* Request: including tproxy patch to official iptables/kernel.
From: Yoshioka Tsuneo @ 2006-10-16 3:17 UTC
To: netfilter-devel
Hello netfilter developers
There is a tproxy patch for netfilter (iptables).
tproxy enables an application to set the source IP address.
I think that only the tproxy patch can enable a transparent proxy that keeps
source IP addresses.
And, until now, tproxy has been developed and used for a long time, and seems
stable enough to include in the official iptables/kernel release. There is also a patch
for the latest kernel.
So, I would like to suggest including the tproxy patch in the official
iptables/kernel release.
Can you think about including this patch in the official iptables/kernel
release, if possible ?
TPROXY
http://www.balabit.com/products/oss/tproxy/
patch-o-matic extra repository
tproxy - iptables TPROXY target
http://www.iptables.org/projects/patch-o-matic/pom-extra.html#pom-extra-tproxy
Thank you !
--
Nihon F-Secure Corporation
(Yoshioka Tsuneo)
E-MAIL: Tsuneo.Yoshioka@f-secure.com

* Re: Request: including tproxy patch to official iptables/kernel.
From: Patrick McHardy @ 2006-10-16 5:48 UTC
To: Yoshioka Tsuneo; +Cc: netfilter-devel
Yoshioka Tsuneo wrote:
> Hello netfilter developers
>
> There is a tproxy patch for netfilter (iptables).
> tproxy enables an application to set the source IP address.
> I think that only the tproxy patch can enable a transparent proxy that keeps
> source IP addresses.
>
> And, until now, tproxy has been developed and used for a long time, and seems
> stable enough to include in the official iptables/kernel release. There is also a patch
> for the latest kernel.
>
> So, I would like to suggest including the tproxy patch in the official
> iptables/kernel release.
> Can you think about including this patch in the official iptables/kernel
> release, if possible ?
>
> TPROXY
> http://www.balabit.com/products/oss/tproxy/
>
> patch-o-matic extra repository
> tproxy - iptables TPROXY target
> http://www.iptables.org/projects/patch-o-matic/pom-extra.html#pom-extra-tproxy

These look quite old (2.4). The TPROXY developers were working on
a new approach last year at the netfilter workshop, but I don't
know if there was any further progress. Please talk to them directly
and ask them if they want to merge it upstream, and if so to submit
patches.

* Re: Request: including tproxy patch to official iptables/kernel.
From: Yoshioka Tsuneo @ 2006-10-16 7:28 UTC
To: Patrick McHardy; +Cc: netfilter-devel
Hello Patrick McHardy

Thank you for your reply !

> > So, I would like to suggest including the tproxy patch in the official
> > iptables/kernel release.
> > Can you think about including this patch in the official iptables/kernel
> > release, if possible ?
> >
> > TPROXY
> > http://www.balabit.com/products/oss/tproxy/
> >
> > patch-o-matic extra repository
> > tproxy - iptables TPROXY target
> > http://www.iptables.org/projects/patch-o-matic/pom-extra.html#pom-extra-tproxy
>
> These look quite old (2.4). The TPROXY developers were working on
> a new approach last year at the netfilter workshop, but I don't
> know if there was any further progress. Please talk to them directly
> and ask them if they want to merge it upstream, and if so to submit
> patches.

Patches for both kernel 2.4 and 2.6 are available at the following URL.
http://www.balabit.com/downloads/tproxy/linux-2.4/

Now, the following packages are available as the latest version.

cttproxy-2.4.32-2.0.5.tar.gz File 70.47k 09/12/2006
cttproxy-2.4.33-2.0.5.tar.gz File 70.29k 09/12/2006
cttproxy-2.6.16-2.0.5.tar.gz File 55.49k 09/12/2006
cttproxy-2.6.17-2.0.5.tar.gz File 55.64k 09/12/2006
cttproxy-2.6.18-2.0.5.tar.gz File 55.58k 09/12/2006

Is there any other thing I or the patch developer can do ?
I would appreciate it if you can merge these patches to the official
iptables/release. How about it ?

