From: KOVACS Krisztian <hidden@sch.bme.hu>
To: Jambunathan Kalyanasundaram <k_jambunathan@yahoo.co.uk>
Cc: Henrik Nordstrom <hno@marasystems.com>,
	netfilter-devel@lists.netfilter.org, netdev@oss.sgi.com
Subject: Re: TProxy, 2.4 Kernel and NetFilter
Date: Wed, 11 Feb 2004 20:58:38 +0100
Message-ID: <20040211195838.GA11552@sch.bme.hu>

  Hi,

On Wed, Feb 11, 2004 at 08:49:33AM +0100, Henrik Nordstrom wrote:
> > 2) But if I am not really interested in the overheads
> > imposed by the NetFilter, the only option is to patch
> > the Linux kernel with Balazs Scheidler's patch.
> 
> Not sure this has less overhead.

  I'm sure it hasn't. TProxy was never intended to be a "faster redirect",
or something like that. If you do not care about almost full transparent
proxying, you don't need TProxy at all.

  The TProxy patch can be used to make the proxy transparent from both
sides: the client sends the packets to the server's IP, and the server
sees packets coming from the client's IP. However, this needs user-space
support in the proxy itself. And Gianni Tedesco's latest TProxy support
patch for Squid is known to be broken...

> > If I don't like something as heavyweight as Netfilter
> > and something that is as "non standard" as patching
> > the kernel, are there any ways out?
> 
> Yes, by configuring the client to use the proxy.

  Completely true. This is _the_ way to go if you can set all clients to
use the proxy.

> If it is a normal Internet proxy environment where the number of clients 
> is limited, and the proxy supports per-user selection of the outgoing 
> address (Squid does), then it is possible with the help of NAT.
> 
> 1. Set up as many IP aliases on the proxy server as you have clients. Use
> one of the unassigned networks.
> 
> 2. Configure the proxy to use one IP alias per client IP address.
> 
> 3. Configure iptables NAT rules in OUTPUT to NAT these IP aliases back to
> the client IP address.

  Hmm... What a solution! :)

> If it is a reverse proxy or other environment where the client addresses 
> are not limited then this obviously can not be done and you must use the 
> tproxy patch.

  As I wrote, the patch for Squid would need some fixes before actually
using it... Unfortunately I don't know enough about Squid to be able to
make those fixes.

-- 
 KOVACS Krisztian

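Henrik's three-step alias-plus-NAT workaround quoted above, rendered as a small configuration generator. This is an added example and is not code from the thread, from Squid or from the TProxy patch. Everything concrete in it is an assumption for illustration: a constructed client list in 192.0.2.0/24, an alias pool in 10.200.0.0/24 standing in for "one of the unassigned networks", and an outbound interface named eth0. Squid's `acl` and `tcp_outgoing_address` directives are real. One caveat the step list glosses over: iptables' SNAT target is only accepted in the nat table's POSTROUTING chain (nat OUTPUT takes DNAT/REDIRECT only), so the alias-to-client rewrite is emitted in POSTROUTING, which locally generated packets traverse as well. conntrack undoes the mapping on the server's replies, which therefore have to come back through the proxy box: it must be the clients' gateway, exactly as with TProxy.

```shell
#!/bin/sh
# Added example: Henrik's per-client alias + NAT workaround as a config generator.
# Not code from the thread or from Squid. The client list, alias pool and
# interface name below are constructed assumptions for illustration.

CLIENTS="192.0.2.10 192.0.2.11 192.0.2.12"  # constructed sample client addresses
ALIAS_NET="10.200.0"                        # stand-in for "one of the unassigned networks"
EXT_IF="eth0"                               # proxy's outbound interface (assumption)

# alias_for N: the N-th alias address; one alias per client, in list order.
alias_for() {
    echo "${ALIAS_NET}.$1"
}

# for_each_client CALLBACK: call CALLBACK <index> <client_ip> <alias_ip> per client.
for_each_client() {
    n=1
    for c in $CLIENTS; do
        "$1" "$n" "$c" "$(alias_for "$n")"
        n=$((n + 1))
    done
}

# Step 1: one IP alias per client on the outbound interface.
emit_alias() { echo "ip addr add $3/32 dev $EXT_IF"; }
alias_cmds() { for_each_client emit_alias; }

# Step 2: squid.conf lines binding each client's requests to its own alias
# (acl and tcp_outgoing_address are real Squid directives).
emit_squid() {
    echo "acl client_$1 src $2"
    echo "tcp_outgoing_address $3 client_$1"
}
squid_conf() { for_each_client emit_squid; }

# Step 3: rewrite the alias back to the client's address on the way out.
# SNAT is only valid in nat/POSTROUTING, which locally generated packets also
# traverse, so the rule lives there rather than in OUTPUT. conntrack reverses
# the mapping on the server's replies, which must therefore route through
# this box (it has to be the clients' gateway, as TProxy also requires).
emit_nat() {
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $3 -j SNAT --to-source $2"
}
nat_cmds() { for_each_client emit_nat; }

# Dry run by default; 'sh this.sh apply' pipes the generated commands to a
# shell and must be run as root.
case "${1:-}" in
    apply) { alias_cmds; nat_cmds; } | sh ;;
    *)     alias_cmds; nat_cmds; echo "# squid.conf:"; squid_conf ;;
esac
```

Run without arguments to review the `ip addr`, `iptables` and squid.conf lines it would produce; the alias and SNAT counts must match the client count, and the proxy's default route for the clients must point at this host or the de-NATed replies never arrive.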
Thread overview: 3+ messages
2004-02-11 19:58 KOVACS Krisztian [this message]
  -- strict thread matches above, loose matches on Subject: below --
2004-02-09  7:56 TProxy, 2.4 Kernel and NetFilter Jambunathan Kalyanasundaram
2004-02-11  7:49 ` Henrik Nordstrom