From: KOVACS Krisztian <hidden@balabit.hu>
To: netfilter@lists.netfilter.org
Subject: Re: TPROXY vs REDIRECT
Date: Mon, 17 Oct 2005 16:32:49 +0200
Message-ID: <200510171632.49254@nienna>
In-Reply-To: <20051017140908.B73ED4C11C@lists.balabit.hu>
Hi,
On Monday 17 October 2005 16.08, Andrew Cant wrote:
> I have done some quick searches, and reviewed the TPROXY
> documentation but I have not found an answer to the question of
> whether I should be using the TPROXY target for a simple transparent
> proxy. (i.e., not listening on a foreign address and not reporting a
> foreign address as a source)
>
> Currently, the system that I am working on is using the REDIRECT
> targets to transparently catch port 80 traffic and redirect it
> locally for either caching or authentication. Is there any benefit to
> using the TPROXY target in this case? I have not been able to find
> anything that explains what the differences between the two targets
> would be in this simple case.
No, you shouldn't. The TPROXY target differs from REDIRECT in the
following aspects:
* only works in the 'tproxy' table
* saves the original destination address in the IPCB, so that the
user-space proxy will be able to get this information using recvmsg()
* sets a special status bit in the conntrack so the 'tproxy' match will
match any packets belonging to that connection
So, to sum it up, you probably don't want to use TPROXY instead of
REDIRECT. (Especially if you redirect TCP traffic only, where the
ip_conntrack provides a getsockopt() to get the original destination
address.)
--
Regards,
Krisztian Kovacs
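The last point of the reply, that for REDIRECTed TCP traffic ip_conntrack hands the user-space proxy the original destination through a getsockopt() call, is shown below as an added example; it is not code from the original thread or from the TPROXY project. It uses the conntrack option SO_ORIGINAL_DST on the accepted socket, and assumes an iptables rule of the form `iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128` (the port 3128 and the address 192.0.2.10 in the comments are assumptions). It also adds the check a transparent proxy needs in practice: a connection that was never redirected reports the proxy's own address as its "original" destination, and relaying onward to it would loop back into the proxy.

```c
/* Added example (not from the original post): recover the pre-NAT destination
 * of a REDIRECTed TCP connection via ip_conntrack's SO_ORIGINAL_DST getsockopt().
 * Linux-only; assumes "-j REDIRECT --to-ports 3128" in the nat PREROUTING chain. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SOL_IP
#define SOL_IP IPPROTO_IP        /* SOL_IP is the Linux name for level 0 */
#endif
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80       /* value from <linux/netfilter_ipv4.h> */
#endif

#define LISTEN_PORT 3128         /* assumed --to-ports value of the REDIRECT rule */

/* Ask conntrack for the destination the client actually connected to before
 * REDIRECT rewrote it. Returns 0 on success, -1 with errno set if the socket
 * is invalid or conntrack has no entry for the connection. */
int get_original_dst(int fd, struct sockaddr_in *orig)
{
    socklen_t len = sizeof(*orig);
    memset(orig, 0, sizeof(*orig));
    return getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, orig, &len);
}

/* Render "a.b.c.d:port" into buf (always returns buf; "?" on failure). */
const char *format_endpoint(const struct sockaddr_in *sa, char *buf, size_t n)
{
    char ip[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof(ip)) ||
        snprintf(buf, n, "%s:%u", ip, (unsigned)ntohs(sa->sin_port)) >= (int)n)
        snprintf(buf, n, "?");
    return buf;
}

/* A connection that was not REDIRECTed has no NAT mapping, so conntrack's
 * original tuple simply holds the real destination: the proxy itself.
 * Relaying onward to that address would connect the proxy to itself, so such
 * connections must be refused or treated as explicit (non-transparent) ones. */
int is_direct_connection(const struct sockaddr_in *orig,
                         const struct sockaddr_in *local)
{
    return orig->sin_addr.s_addr == local->sin_addr.s_addr &&
           orig->sin_port == local->sin_port;
}

int handle_client(int client)
{
    struct sockaddr_in orig, local;
    socklen_t llen = sizeof(local);
    char obuf[32], lbuf[32];

    if (get_original_dst(client, &orig) < 0) {
        perror("getsockopt(SO_ORIGINAL_DST)");
        return -1;
    }
    if (getsockname(client, (struct sockaddr *)&local, &llen) < 0) {
        perror("getsockname");
        return -1;
    }
    printf("accepted on %s, client originally wanted %s%s\n",
           format_endpoint(&local, lbuf, sizeof lbuf),
           format_endpoint(&orig, obuf, sizeof obuf),
           is_direct_connection(&orig, &local) ? " (direct, not redirected)" : "");
    /* A real proxy would now connect() to orig (unless direct) and relay. */
    return 0;
}

int main(void)
{
    int srv = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(LISTEN_PORT);
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    setsockopt(srv, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(srv, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(srv, 16) < 0) {
        perror("bind/listen");
        return 1;
    }
    for (;;) {
        int c = accept(srv, NULL, NULL);
        if (c < 0) { perror("accept"); continue; }
        handle_client(c);
        close(c);
    }
}
```

Note that SO_ORIGINAL_DST answers only for connections conntrack has seen, so it is of no help for UDP flows that are not tracked or for the foreign-address use cases the reply reserves for TPROXY; the getsockopt() simply fails there.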