Thank you !
--
Nihon F-Secure Corporation
(Yoshioka Tsuneo)
E-MAIL: Tsuneo.Yoshioka@f-secure.com

* Re: Request: including tproxy patch to official iptables/kernel.
From: Patrick McHardy @ 2006-10-16 7:56 UTC
To: Yoshioka Tsuneo; +Cc: netfilter-devel
Yoshioka Tsuneo wrote:
> I would appreciate it if you can merge these patches to the official
> iptables/release. How about it ?

Again, please talk to the TPROXY developers and ask them to submit
patches in case they want to merge it.

* Re: Request: including tproxy patch to official iptables/kernel.
From: KOVACS Krisztian @ 2006-10-17 14:38 UTC
To: netfilter-devel; +Cc: Yoshioka Tsuneo, Patrick McHardy, tproxy
Hi,

On Monday 16 October 2006 07:48, Patrick McHardy wrote:
> > So, I would like to suggest including the tproxy patch in the official
> > iptables/kernel release.
>
> These look quite old (2.4). The TPROXY developers were working on
> a new approach last year at the netfilter workshop, but I don't
> know if there was any further progress. Please talk to them directly
> and ask them if they want to merge it upstream, and if so to submit
> patches.

Yes, there was significant progress since then, we're testing the
patches at the moment. There still are a couple of problems with the new
approach, but it certainly looks promising. I'll post the patches on
netfilter-devel for review and comments as soon as things have settled
down a bit.

Instead of trying to get the 2.0 branch of tproxy merged into mainline
we're concentrating our efforts on getting the new code working. As the
maintainer of the current tproxy patchset, I do not consider it clean and
safe enough to have it merged upstream.

Moreover, I think there's no general consensus between networking
maintainers whether or not the features tproxy provides are worth the
hassles. Transparent proxying features have been removed during the 2.3
development as there seemed little interest in those. Of course there are
a handful of companies interested in having the feature in mainline, but
let's face the facts: the majority of users do not care about tproxy.
That's why I don't even try to get it merged.

--
Regards,
Krisztian Kovacs

* Re: [tproxy] Re: Request: including tproxy patch to official iptables/kernel.
From: Lennert Buytenhek @ 2006-10-17 15:01 UTC
To: KOVACS Krisztian
Cc: Yoshioka Tsuneo, netfilter-devel, Patrick McHardy, tproxy
On Tue, Oct 17, 2006 at 04:38:24PM +0200, KOVACS Krisztian wrote:
> Moreover, I think there's no general consensus between networking
> maintainers whether or not the features tproxy provides are worth the
> hassles. Transparent proxying features have been removed during the 2.3
> development as there seemed little interest in those. Of course there are
> a handful of companies interested in having the feature in mainline, but
> let's face the facts: the majority of users do not care about tproxy.

There's other features and drivers in Linux where a similar thing
applies. If tproxy doesn't get into the way when it's not used or
turned off, why shouldn't it be merged?

cheers,
Lennert

* Re: [tproxy] Re: Request: including tproxy patch to official iptables/kernel.
From: Patrick McHardy @ 2006-10-19 14:53 UTC
To: Lennert Buytenhek
Cc: Yoshioka Tsuneo, netfilter-devel, tproxy, KOVACS Krisztian
Lennert Buytenhek wrote:
> On Tue, Oct 17, 2006 at 04:38:24PM +0200, KOVACS Krisztian wrote:
>
> > Moreover, I think there's no general consensus between networking
> > maintainers whether or not the features tproxy provides are worth the
> > hassles. Transparent proxying features have been removed during the 2.3
> > development as there seemed little interest in those. Of course there are
> > a handful of companies interested in having the feature in mainline, but
> > let's face the facts: the majority of users do not care about tproxy.
>
> There's other features and drivers in Linux where a similar thing
> applies. If tproxy doesn't get into the way when it's not used or
> turned off, why shouldn't it be merged?

