netfilter-devel.vger.kernel.org archive mirror
From: Balazs Scheidler <bazsi@balabit.hu>
To: Amos Jeffries <squid3@treenet.co.nz>
Cc: netfilter-devel@vger.kernel.org, tproxy@lists.balabit.hu,
	Harry Mason <harry.mason@smoothwall.net>
Subject: Re: [PATCH 00/11] TProxy for IPv6
Date: Tue, 08 Sep 2009 18:42:26 +0000
Message-ID: <1252435346.32029.44.camel@bzorp.balabit>
In-Reply-To: <4AA0AE8C.30203@treenet.co.nz>

On Fri, 2009-09-04 at 18:07 +1200, Amos Jeffries wrote:
> Balazs Scheidler wrote:
> > [ Sorry if this reaches you twice, I sent to the wrong address the first time ]
> > 
> > I've just pushed a set of patches that implement TProxy for IPv6 to
> > 
> > http://git.balabit.hu/bazsi/tproxy-2.6.git
> > 
> > The patches are also posted in reply to this mail.
> > 
> > Although some work is still needed, basic testing shows that it works all
> > right.  
> > 
> > The accompanying iptables patches are available at
> > 
> > http://git.balabit.hu/bazsi/iptables-tproxy.git
> > 
> > There are some things left to do:
> > 
> >   * the recognition of related ICMPv6 packets is missing (from xt_socket.c)
> > 
> >   * I should probably split xt_TPROXY/xt_socket to IPv4 and IPv6 modules, as
> >     right now those depend on both stacks at the same time.
> > 
> > I'm on a holiday right now, thus I might not respond to comments in a timely
> > manner, however I'm interested in any comments/feedback nevertheless.
> > 
> > Harry, I didn't remember that you actually wanted to work on TProxy for
> > IPv6, I just vaguely remembered that there was someone asking for IPv6
> > support, thus I implemented this without being in the know.  If you started
> > hacking, I hope that we didn't completely duplicate effort.  I'd appreciate
> > help in the missing bits and/or testing whichever fits you best.
> > 
> > Also, I have written a Python test script to test TProxy functionality
> > automatically both for IPv4 and IPv6, I can post that as well if anyone is
> > interested.
> 
> I'm interested :)
> 
> Now that you have done this I'm going to have to find a robust userland 
> run-time test to see if the underlying TPROXY is v4-only or v6-enabled. 
> If anyone has suggestions they would be welcome.
> 
> Thank you very much by the way.

The script I wrote is not a runtime test, it is a functional test that
tests various TPROXY scenarios for proper functionality.

It basically assumes that:
  1) you run it on the 'client' host, and it has ssh connectivity to the
'tproxy' host
  2) it assumes that IP/route configuration is already prepared
  3) it uses hardwired IP addresses, but generates iptables/ip6tables
rules automatically

I used a virtual machine running on my development computer to do the
testing.

IPv6 topology:

dead:1::1/64 is the client
dead:1::2/64 is the proxy box
dead:2::1/64 is the server behind the proxy box

The script basically copies an agent script to the other box
(test-agent.py) and uses that to change iptables config/start listeners
as needed. Then it initiates tcp/udp connections to the target host and
checks if the proper listener received the new connection or a bogus
one.

I'm not that responsive these days, but I'm glad to help.

Last but not least, here's the gitweb interface:

http://git.balabit.hu/?p=bazsi/tproxy-test.git;a=summary

and the git URL

git://git.balabit.hu/bazsi/tproxy-test.git


-- 
Bazsi
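
The rule generation described in this message (hardwired addresses, iptables/ip6tables rules produced automatically), sketched as an added example that is not taken from tproxy-test.git. It uses the IPv6 topology above; the listener port, mark, routing table number and DIVERT chain name are assumptions that follow the usual TPROXY setup.

```python
import ipaddress

# Assumed values, not from the original message: listener port, mark, table.
PROXY_PORT = 50080
FWMARK = "0x1/0x1"
TABLE = "100"

def tproxy_commands(proxy_ip, server_ip, proto="tcp", dport=80):
    """Return argv lists diverting proto traffic for server_ip:dport to a
    transparent listener on proxy_ip, choosing the tools by address family."""
    proxy = ipaddress.ip_address(proxy_ip)
    server = ipaddress.ip_address(server_ip)
    if proxy.version != server.version:
        raise ValueError("proxy and server must be in the same address family")
    if proto not in ("tcp", "udp"):
        raise ValueError("TPROXY handles tcp and udp only")
    v6 = server.version == 6
    ipt = "ip6tables" if v6 else "iptables"
    ip = ["ip", "-6"] if v6 else ["ip"]
    default = "::/0" if v6 else "0.0.0.0/0"
    mangle = [ipt, "-t", "mangle"]
    return [
        # Packets that already match a local socket: mark them and accept.
        mangle + ["-N", "DIVERT"],
        mangle + ["-A", "DIVERT", "-j", "MARK", "--set-mark", "1"],
        mangle + ["-A", "DIVERT", "-j", "ACCEPT"],
        mangle + ["-A", "PREROUTING", "-p", proto, "-m", "socket", "-j", "DIVERT"],
        # New flows towards the server: hand them to the proxy listener.
        mangle + ["-A", "PREROUTING", "-p", proto, "-d", str(server),
                  "--dport", str(dport), "-j", "TPROXY", "--on-ip", str(proxy),
                  "--on-port", str(PROXY_PORT), "--tproxy-mark", FWMARK],
        # Marked packets are routed to local delivery instead of forwarded.
        ip + ["rule", "add", "fwmark", "1", "lookup", TABLE],
        ip + ["route", "add", "local", default, "dev", "lo", "table", TABLE],
    ]

if __name__ == "__main__":
    # Proxy box and server addresses from the IPv6 topology in the message.
    for cmd in tproxy_commands("dead:1::2", "dead:2::1"):
        print(" ".join(cmd))
```

Returning argv lists rather than one shell string keeps the addresses out of shell parsing when the commands are executed on the proxy box.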




Thread overview: 24+ messages
2009-08-26 14:03 [PATCH 00/11] TProxy for IPv6 Balazs Scheidler
2009-08-15  8:00 ` [PATCH 01/11] TProxy: kick out TIME_WAIT sockets in case a new connection comes in with the same tuple Balazs Scheidler
2009-08-15 12:01 ` [PATCH 02/11] TProxy: add lookup type checks for UDP in nf_tproxy_get_sock_v4() Balazs Scheidler
2009-08-23  9:02 ` [PATCH 03/11] TProxy: reuse a 32bit hole in struct ipv6_pinfo Balazs Scheidler
2009-08-29 16:46   ` Jan Engelhardt
2009-08-30  6:56     ` Balazs Scheidler
2009-08-30 10:49       ` Jan Engelhardt
2009-08-31 12:27       ` Patrick McHardy
2009-08-23  9:11 ` [PATCH 04/11] TProxy: split off ipv6 defragmentation to a separate module Balazs Scheidler
2009-08-23  9:16 ` [PATCH 05/11] TProxy: added const specifiers to udp lookup functions Balazs Scheidler
2009-08-23  9:19 ` [PATCH 06/11] TProxy: added udp6_lib_lookup function Balazs Scheidler
2009-08-24 12:47 ` [PATCH 07/11] TProxy: implement IPv6 "local" routing type Balazs Scheidler
2009-08-24 12:48 ` [PATCH 08/11] TProxy: allow non-local binds of IPv6 sockets if IP_TRANSPARENT is enabled Balazs Scheidler
2009-08-24 12:51 ` [PATCH 09/11] TProxy: added IPv6 socket lookup function to nf_tproxy_core Balazs Scheidler
2009-08-24 12:51 ` [PATCH 10/11] TProxy: added IPv6 support to the TPROXY target Balazs Scheidler
2009-08-24 12:52 ` [PATCH 11/11] TProxy: added IPv6 support to the socket match Balazs Scheidler
2009-09-04  6:07 ` [PATCH 00/11] TProxy for IPv6 Amos Jeffries
2009-09-04  9:28   ` Jan Engelhardt
2009-09-14 12:20     ` Amos Jeffries
2009-09-14 12:29       ` Jan Engelhardt
2009-09-15 11:58         ` Amos Jeffries
2009-09-08 18:42   ` Balazs Scheidler [this message]
2009-09-11 12:12     ` Amos Jeffries
     [not found]   ` <1252059564.7452.17.camel@nyarlathotep>
     [not found]     ` <1252435673.32029.45.camel@bzorp.balabit>
2009-09-14  7:41       ` Balazs Scheidler
