Hi,
On Mon, Sep 03, 2001 at 04:16:21PM +0300, Nadav Har'El wrote:
> On Mon, Sep 03, 2001, Andrey Savochkin wrote about "Re: Transparent proxy support in 2.4 - revisited":
> > In 2.2 kernel you also needed to configure which incoming packets you want to
> > handle locally.
>
> If I remember correctly, no such configuration was needed if the
> CONFIG_IP_TRANSPARENT_PROXY compilation flag was enabled. As I understand from
> a cursory examination of the 2.2 source, Whenever packets were received and
> were not meant for the local address, a check would be made if they meant for
> one of the transparent-proxied connections (i.e., connections whose local
> endpoint isn't local).
I don't remember for sure, but packet processing layering suggests that you
still needed to do something. Otherwise the packet will be forwarded on the
routing level and will never reach socket layer.
So, ipchains rule was still necessary.
The really difference of 2.2 was amasingly complex socket lookup procedure
with CONFIG_IP_TRANSPARENT_PROXY turned on.
> This is the kind of thing I need in Linux 2.4 too.
> I'm still puzzled by the fact that this support simply disappeared between
> 2.2 and 2.4, and nobody seems to know why (or people who know why don't
> reply).
It had been broken in 2.2 for months and nobody repaired it => nobody needed
it. I don't know, whether it works now or not.
The implementation was crooked, difficult to understand and maintain...
> > If you want to handle locally all packets destined to a specific IP address,
> > just add local route.
> > If you want some complex matching rules, check iptables, there was something
> > about "redirects" there.
>
> Remember that the reverse proxy machine, the one faking connections with an
> adjacent server (as if they are coming from the actual clients) also serves
> as the the gateway for that server and needs to forward packets for it.
How are you going to determine whether the packet is destined to you or two
the real server?
That's the main question.
> So I can't redirect *all* packets to local sockets, yet I also can't pick
> specific IP addresses to redirect (unless I write some sort of hack to
> modify the iptables tables dynamically as new non-local bind()s happen).
> Not to mention that the standard redirect, which also rewrites the destination
> address on the packet (if I remember correctly), isn't quite what I need when
If it's true, the redirecting module is the place to change the policy to what
you need.
If the module always rewrites the destination IP address, and it can't be
turned off, it's certainly a misfeature.
Make it conditional, or just make a quick hack for yourself, or copy the
existing redirect module, fix it and use the new module.
> I already have a socket bound to a non-local address.
Best regards
Andrey
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Fri Sep 07 2001 - 21:00:18 EST