That's exactly what I was going to say :)

* Re: [tproxy] Re: Request: including tproxy patch to official iptables/kernel.
From: Yoshioka Tsuneo @ 2006-10-17 16:17 UTC
To: KOVACS Krisztian; +Cc: netfilter-devel, Patrick McHardy, tproxy
Hello KOVACS Krisztian

> Yes, there was significant progress since then, we're testing the
> patches at the moment. There still are a couple of problems with the new
> approach, but it certainly looks promising. I'll post the patches on
> netfilter-devel for review and comments as soon as things have settled
> down a bit.

Thank you for planning a new tproxy version.
I'm looking forward to the new version !

> Moreover, I think there's no general consensus between networking
> maintainers whether or not the features tproxy provides are worth the
> hassles. Transparent proxying features have been removed during the 2.3
> development as there seemed little interest in those. Of course there are
> a handful of companies interested in having the feature in mainline, but
> let's face the facts: the majority of users do not care about tproxy.
> That's why I don't even try to get it merged.

I think that this is not such a minor request.
As far as I have heard, most transparent-proxy users want to keep the source IP
address, if possible.
Changing the source IP address prevents IP address based access control or
makes it difficult to analyze log files, or tracing.
Some appliance servers can keep source IP addresses, but I think that it
is better that normal kernel users can use this feature without difficulty,
too.

Thank you !
--
Nihon F-Secure Corporation
(Yoshioka Tsuneo)
E-MAIL: Tsuneo.Yoshioka@f-secure.com

>
> Hi,
>
> On Monday 16 October 2006 07:48, Patrick McHardy wrote:
> > > So, I would like to suggest including the tproxy patch in the official
> > > iptables/kernel release.
> >
> > These look quite old (2.4). The TPROXY developers were working on
> > a new approach last year at the netfilter workshop, but I don't
> > know if there was any further progress. Please talk to them directly
> > and ask them if they want to merge it upstream, and if so to submit
> > patches.
>
> Yes, there was significant progress since then, we're testing the
> patches at the moment. There still are a couple of problems with the new
> approach, but it certainly looks promising. I'll post the patches on
> netfilter-devel for review and comments as soon as things have settled
> down a bit.
>
> Instead of trying to get the 2.0 branch of tproxy merged into mainline
> we're concentrating our efforts on getting the new code working. As the
> maintainer of the current tproxy patchset, I do not consider it clean and
> safe enough to have it merged upstream.
>
> Moreover, I think there's no general consensus between networking
> maintainers whether or not the features tproxy provides are worth the
> hassles. Transparent proxying features have been removed during the 2.3
> development as there seemed little interest in those. Of course there are
> a handful of companies interested in having the feature in mainline, but
> let's face the facts: the majority of users do not care about tproxy.
> That's why I don't even try to get it merged.
>
> --
> Regards,
> Krisztian Kovacs
> _______________________________________________
> tproxy mailing list
> tproxy@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/tproxy

* Re: Request: including tproxy patch to official iptables/kernel.
From: Patrick McHardy @ 2006-10-19 14:58 UTC
To: KOVACS Krisztian; +Cc: Yoshioka Tsuneo, netfilter-devel, tproxy
KOVACS Krisztian wrote:
> Yes, there was significant progress since then, we're testing the
> patches at the moment. There still are a couple of problems with the new
> approach, but it certainly looks promising. I'll post the patches on
> netfilter-devel for review and comments as soon as things have settled
> down a bit.

Great.

> Instead of trying to get the 2.0 branch of tproxy merged into mainline
> we're concentrating our efforts on getting the new code working. As the
> maintainer of the current tproxy patchset, I do not consider it clean and
> safe enough to have it merged upstream.

Yes, the old patches are a bit risky I think. But the new approach
(in case it's still the same) looked like a nice way.

> Moreover, I think there's no general consensus between networking
> maintainers whether or not the features tproxy provides are worth the
> hassles. Transparent proxying features have been removed during the 2.3
> development as there seemed little interest in those. Of course there are
> a handful of companies interested in having the feature in mainline, but
> let's face the facts: the majority of users do not care about tproxy.
> That's why I don't even try to get it merged.

I have no problem with that if it doesn't affect users not using it.