* Transparent Proxying
@ 2004-08-04  3:27 Herbert Xu
  2004-08-04  5:07 ` Herbert Xu
  2004-08-11 20:31 ` nick black
  0 siblings, 2 replies; 3+ messages in thread
From: Herbert Xu @ 2004-08-04  3:27 UTC (permalink / raw)
  To: David S. Miller, netdev

Hi Dave:

I need to implement a semi-transparent TCP proxy for work.  The requirement
is that it'll intercept all TCP connections passing through and redirect
them to a local port.  Once there the connection will be forwarded through
a non-TCP protocol (that's why it's only semi-transparent, in fact it's
only a half-TCP proxy :)

Redirecting is easy through the REDIRECT netfilter target.  But the tricky
bit is getting the original destination address so that we can forward this
information to our peer who will turn the connection back into TCP.  Since
this proxy has to be completely generic it cannot rely on ULP-specific
information to deduce the destination address.

I looked around and found the TPROXY patch which is part of pom-ng.
It is capable of providing the information I need via a getsockopt()
call.

The only catch is that you seem to have some objections to it :)

So I'd like to know your objections against the patch and how they
might be overcome.  If you know another way of getting the destination
information then that would be good too (apart from the obvious one
of parsing /proc/net/ip_conntrack :)

Thanks in advance,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* Re: Transparent Proxying
  2004-08-04  3:27 Transparent Proxying Herbert Xu
@ 2004-08-04  5:07 ` Herbert Xu
  2004-08-11 20:31 ` nick black
  1 sibling, 0 replies; 3+ messages in thread
From: Herbert Xu @ 2004-08-04  5:07 UTC (permalink / raw)
  To: David S. Miller, netdev

On Wed, Aug 04, 2004 at 01:27:56PM +1000, herbert wrote:
>
> might be overcome.  If you know another way of getting the destination
> information then that would be good to (apart from the obvious one
> of parsing /proc/net/ip_conntrack :)

Never mind, I somehow missed getorigdst in ip_conntrack_core.c which
does exactly what I want.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* Re: Transparent Proxying
  2004-08-04  3:27 Transparent Proxying Herbert Xu
  2004-08-04  5:07 ` Herbert Xu
@ 2004-08-11 20:31 ` nick black
  1 sibling, 0 replies; 3+ messages in thread
From: nick black @ 2004-08-11 20:31 UTC (permalink / raw)
  To: netdev

On 2004-08-04, Herbert Xu <herbert@gondor.apana.org.au> wrote:
> I looked around and found the TPROXY patch which is part of pom-ng.
> It is capable of providing the information I need via a getsockopt()
> call.

I had to do something similar recently.  While the entirety of TPROXY
has not been accepted from what I could tell (particularly non-local
binding supplying a routing context), the SO_ORIGINAL_DST sockopt
referenced while searching for it works under at least late 2.4:

#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/netfilter_ipv4.h>	/* SO_ORIGINAL_DST */

/* accepted_sd is the socket returned by accept() on the REDIRECT port */
struct sockaddr_in daddr;
socklen_t slen;

memset(&daddr,0,sizeof(daddr));
daddr.sin_family = AF_INET;
slen = sizeof(daddr);
/* on success daddr holds the pre-NAT destination (sin_addr, sin_port) */
if(getsockopt(accepted_sd,SOL_IP,SO_ORIGINAL_DST,&daddr,&slen)){
	close(accepted_sd);
	return -1;
}

-- 
nick black                  "np:  the class of dashed hopes and idle dreams."
free hearts, free foreheads -- you and i are old; old age hath yet his honour
and his toil; death closes all: but something ere the end, some work of noble
note, may yet be done, not unbecoming men that strove with gods.   (tennyson)
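Putting the thread's technique together (REDIRECT plus the SO_ORIGINAL_DST
getsockopt), here is an added C example that is not code from either poster:
it wraps the call with the checks a proxy wants before trusting the answer and
renders the result for the non-TCP hop to the peer. SO_ORIGINAL_DST, SOL_IP
and the REDIRECT rule are real; the function names and port 8080 are assumed.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <netinet/in.h>
#ifdef __has_include
# if __has_include(<linux/netfilter_ipv4.h>)
#  include <linux/netfilter_ipv4.h>      /* defines SO_ORIGINAL_DST */
# endif
#endif
#ifndef SO_ORIGINAL_DST
# define SO_ORIGINAL_DST 80              /* value from linux/netfilter_ipv4.h */
#endif
#ifndef SOL_IP
# define SOL_IP IPPROTO_IP
#endif

/* Assumed rule on the box: iptables -t nat -A PREROUTING -p tcp
 * -j REDIRECT --to-ports 8080, with the proxy listening on 8080.
 * Recover the pre-REDIRECT destination of an accepted connection.
 * Returns 0 and fills *dst, or -1 with errno set (e.g. EBADF for a bad
 * fd, ENOENT when conntrack has no entry for the flow). */
int original_dst(int accepted_sd, struct sockaddr_in *dst)
{
    socklen_t slen = sizeof(*dst);
    memset(dst, 0, sizeof(*dst));
    dst->sin_family = AF_INET;
    if (getsockopt(accepted_sd, SOL_IP, SO_ORIGINAL_DST, dst, &slen) != 0)
        return -1;
    /* Do not trust a short or non-IPv4 answer: the peer would get junk. */
    if (slen != sizeof(*dst) || dst->sin_family != AF_INET) {
        errno = EAFNOSUPPORT;
        return -1;
    }
    return 0;
}

/* Render "a.b.c.d:port" for the non-TCP hop to the peer.
 * Returns the string length, or -1 if buf is too small. */
int format_dst(const struct sockaddr_in *dst, char *buf, size_t len)
{
    char ip[INET_ADDRSTRLEN];
    int n;
    if (!inet_ntop(AF_INET, &dst->sin_addr, ip, sizeof(ip)))
        return -1;
    n = snprintf(buf, len, "%s:%u", ip, (unsigned)ntohs(dst->sin_port));
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}
```

In the accept loop, a -1 from original_dst() means the flow has no usable
original destination and should be closed rather than forwarded blind.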
