* [PATCH 0/2] TProxy: socket match: transparent option, removed nf_conntrack dependency
@ 2009-04-24 13:26 Laszlo Attila Toth
From: Laszlo Attila Toth @ 2009-04-24 13:26 UTC
To: Netfilter Developer Mailing List, Patrick McHardy
Hi Patrick,
we added a missing feature to the socket match so that it can check the
'transparent' member of the socket structure. The original behaviour
was that all of the sockets matched if they weren't listening on the
0.0.0.0 IP address, even if they were unrelated to TProxy, such as
ssh or other servers.
The IP_TRANSPARENT socket option is always set for the sockets using
TProxy, thus the following patch allows matching only these:
iptables ... -m socket --transparent ...
When I tested the new option, I found that NETFILTER_TPROXY depends on
NF_CONNTRACK, which is unwanted; it works without it.
--
Panther
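The ruleset below is an added example, not part of the patch series or of the netfilter project's own documentation. It shows where the new `-m socket --transparent` match sits in a typical TProxy setup: packets belonging to an existing socket are diverted only if that socket has IP_TRANSPARENT set, so an unrelated local service (ssh, for instance) no longer matches. The proxy port (3128), the fwmark (0x1) and the routing table number (100) are assumptions chosen for illustration; the script prints the commands by default and only applies them when TPROXY_APPLY=1 is set, since they need root and the TPROXY target.

```shell
#!/bin/sh
# Added example, not code from the patch or the netfilter project.
# Generates (and optionally applies) a TProxy ruleset that uses the
# "-m socket --transparent" match from the patch.

TPROXY_PORT=${TPROXY_PORT:-3128}   # assumed listening port of the transparent proxy
TPROXY_MARK=${TPROXY_MARK:-0x1}    # assumed fwmark used to steer packets to lo
TPROXY_TABLE=${TPROXY_TABLE:-100}  # assumed policy-routing table number

# Print the ruleset instead of executing it, so it can be reviewed first.
tproxy_ruleset() {
    cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $TPROXY_MARK
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket --transparent -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark $TPROXY_MARK/$TPROXY_MARK --on-port $TPROXY_PORT
ip rule add fwmark $TPROXY_MARK lookup $TPROXY_TABLE
ip route add local 0.0.0.0/0 dev lo table $TPROXY_TABLE
EOF
}

# Number of rules that rely on the new --transparent option.
count_transparent_rules() {
    tproxy_ruleset | grep -c -- '-m socket --transparent'
}

# The DIVERT rule must precede the TPROXY rule so that packets of an
# already established transparent socket are steered to it instead of
# being redirected again; returns 0 when the ordering is correct.
check_rule_order() {
    _divert=$(tproxy_ruleset | grep -n -- '-m socket --transparent' | cut -d: -f1)
    _tproxy=$(tproxy_ruleset | grep -n -- '-j TPROXY' | cut -d: -f1)
    [ "$_divert" -lt "$_tproxy" ]
}

# Apply the rules (needs root, xt_socket and xt_TPROXY); stop on first error.
tproxy_apply() {
    tproxy_ruleset | sh -e
}

if [ "${TPROXY_APPLY:-0}" = 1 ]; then
    tproxy_apply
else
    tproxy_ruleset
fi
```

The order matters: the `-m socket --transparent -j DIVERT` rule is evaluated before the `-j TPROXY` rule, so packets of connections the proxy already owns are marked and routed to loopback, while new connections are redirected to the proxy. Without `--transparent`, the first rule would also catch packets for any other non-wildcard local socket.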