From: KOVACS Krisztian <hidden@sch.bme.hu>
To: Patrick McHardy <kaber@trash.net>
Cc: netfilter-devel@vger.kernel.org,
Balazs Scheidler <bazsi@balabit.hu>,
Toth Laszlo Attila <panther@balabit.hu>
Subject: Re: [PATCH 11/13] iptables TPROXY target
Date: Mon, 1 Oct 2007 01:06:40 +0200 [thread overview]
Message-ID: <200710010106.40769@nessa> (raw)
In-Reply-To: <470029A1.9000506@trash.net>
Hi Patrick,
On Monday 01 October 2007, Patrick McHardy wrote:
> KOVACS Krisztian wrote:
> > Hi Patrick,
> >
> > On Monday 01 October 2007, Patrick McHardy wrote:
> >> KOVACS Krisztian wrote:
> >>> The TPROXY target implements redirection of non-local TCP/UDP
> >>> traffic to local sockets. Additionally, it's possible to manipulate
> >>> the packet mark if and only if a socket has been found. (We need
> >>> this because we cannot use multiple targets in the same iptables
> >>> rule.)
> >>>
> >>> Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
> >>> ---
> >>> +++ b/include/linux/netfilter_ipv4/ipt_TPROXY.h
> >>> @@ -0,0 +1,14 @@
> >>> +#ifndef _IPT_TPROXY_H_target
> >>> +#define _IPT_TPROXY_H_target
> >>> +
> >>> +/* TPROXY target is capable of marking the packet to perform
> >>> + * redirection. We can get rid of that whenever we get support for
> >>> + * mutliple targets in the same rule. */
> >>> +struct ipt_tproxy_target_info {
> >>> + __be32 laddr;
> >>> + __be16 lport;
> >>> + unsigned long mark_mask;
> >>> + unsigned long mark_value;
> >>
> >> This should use fixed size types.
> >
> > Yes, but marks are unsigned longs, aren't they? So if we restrict
> > this to say 32bit then we lose the ability to use the upper half of
> > the mark...
>
> No, marks are 32 bit for a long time now. The unsigned longs in
> the mark target and matches are just there for compatiblity.
Indeed, I must have missed this. Obviously if this is the case then we
don't need all this cruft and can simply use 32 bit mark fields (and the
reordered info structure Jan suggested.)
> (BTW, going to sleep now, will continue tommorrow)
OK, me too. :)
--
KOVACS Krisztian
next prev parent reply other threads:[~2007-09-30 23:06 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-09-30 20:51 [PATCH 00/13] Transparent Proxying Patches, Take 3 KOVACS Krisztian
2007-09-30 20:51 ` [PATCH 01/13] Loosen source address check on IPv4 output KOVACS Krisztian
2007-09-30 22:12 ` Patrick McHardy
2007-09-30 20:52 ` [PATCH 02/13] Implement IP_TRANSPARENT socket option KOVACS Krisztian
2007-09-30 22:12 ` Patrick McHardy
2007-09-30 20:52 ` [PATCH 03/13] Allow binding to non-local addresses if IP_TRANSPARENT is set KOVACS Krisztian
2007-09-30 22:12 ` Patrick McHardy
2007-09-30 20:52 ` [PATCH 04/13] Conditionally enable transparent flow flag when connecting KOVACS Krisztian
2007-09-30 20:52 ` [PATCH 05/13] Handle TCP SYN+ACK/ACK/RST transparency KOVACS Krisztian
2007-09-30 21:45 ` Jan Engelhardt
2007-09-30 21:46 ` Jan Engelhardt
2007-09-30 21:59 ` KOVACS Krisztian
2007-09-30 22:02 ` Jan Engelhardt
2007-09-30 21:58 ` KOVACS Krisztian
2007-09-30 22:23 ` Patrick McHardy
2007-10-01 19:27 ` KOVACS Krisztian
2007-09-30 20:52 ` [PATCH 06/13] Port redirection support for TCP KOVACS Krisztian
2007-09-30 22:26 ` Patrick McHardy
2007-09-30 22:49 ` KOVACS Krisztian
2007-10-01 14:09 ` Patrick McHardy
2007-10-01 14:24 ` KOVACS Krisztian
2007-09-30 20:52 ` [PATCH 07/13] Export UDP socket lookup function KOVACS Krisztian
2007-09-30 20:53 ` [PATCH 08/13] Split Netfilter IPv4 defragmentation into a separate module KOVACS Krisztian
2007-09-30 22:35 ` Patrick McHardy
2007-09-30 20:53 ` [PATCH 09/13] iptables tproxy core KOVACS Krisztian
2007-09-30 22:37 ` Patrick McHardy
2007-09-30 20:53 ` [PATCH 10/13] iptables socket match KOVACS Krisztian
2007-09-30 21:43 ` Jan Engelhardt
2007-09-30 22:15 ` [PATCH 10/13] xt_socket Jan Engelhardt
2007-09-30 20:53 ` [PATCH 11/13] iptables TPROXY target KOVACS Krisztian
2007-09-30 21:40 ` [PATCH 11/13] xtables " Jan Engelhardt
2007-09-30 22:07 ` KOVACS Krisztian
2007-09-30 22:20 ` [PATCH 11/13] xt_TPROXY Jan Engelhardt
2007-09-30 23:04 ` KOVACS Krisztian
2007-09-30 22:43 ` [PATCH 11/13] iptables TPROXY target Patrick McHardy
2007-09-30 22:50 ` Jan Engelhardt
2007-09-30 22:51 ` KOVACS Krisztian
2007-09-30 22:56 ` Patrick McHardy
2007-09-30 23:06 ` KOVACS Krisztian [this message]
2007-09-30 22:57 ` Jan Engelhardt
2007-10-01 14:11 ` Patrick McHardy
2007-09-30 20:53 ` [PATCH 12/13] Don't lookup the socket if there's a socket attached to the skb KOVACS Krisztian
2007-09-30 20:53 ` [PATCH 13/13] " KOVACS Krisztian
2007-09-30 22:01 ` [PATCH 00/13] Transparent Proxying Patches, Take 3 Patrick McHardy
2007-09-30 22:13 ` KOVACS Krisztian
-- strict thread matches above, loose matches on Subject: below --
2007-10-02 20:39 [PATCH 00/13] Transparent Proxying Patches, Take 4 KOVACS Krisztian
2007-10-02 20:45 ` [PATCH 11/13] iptables TPROXY target KOVACS Krisztian
2007-10-08 8:34 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200710010106.40769@nessa \
--to=hidden@sch.bme.hu \
--cc=bazsi@balabit.hu \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=panther@balabit.hu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).