From: KOVACS Krisztian <hidden@sch.bme.hu>
To: David Miller <davem@davemloft.net>
Cc: Patrick McHardy <kaber@trash.net>, netdev@vger.kernel.org
Subject: [PATCH 14/14] Add documentation
Date: Sat, 13 Oct 2007 19:36:11 +0200 [thread overview]
Message-ID: <20071013173611.22517.58118.stgit@nessa.odu> (raw)
In-Reply-To: <20071013172857.22517.84760.stgit@nessa.odu>
Add basic usage instructions to Documentation/networking.
Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
---
Documentation/networking/tproxy.txt | 62 +++++++++++++++++++++++++++++++++++
1 files changed, 62 insertions(+), 0 deletions(-)
diff --git a/Documentation/networking/tproxy.txt b/Documentation/networking/tproxy.txt
new file mode 100644
index 0000000..dfcb613
--- /dev/null
+++ b/Documentation/networking/tproxy.txt
@@ -0,0 +1,62 @@
+Transparent proxy support
+=========================
+
+This feature adds Linux 2.2-like transparent proxy support to current kernels.
+To use it, enable NETFILTER_TPROXY, the socket match and the TPROXY target in
+your kernel config. You will need policy routing too, so be sure to enable that
+as well.
+
+1. Making non-local sockets work
+================================
+
+The idea is that you identify packets with destination address matching a local
+socket your box, set the packet mark to a certain value, and then match on that
+value using policy routing to have those packets delivered locally:
+
+# iptables -t mangle -N DIVERT
+# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
+# iptables -t mangle -A DIVERT -j MARK --set-mark 1
+# iptables -t mangle -A DIVERT -j ACCEPT
+
+# ip rule add fwmark 1 lookup 100
+# ip route add local 0.0.0.0/0 dev lo table 100
+
+Because of certain restrictions in the IPv4 routing output code you'll have to
+modify your application to allow it sending datagrams _from_ non-local IP
+addresses. All you have to do is to enable the (SOL_IP, IP_TRANSPARENT) socket
+option before calling bind:
+
+fd = socket(AF_INET, SOCK_STREAM, 0);
+/* - 8< -*/
+int value = 1;
+setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value));
+/* - 8< -*/
+name.sin_family = AF_INET;
+name.sin_port = htons(0xCAFE);
+name.sin_addr.s_addr = htonl(0xDEADBEEF);
+bind(fd, &name, sizeof(name));
+
+A trivial patch for netcat is available here:
+http://people.netfilter.org/hidden/tproxy/netcat-ip_transparent-support.patch
+
+
+2. Redirecting traffic
+======================
+
+Transparent proxying often involves "intercepting" traffic on a router. This is
+usually done with the iptables REDIRECT target, however, there are serious
+limitations of that method. One of the major issues is that it actually
+modifies the packets to change the destination address -- which might not be
+acceptable in certain situations. (Think of proxying UDP for example: you won't
+be able to find out the original destination address. Even in case of TCP
+getting the original destination address is racy.)
+
+The 'TPROXY' target provides similar functionality without relying on NAT. Simply
+add rules like this to the iptables ruleset above:
+
+# iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
+ --tproxy-mark 0x1/0x1 --on-port 50080
+
+Note that for this to work you'll have to modify the proxy to enable (SOL_IP,
+IP_TRANSPARENT) for the listening socket.
+
next prev parent reply other threads:[~2007-10-13 17:39 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-10-13 17:28 [PATCH 00/14] Transparent Proxying Patches, Take 5 KOVACS Krisztian
2007-10-13 17:29 ` [PATCH 01/14] Loosen source address check on IPv4 output KOVACS Krisztian
2007-10-13 17:29 ` [PATCH 02/14] Implement IP_TRANSPARENT socket option KOVACS Krisztian
2007-10-13 17:30 ` [PATCH 03/14] Allow binding to non-local addresses if IP_TRANSPARENT is set KOVACS Krisztian
2007-10-13 17:31 ` [PATCH 04/14] Conditionally enable transparent flow flag when connecting KOVACS Krisztian
2007-10-13 17:31 ` [PATCH 05/14] Handle TCP SYN+ACK/ACK/RST transparency KOVACS Krisztian
2007-10-13 17:32 ` [PATCH 06/14] Port redirection support for TCP KOVACS Krisztian
2007-10-13 17:32 ` [PATCH 07/14] Export UDP socket lookup function KOVACS Krisztian
2007-10-13 17:33 ` [PATCH 08/14] Split Netfilter IPv4 defragmentation into a separate module KOVACS Krisztian
2007-10-13 17:33 ` [PATCH 09/14] iptables tproxy core KOVACS Krisztian
2007-10-13 17:34 ` [PATCH 10/14] iptables socket match KOVACS Krisztian
2007-10-13 17:34 ` [PATCH 11/14] iptables TPROXY target KOVACS Krisztian
2007-10-13 17:35 ` [PATCH 12/14] Don't lookup the socket if there's a socket attached to the skb KOVACS Krisztian
2007-10-13 17:35 ` [PATCH 13/14] " KOVACS Krisztian
2007-10-13 17:36 ` KOVACS Krisztian [this message]
2007-10-13 22:44 ` [PATCH 00/14] Transparent Proxying Patches, Take 5 David Miller
2007-10-14 9:05 ` KOVACS Krisztian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20071013173611.22517.58118.stgit@nessa.odu \
--to=hidden@sch.bme.hu \
--cc=davem@davemloft.net \
--cc=kaber@trash.net \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).