A, but is actually T),
but T rejects it with a RST.

The reason for this, I suspect, is that there are two connections (a->t
and b->t) with the exact same 5-tuple (protocol, src, dst, src-port,
dst-port), and so ip_conntrack kills the second connection. 
(I must have ip_conntrack to do the redirection)
So does anyone have any ideas how I can break ip_conntrack to handle 
both connections, or perhaps ignore the second one?

thanks,
-dirk 
 

-- 
//* */   dmorris   (* www.neogenen.com *)
main(){int _=0;for(;_!=1687193639&&putchar(" \
dn\nc@oge.m"[abs(_%11)]);_=(_*42913)+115127);}
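The post's suspicion (two flows sharing one 5-tuple, so the tracker cannot keep them apart) can be replayed in a small model of a connection-tracking table. The following is an added example, not code from the post or from ip_conntrack: it keeps a toy table keyed on the original-direction and reply-direction tuples, inserts the REDIRECTed a->t flow, then attempts the proxy's spoofed t->b flow. The addresses, ports, and class and function names (`Tuple5`, `ConntrackModel`, `build_scenario`) are constructed for the illustration; how real conntrack resolves such a clash is not modelled.

```python
"""Toy model of a connection-tracking table keyed on the 5-tuple.

Constructed example: it is not ip_conntrack's code, only a model of the
tuple lookup behaviour the post describes.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Tuple5:
    """One direction of a flow: (protocol, src, sport, dst, dport)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> Tuple5:
        """The same flow seen from the other end (the reply direction)."""
        return Tuple5(self.proto, self.dst, self.dport, self.src, self.sport)


class TupleClash(Exception):
    """Raised when a new flow's tuple is already owned by another flow."""


class ConntrackModel:
    """Maps every tracked tuple (original and reply direction) to a flow name."""

    def __init__(self) -> None:
        self.by_tuple: dict[Tuple5, str] = {}

    def track(self, name: str, orig: Tuple5, reply: Tuple5 | None = None) -> None:
        """Register a flow; the reply tuple differs from reverse(orig) under NAT."""
        reply = reply if reply is not None else orig.reverse()
        for t in (orig, reply):
            owner = self.by_tuple.get(t)
            if owner is not None and owner != name:
                raise TupleClash(f"{name}: tuple {t} already belongs to {owner}")
        self.by_tuple[orig] = name
        self.by_tuple[reply] = name

    def owner(self, t: Tuple5) -> str | None:
        return self.by_tuple.get(t)


# Constructed addresses (RFC 5737 documentation ranges), not from the post.
A, T, B = "192.0.2.1", "192.0.2.2", "198.51.100.10"
A_PORT, B_PORT, PROXY_PORT = 40000, 80, 8080


def build_scenario(spoof_port: int) -> tuple[ConntrackModel, str | None]:
    """Replay the post's two connections; return (table, clash message or None).

    spoof_port is the source port the proxy on T binds (non-locally, as A)
    when it connects out to B. Reusing A's original port reproduces the clash.
    """
    ct = ConntrackModel()
    # 1. A -> B, REDIRECTed by T to its local proxy port: the reply direction
    #    is rewritten to come from T:PROXY_PORT, not from B:80.
    a_to_b = Tuple5("tcp", A, A_PORT, B, B_PORT)
    redirected_reply = Tuple5("tcp", T, PROXY_PORT, A, A_PORT)
    ct.track("a->t (redirected)", a_to_b, redirected_reply)
    # 2. Proxy on T binds A's address and connects to the original destination.
    t_to_b = Tuple5("tcp", A, spoof_port, B, B_PORT)
    try:
        ct.track("t->b (proxy)", t_to_b)
    except TupleClash as exc:
        return ct, str(exc)
    return ct, None


if __name__ == "__main__":
    _, clash = build_scenario(A_PORT)
    print("proxy reuses A's source port:", clash)
    _, clash = build_scenario(A_PORT + 1)
    print("proxy uses a distinct source port:", clash)
```

Run with the original source port and the second `track` call fails because the proxy's outbound tuple is byte-for-byte the tuple already owned by the redirected flow; with any other source port both flows coexist in the table, which is what makes the source port the one degree of freedom in this setup.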
