* Re-route non-http traffic
From: Robert Pipca @ 2010-11-01 2:51 UTC (permalink / raw)
To: netfilter
Hi,

I'm using squid as a webcache in bridge-mode.

I use ebtables on tcp/80 to get the http traffic.

The thing is: this is an ISP, so some clients are companies that use
tcp/80 for non-http traffic (proprietary protocols mostly, e.g.
biometric identification machines at a medical institution, for
instance).

So my question is: Since I can know what's the dst IP when the
connection arrives on netfilter, can I do something like:

"redirect this to the squid port, but save the destination IP".

If squid sees this is not http-traffic, it sends the connection to _that_
saved destination IP...and everybody is happy.

Is it possible currently? Or is some coding necessary? We can help with that..

Please cc me on replies, please.

Thanks!

- Robert
* Re: Re-route non-http traffic
From: Amos Jeffries @ 2010-11-01 5:39 UTC (permalink / raw)
To: Robert Pipca; +Cc: netfilter
On 01/11/10 15:51, Robert Pipca wrote:
> Hi,
>
> I'm using squid as a webcache in bridge-mode.
>
> I use ebtables on tcp/80 to get the http traffic.
>
> The thing is: this is an ISP, so some clients are companies that use
> tcp/80 for non-http traffic (proprietary protocols mostly, e.g.
> biometric identification machines at a medical institution, for
> instance).
>
> So my question is: Since I can know what's the dst IP when the
> connection arrives on netfilter, can I do something like:
>
> "redirect this to the squid port, but save the destination IP".
>
> If squid sees this is not http-traffic, it sends the connection to _that_
> saved destination IP...and everybody is happy.
>
> Is it possible currently? Or is some coding necessary? We can help with that..
>

That is not possible at all. No "currently" about it.

You have to detect and bypass the connections before attempting to
redirect to Squid. Once the first identifiable byte of non-HTTP hits
Squid, the TCP setup packets are already long gone. Depending on the data,
up to 64KB may also have already flowed through the connection.

AYJ
* Re: Re-route non-http traffic
From: Grant Taylor @ 2010-11-01 15:03 UTC (permalink / raw)
To: Mail List - Netfilter; +Cc: robertpipca
On 10/31/10 21:51, Robert Pipca wrote:
> If squid sees this is not http-traffic, it sends the connection to
> _that_ saved destination IP...and everybody is happy.
>
> Is it possible currently? Or is some coding necessary? We can help
> with that..
Can you not exclude specific destination IPs from the redirection to
Squid (before the redirect even happens)?
Grant. . . .
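
Both replies in this thread point at the same fix: take the known non-HTTP destinations out of the path before the redirect to Squid happens. As an added example (not code from the thread), the script below prints such a rule set with the bypass rules ahead of the redirect; the bridge name `br0`, the Squid port 3128, the brouter rule form and the sample addresses are assumptions, not values from the posts.

```sh
#!/bin/sh
# Added example (not from the thread): print, without applying, a rule set
# that bypasses known non-HTTP destinations BEFORE the tcp/80 redirect.
# Assumptions: bridge br0, Squid intercept port 3128, common brouter rules.
BRIDGE_IF="${BRIDGE_IF:-br0}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255,
# so nothing but an address can end up inside a generated command line.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1
            exit 0
        }
        { exit 1 }'
}

# emit_rules DST...  prints one command per line, in the order to apply them.
emit_rules() {
    for dst in "$@"; do
        valid_ipv4 "$dst" || { echo "invalid bypass address: $dst" >&2; return 1; }
    done
    # 1. Bypass rules first. In BROUTING, ACCEPT means "bridge this frame",
    #    so it is never handed to the local stack. The iptables rule covers
    #    hosts where bridged frames also traverse iptables
    #    (net.bridge.bridge-nf-call-iptables=1).
    for dst in "$@"; do
        echo "ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination $dst --ip-destination-port 80 -j ACCEPT"
        echo "iptables -t nat -A PREROUTING -i $BRIDGE_IF -p tcp -d $dst --dport 80 -j ACCEPT"
    done
    # 2. Only then the catch-all redirect of the remaining tcp/80 to Squid.
    echo "ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT"
    echo "iptables -t nat -A PREROUTING -i $BRIDGE_IF -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
}

# Usage: sh squid-bypass.sh 192.0.2.10 198.51.100.7   (constructed addresses)
if [ "$#" -gt 0 ]; then
    emit_rules "$@"
fi
```

The commands use `-A`, so they assume an empty ruleset; where a redirect rule is already loaded, the bypass rules have to be inserted ahead of it instead.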