* TPROXY vs REDIRECT
@ 2005-10-17 14:08 Andrew Cant
  0 siblings, 0 replies; 2+ messages in thread
From: Andrew Cant @ 2005-10-17 14:08 UTC (permalink / raw)
  To: netfilter

I have done some quick searches, and reviewed the TPROXY documentation but I
have not found an answer to the question of whether I should be using the
TPROXY target for a simple transparent proxy. (i.e., not listening on a
foreign address and not reporting a foreign address as a source)

Currently, the system that I am working on is using the REDIRECT targets to
transparently catch port 80 traffic and redirect it locally for either
caching or authentication. Is there any benefit to using the TPROXY target
in this case? I have not been able to find anything that explains what the
differences between the two targets would be in this simple case.

Thanks

Andrew

-----------------------------------
Andrew Cant
Developer
LogiSense Corporation
"IP Billing and Traffic Management"
  
e: acant@logisense.com
p: 1-519-249-0508 x4108
w: www.logisense.com
weblog: http://blog.logisense.com
forum: https://ssl.logisense.com/support/forum 


* Re: TPROXY vs REDIRECT
       [not found] <20051017140908.B73ED4C11C@lists.balabit.hu>
@ 2005-10-17 14:32 ` KOVACS Krisztian
  0 siblings, 0 replies; 2+ messages in thread
From: KOVACS Krisztian @ 2005-10-17 14:32 UTC (permalink / raw)
  To: netfilter


  Hi,

On Monday 17 October 2005 16.08, Andrew Cant wrote:
> I have done some quick searches, and reviewed the TPROXY
> documentation but I have not found an answer to the question of
> whether I should be using the TPROXY target for a simple transparent
> proxy. (i.e., not listening on a foreign address and not reporting a
> foreign address as a source)
>
> Currently, the system that I am working on is using the REDIRECT
> targets to transparently catch port 80 traffic and redirect it
> locally for either caching or authentication. Is there any benefit to
> using the TPROXY target in this case? I have not been able to find
> anything that explains what the differences between the two targets
> would be in this simple case.

  No, you shouldn't. The TPROXY target differs from REDIRECT in the 
following aspects:

* only works in the 'tproxy' table
* saves the original destination address in the IPCB, so that the 
user-space proxy will be able to get this information using recvmsg()
* sets a special status bit in the conntrack so the 'tproxy' match will 
match any packets belonging to that connection

  So, to sum it up, you probably don't want to use TPROXY instead of 
REDIRECT. (Especially if you redirect TCP traffic only, where the 
ip_conntrack provides a getsockopt() to get the original destination 
address.)

-- 
 Regards,
  Krisztian Kovacs
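
The getsockopt() lookup mentioned in the reply above, sketched as an added example; it is not code from the thread or from netfilter. It assumes IPv4 TCP sockets accepted behind a REDIRECT rule. `was_redirected` and `format_endpoint` are hypothetical helper names, and `SO_ORIGINAL_DST` is defined locally with the value used in `<linux/netfilter_ipv4.h>`.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#ifndef SOL_IP
#define SOL_IP IPPROTO_IP
#endif
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80 /* same value as in <linux/netfilter_ipv4.h> */
#endif

/* Ask conntrack for the destination the client originally dialled.
 * Returns 0 on success, -1 on failure (bad fd, no conntrack entry, not IPv4). */
int original_dst(int fd, struct sockaddr_in *dst)
{
    socklen_t len = sizeof(*dst);

    memset(dst, 0, sizeof(*dst));
    if (getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, dst, &len) < 0)
        return -1;
    return (len == sizeof(*dst) && dst->sin_family == AF_INET) ? 0 : -1;
}

/* Hypothetical helper: a client that dialled the proxy port directly has an
 * original destination equal to the socket's local address (getsockname());
 * forwarding such a request "to its origin" would loop back into the proxy. */
int was_redirected(const struct sockaddr_in *orig, const struct sockaddr_in *local)
{
    return orig->sin_addr.s_addr != local->sin_addr.s_addr ||
           orig->sin_port != local->sin_port;
}

/* Render "a.b.c.d:port" for logging; 0 on success, -1 if buf is too small. */
int format_endpoint(const struct sockaddr_in *sa, char *buf, size_t n)
{
    char ip[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof(ip)))
        return -1;
    int w = snprintf(buf, n, "%s:%u", ip, (unsigned)ntohs(sa->sin_port));
    return (w > 0 && (size_t)w < n) ? 0 : -1;
}

int main(void)
{
    struct sockaddr_in dst;
    if (original_dst(0, &dst) < 0) /* fd 0 is not a redirected TCP socket */
        puts("no original destination available for fd 0");
    return 0;
}
```

In a proxy, `original_dst()` would be called on each descriptor returned by accept(), with `was_redirected()` compared against getsockname() on the same descriptor before connecting onward.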

