From: Brian Haley <brian.haley@hp.com>
To: Balazs Scheidler <bazsi@balabit.hu>
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH 13/13] TProxy: use the interface primary IP address as a default value for --on-ip
Date: Tue, 22 Sep 2009 10:17:19 -0400
Message-ID: <4AB8DC6F.90602@hp.com>
In-Reply-To: <1253601509.6883.5.camel@bzorp.balabit>

Balazs Scheidler wrote:
> On Mon, 2009-09-21 at 14:00 -0400, Brian Haley wrote:
>> Balazs Scheidler wrote: 
>>>  #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
>>> +
>>> +static inline const struct in6_addr *
>>> +tproxy_laddr6(struct sk_buff *skb, const struct in6_addr *user_laddr, const struct in6_addr *daddr)
>>> +{
>>> +	struct inet6_dev *indev;
>>> +	struct inet6_ifaddr *ifa;
>>> +	struct in6_addr *laddr;
>>> +	
>>> +        if (!ipv6_addr_any(user_laddr))
>>> +                return user_laddr;
>>> +	
>>> +        laddr = NULL;
>>> +        rcu_read_lock();
>>> +        indev = __in6_dev_get(skb->dev);
>>> +        if (indev && (ifa = indev->addr_list)) {
>>> +		laddr = &ifa->addr;
>>> +	}
>>> +        rcu_read_unlock();
>>> +        
>>> +        return laddr ? laddr : daddr;
>>> +}
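Review bot: the pointer assigned by `laddr = &ifa->addr` is handed back to the caller after `rcu_read_unlock()`, so the reference into the `inet6_ifaddr` escapes the RCU read-side critical section and can be dereferenced after the address has been removed and freed; no reference is taken on `ifa` either. Copy the chosen address into caller-owned storage (a `struct in6_addr` passed in by pointer) before dropping the read lock, which means the function can no longer return a pointer into the interface's list. Separately, taking `indev->addr_list` unconditionally picks whatever entry is first, which may still be tentative (DAD not finished or failed) or deprecated; `ipv6_dev_get_saddr()` already filters those out, as the reply suggests. Style: the body mixes tab indentation (the declarations) with 8-space indentation (the `if` and `laddr =` lines), and the assignment buried in `if (indev && (ifa = indev->addr_list))` would read better as a separate statement.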
>> You should call ipv6_dev_get_saddr() to get a source address based on the target
>> destination address.
> 
> Thanks for this hint, however this is not selecting a source address for
> a given destination, rather it selects the address where tproxy is
> redirecting the connection in case the user specified no --on-ip
> parameter.
> 
> e.g. 
> 
> ip6tables -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port 50080
> 
> This should redirect the connection to the primary IP address of the
> incoming interface. In fact I spent 2 hours figuring out how to find
> the proper address, and in the end I used the first IP address
> configured on the interface, seeing that those addresses are sorted in
> 'scope' order, e.g. link-local and site-local addresses are at the end
> of the list, thus the front should be ok.

Yes, the addresses are sorted by scope, but just because they're in the
list doesn't mean they can be used, for example that address might have
failed DAD or be Deprecated.  ipv6_dev_get_saddr() will follow the rules
from RFC 3484 in picking the best address to use, or none if there isn't
anything appropriate.

> Since I'm not that much into IPv6, I'd appreciate some help, is
> ipv6_dev_get_saddr(client_ip_address) indeed the best solution here?

Probably.  An alternative might be to use ip6_dst_lookup() (see tcp_v6_connect()),
but a lot more code for you.

-Brian
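The objection above (the head of the address list can be tentative or deprecated, and the usable address depends on the destination's scope) is easier to see with a small user-space sketch of RFC 3484 source address selection. This is an added example, not code from the patch, the thread or the kernel: the candidate list, the `ADDR_TENTATIVE`/`ADDR_DEPRECATED` flags and the `select_source()`/`choose_for()` helpers are constructed here as assumptions, and the kernel's `ipv6_dev_get_saddr()` applies more rules than the four implemented below.

```c
/* Added example: simplified RFC 3484 source address selection in user space.
 * Not the kernel's code; the list, flags and helper names are assumptions. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Simplified stand-ins for the kernel's ifaddr state flags. */
#define ADDR_TENTATIVE  0x01   /* DAD still running or failed: must not be used */
#define ADDR_DEPRECATED 0x02   /* still valid, but avoid for new connections */

struct candidate {
    struct in6_addr addr;
    int flags;
};

/* Unicast scope, RFC 3484 section 3.1 simplified: link-local (1) <
 * site-local / ULA (2) < global (3); a larger number is a wider scope. */
static int addr_scope(const struct in6_addr *a)
{
    if (a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0xc0) == 0x80) return 1; /* fe80::/10 */
    if (a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0xc0) == 0xc0) return 2; /* fec0::/10 */
    if ((a->s6_addr[0] & 0xfe) == 0xfc) return 2;                          /* fc00::/7 */
    return 3;
}

/* Number of leading bits that a and b have in common (rule 8 input). */
static int common_prefix_len(const struct in6_addr *a, const struct in6_addr *b)
{
    int bits = 0;
    for (int i = 0; i < 16; i++) {
        uint8_t x = a->s6_addr[i] ^ b->s6_addr[i];
        if (x == 0) { bits += 8; continue; }
        while (!(x & 0x80)) { bits++; x <<= 1; }
        break;
    }
    return bits;
}

/* Pick a source for dst from list[0..n). Returns the chosen index, or -1 when
 * nothing usable exists. Rules, in order: skip tentative (DAD); prefer an
 * appropriate scope (>= destination scope, then the smallest such); prefer
 * non-deprecated; prefer the longest matching prefix. */
int select_source(const struct candidate *list, int n, const struct in6_addr *dst)
{
    int best = -1, dscope = addr_scope(dst);
    for (int i = 0; i < n; i++) {
        const struct candidate *c = &list[i];
        if (c->flags & ADDR_TENTATIVE) continue;        /* never use an address that failed/awaits DAD */
        if (best < 0) { best = i; continue; }
        const struct candidate *b = &list[best];
        int cs = addr_scope(&c->addr), bs = addr_scope(&b->addr);
        int c_ok = cs >= dscope, b_ok = bs >= dscope;   /* rule 2: appropriate scope */
        if (c_ok != b_ok) { if (c_ok) best = i; continue; }
        if (cs != bs) { if (c_ok ? cs < bs : cs > bs) best = i; continue; }
        int c_dep = c->flags & ADDR_DEPRECATED, b_dep = b->flags & ADDR_DEPRECATED;
        if (c_dep != b_dep) { if (!c_dep) best = i; continue; }   /* rule 3: avoid deprecated */
        if (common_prefix_len(&c->addr, dst) > common_prefix_len(&b->addr, dst))
            best = i;                                     /* rule 8: longest matching prefix */
    }
    return best;
}

/* Constructed sample of what an interface's address list might hold; the
 * first entry is exactly the case the thread warns about. */
static int build_sample(struct candidate *list)
{
    static const struct { const char *s; int flags; } sample[] = {
        { "2001:db8:1::1", ADDR_TENTATIVE },   /* head of the list, DAD not finished */
        { "2001:db8:1::2", ADDR_DEPRECATED },
        { "2001:db8:2::3", 0 },
        { "fe80::1",       0 },
        { "2001:db8:3::4", 0 },
    };
    int n = (int)(sizeof sample / sizeof sample[0]);
    for (int i = 0; i < n; i++) {
        inet_pton(AF_INET6, sample[i].s, &list[i].addr);
        list[i].flags = sample[i].flags;
    }
    return n;
}

/* Index chosen from the sample list for a textual destination address. */
int choose_for(const char *dst_str)
{
    struct candidate list[8];
    struct in6_addr dst;
    int n = build_sample(list);
    inet_pton(AF_INET6, dst_str, &dst);
    return select_source(list, n, &dst);
}

int main(void)
{
    printf("global dst -> index %d, link-local dst -> index %d\n",
           choose_for("2001:db8:1::99"), choose_for("fe80::5"));
    return 0;
}
```

For a global destination the sketch skips the tentative head of the list and the deprecated entry and lands on index 2; for a link-local destination it prefers the link-local address (index 3) even though it sorts last; for a destination under 2001:db8:3::/48 the prefix rule selects index 4. None of these is the list's first entry, which is the point of the reply.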

Thread overview: 6+ messages
2009-09-21 14:46 [PATCH 13/13] TProxy: use the interface primary IP address as a default value for --on-ip Balazs Scheidler
2009-09-21 18:00 ` Brian Haley
2009-09-22  6:38   ` Balazs Scheidler
2009-09-22 14:17     ` Brian Haley [this message]
2009-09-25 18:07       ` Balazs Scheidler
2009-09-28 16:16         ` Brian Haley