From: KOVACS Krisztian <hidden@sch.bme.hu>
To: David Miller <davem@davemloft.net>
Cc: Patrick McHardy <kaber@trash.net>,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: [net-next PATCH 00/16] Transparent proxying patches, take six
Date: Wed, 01 Oct 2008 16:24:31 +0200 [thread overview]
Message-ID: <20081001142431.4893.48078.stgit@este> (raw)
Hi Dave,
This is the sixth round of transparent proxying patches recently
discussed on the Netfilter Workshop. Since the last incarnation [1]
we've added support for related ICMP packets in the socket
match. Should apply cleanly on top of net-next-2.6. Could you please
apply patches 1-11 (those touching core networking parts) and I'll ask
Patrick McHardy to take care of patches 12-16 (the Netfilter parts).
The aim of the patchset is to make non-locally bound sockets work both
for receiving and sending. The target is IPv4 TCP/UDP at the moment.
Speaking of the patches, there are two big parts:
* Output path (patches 1-7): these modifications make it possible to
send IPv4 datagrams with non-local source IP address by:
- Introducing a new flowi flag (FLOWI_FLAG_ANYSRC) which disables
source address checking in ip_route_output_slow(). This is
also necessary for some of the tricks LVS does. [2]
- Adding the IP_TRANSPARENT socket option (setting this requires
CAP_NET_ADMIN to prevent source address spoofing).
- Gluing these together across the TCP/UDP code.
* Input path (patches 8-15): these changes add redirection support
for TCP along with an iptables target implementing NAT-less traffic
interception, and an iptables match to make ahead-of-time socket
lookups on PREROUTING. These combined with a set of iptables rules
and policy routing make non-locally bound sockets work.
- IPv4 TCP and UDP input path is modified to use this stored socket
reference if it's present.
- Netfilter IPv4 defragmentation is split into a separate
module. (This could make sense independently of tproxy and
conntrack, for example to have a stateless firewall which still
does fragment reassembly.)
- The 'socket' iptables match does a socket lookup on the
destination address and matches if a socket was found.
- The 'TPROXY' iptables target provides a way to intercept traffic
without NAT -- it does an ahead-of-time socket lookup on the
configured address and caches the socket reference in the skb.
The last patch adds a short intro on how to use it. A trivial patch
for netcat demonstrating the necessary modifications for proxies is
available separately at [3]. Squid has support for it in the 3.HEAD
(3.1) branch.
References:
[1] http://lwn.net/Articles/254527/
[2] http://marc.info/?l=linux-netdev&m=118065358510836&...
[3] http://people.netfilter.org/hidden/tproxy/netcat-ip_trans...
--
KOVACS Krisztian
next reply other threads:[~2008-10-01 14:24 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-10-01 14:24 KOVACS Krisztian [this message]
2008-10-01 14:24 ` [net-next PATCH 09/16] Export UDP socket lookup function KOVACS Krisztian
2008-10-01 14:48 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 06/16] Handle TCP SYN+ACK/ACK/RST transparency KOVACS Krisztian
2008-10-01 14:42 ` David Miller
2008-10-01 14:46 ` KOVACS Krisztian
2008-10-01 14:24 ` [net-next PATCH 05/16] Conditionally enable transparent flow flag when connecting KOVACS Krisztian
2008-10-01 14:36 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 01/16] Loosen source address check on IPv4 output KOVACS Krisztian
