Re: Transparent proxy support in 2.4 - revisited

From: Andrey Savochkin (saw@saw.sw.com.sg)
Date: Mon Sep 03 2001 - 05:44:42 EST


Hi,

On Mon, Sep 03, 2001 at 01:12:40PM +0300, Nadav Har'El wrote:
> A few months ago, I asked on this list why the transparent proxy feature
> (CONFIG_IP_TRANSPARENT_PROXY) that was supported in Linux 2.2 is no longer
> supported in Linux 2.4:
>
[snip]
> Andrey Savochkin wrote a useful reply, on how to make connect() work:
>
> > To make a custom kernel where you can use non-local addresses more freely,
> > find source address checks in ip_route_output_slow() and get rid of all of
> > them except considering
> > MULTICAST(saddr) || BADCLASS(saddr) || ZERONET(saddr) ||
> > saddr == htonl(INADDR_BROADCAST)
> > as invalid.
>
> I did that, and indeed now connect() works, and sends out (when considering
> TCP) the appropriate SYN packet.
>
> Unfortunately, that's not enough. When the return SYN-ACK packet carrying a
> non-local destination address is received (in practice, the transparent
> proxy machine is acting as a default gateway to the other machine), this
> packet is either ignored or forwarded out (depending on ip_forward), but is
> never accepted as a local packet and transferred to the appropriate socket
> as it should be.

Right.
In the 2.2 kernel you also needed to configure which incoming packets you
want to handle locally.

If you want to handle locally all packets destined to a specific IP address,
just add a local route.
If you want some complex matching rules, check iptables; there was something
about "redirects" there. Alternatively, you may set up policy routing, but
it'll be considerably more difficult.

You seemed to start to solve your problems from the wrong end.
First of all, decide how to handle incoming packets.
Then consider outgoing.

        Andrey
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
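The three options Andrey lists (a local route, an iptables REDIRECT, and policy routing), written out as an added example that is not part of the original thread or of either author's setup. The interface names, prefix 192.0.2.0/24, ports 80 and 3128, mark 1 and table 100 are assumptions chosen for illustration; the script defaults to DRY_RUN=1 and only prints the commands, so it can be read without root or changing a live box.

```shell
#!/bin/sh
# Added example (not from the original thread): three ways to make a 2.4
# box accept packets addressed to a non-local IP as local traffic.
# DRY_RUN=1 (the default) prints the commands instead of running them.
# All addresses, interfaces, ports, the mark and the table number below
# are assumptions for illustration.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Coarse: a local-type route delivers every packet destined to PREFIX to
#    this host, whatever ip_forward says. PREFIX is the set of addresses the
#    proxy impersonates (the clients behind it), so the returning SYN-ACKs
#    land in the local socket. Caveat: *all* traffic to PREFIX is swallowed,
#    not just the proxied connections.
setup_local_route() {
    prefix="$1"
    run ip route add local "$prefix" dev lo
}

# 2. Classic transparent proxy intercept: client connections to port PORT
#    arriving on IFACE are rewritten (destination only) to a local listener
#    on LPORT. The proxy then sees its own address as the destination and
#    must recover the real one with getsockopt(SO_ORIGINAL_DST).
setup_redirect() {
    iface="$1"; port="$2"; lport="$3"
    run iptables -t nat -A PREROUTING -i "$iface" -p tcp --dport "$port" \
        -j REDIRECT --to-ports "$lport"
}

# 3. Policy routing: mark only the packets you want (here: replies from
#    port SPORT arriving on the upstream interface) in mangle/PREROUTING,
#    which runs before the routing decision, then send marked packets to a
#    table whose only entry is a local route for everything.
setup_policy_routing() {
    iface="$1"; sport="$2"; mark="$3"; table="$4"
    run iptables -t mangle -A PREROUTING -i "$iface" -p tcp --sport "$sport" \
        -j MARK --set-mark "$mark"
    run ip rule add fwmark "$mark" lookup "$table"
    run ip route add local 0.0.0.0/0 dev lo table "$table"
}

# Print (or, with DRY_RUN=0, apply) all three variants.
setup_local_route 192.0.2.0/24
setup_redirect eth1 80 3128
setup_policy_routing eth0 80 1 100
```

Pick one of the three, not all of them: the local route is the simplest but takes every packet to the prefix; REDIRECT solves the usual "client to proxy" direction but does not help with replies to a spoofed source address; the mark plus local route combination is what selects exactly the return packets Nadav describes, at the cost of a rule set that is harder to reason about.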



This archive was generated by hypermail 2b29 : Fri Sep 07 2001 - 21:00:17 EST