2008-10-01 14:28 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 08/16] Port redirection support for TCP KOVACS Krisztian
2008-10-01 14:47 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 04/16] Make inet_sock.h independent of route.h KOVACS Krisztian
2008-10-01 14:34 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 16/16] Add documentation KOVACS Krisztian
2008-10-01 16:22 ` Randy Dunlap
2008-10-02 9:37 ` [RESEND net-next " KOVACS Krisztian
2008-10-02 9:38 ` Patrick McHardy
2008-10-03 14:01 ` [net-next " Jan Engelhardt
2008-10-07 7:01 ` KOVACS Krisztian
2008-10-07 13:25 ` [patch] Update tproxy documentation Jan Engelhardt
2008-10-07 19:50 ` [net-next PATCH 16/16] Add documentation David Miller
2008-10-07 20:02 ` KOVACS Krisztian
2008-10-07 20:47 ` Patrick McHardy
2008-10-07 20:53 ` David Miller
2008-10-08 0:32 ` Philip Craig
2008-10-01 14:24 ` [net-next PATCH 13/16] iptables tproxy core KOVACS Krisztian
2008-10-02 9:19 ` Patrick McHardy
2008-10-01 14:24 ` [net-next PATCH 14/16] iptables socket match KOVACS Krisztian
2008-10-02 9:26 ` Patrick McHardy
2008-10-02 10:26 ` KOVACS Krisztian
2008-10-02 10:35 ` Patrick McHardy
2008-10-03 14:04 ` Jan Engelhardt
2008-10-01 14:24 ` [net-next PATCH 11/16] Don't lookup the socket if there's a socket attached to the skb KOVACS Krisztian
2008-10-01 14:24 ` [net-next PATCH 02/16] Implement IP_TRANSPARENT socket option KOVACS Krisztian
2008-10-01 14:30 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 12/16] Split Netfilter IPv4 defragmentation into a separate module KOVACS Krisztian
2008-10-02 9:18 ` Patrick McHardy
2008-10-01 14:24 ` [net-next PATCH 10/16] Don't lookup the socket if there's a socket attached to the skb KOVACS Krisztian
2008-10-01 14:50 ` David Miller
2008-10-01 15:38 ` KOVACS Krisztian
2008-10-01 15:51 ` David Miller
2008-10-02 15:43 ` KOVACS Krisztian
2008-10-02 17:09 ` Arnaldo Carvalho de Melo
2008-10-02 19:58 ` David Miller
2008-10-03 8:57 ` KOVACS Krisztian
2008-10-03 13:47 ` Arnaldo Carvalho de Melo
2008-10-07 7:36 ` KOVACS Krisztian
2008-10-07 12:36 ` Arnaldo Carvalho de Melo
2008-10-07 18:42 ` David Miller
2008-10-07 7:42 ` [net-next PATCH] Add udplib_lookup_skb() helpers (was: [net-next PATCH 10/16] Don't lookup the socket if there's a socket attached to the skb) KOVACS Krisztian
2008-10-07 12:34 ` Arnaldo Carvalho de Melo
2008-10-07 19:39 ` [net-next PATCH] Add udplib_lookup_skb() helpers David Miller
2008-10-07 7:59 ` [net-next PATCH] Don't lookup the socket if there's a socket attached to the skb (was: Re: [net-next PATCH 10/16] Don't lookup the socket if there's a socket attached to the skb) KOVACS Krisztian
2008-10-07 12:36 ` Arnaldo Carvalho de Melo
2008-10-07 19:41 ` [net-next PATCH] Don't lookup the socket if there's a socket attached to the skb David Miller
2008-10-01 14:24 ` [net-next PATCH 07/16] Make Netfilter's ip_route_me_harder() non-local address compatible KOVACS Krisztian
2008-10-01 14:45 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 03/16] Allow binding to non-local addresses if IP_TRANSPARENT is set KOVACS Krisztian
2008-10-01 14:31 ` David Miller
2008-10-01 14:24 ` [net-next PATCH 15/16] iptables TPROXY target KOVACS Krisztian
2008-10-02 9:28 ` Patrick McHardy
2008-10-02 13:20 ` [net-next PATCH 00/16] Transparent proxying patches, take six Amos Jeffries
2008-10-02 15:38 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20081001142431.4893.48078.stgit@este \
--to=hidden@sch.bme.hu \
--cc=davem@davemloft.net \
--cc=kaber@trash.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.