From patchwork Thu Oct 2 09:37:44 2008
X-Patchwork-Submitter: KOVACS Krisztian
X-Patchwork-Id: 2364
Date: Thu, 02 Oct 2008 11:37:44 +0200
From: KOVACS Krisztian
Subject: Re: [RESEND net-next PATCH 16/16] Add documentation
In-reply-to: <20081001092234.a0658f40.randy.dunlap@oracle.com>
To: Randy Dunlap
Cc: David Miller, Patrick McHardy, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Message-id: <1222940264.7058.3.camel@este>
References: <20081001142431.4893.48078.stgit@este> <20081001142431.4893.5367.stgit@este> <20081001092234.a0658f40.randy.dunlap@oracle.com>
X-Mailing-List: netdev@vger.kernel.org

Hi,

On Wed, 2008-10-01 at 09:22 -0700, Randy Dunlap wrote:
> Thanks.
> ---
> ~Randy

Fixed, thanks a lot.

---
Add basic usage instructions to Documentation/networking.
Signed-off-by: KOVACS Krisztian
---
 Documentation/networking/tproxy.txt |   85 +++++++++++++++++++++++++++++++++++
 1 files changed, 85 insertions(+), 0 deletions(-)

diff --git a/Documentation/networking/tproxy.txt b/Documentation/networking/tproxy.txt
new file mode 100644
index 0000000..7b5996d
--- /dev/null
+++ b/Documentation/networking/tproxy.txt
@@ -0,0 +1,85 @@ +Transparent proxy support +========================= + +This feature adds Linux 2.2-like transparent proxy support to current kernels. +To use it, enable NETFILTER_TPROXY, the socket match and the TPROXY target in +your kernel config. You will need policy routing too, so be sure to enable that +as well. + + +1. Making non-local sockets work +================================ + +The idea is that you identify packets with destination address matching a local +socket on your box, set the packet mark to a certain value, and then match on that +value using policy routing to have those packets delivered locally: + +# iptables -t mangle -N DIVERT +# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT +# iptables -t mangle -A DIVERT -j MARK --set-mark 1 +# iptables -t mangle -A DIVERT -j ACCEPT + +# ip rule add fwmark 1 lookup 100 +# ip route add local 0.0.0.0/0 dev lo table 100 + +Because of certain restrictions in the IPv4 routing output code you'll have to +modify your application to allow it to send datagrams _from_ non-local IP +addresses. All you have to do is enable the (SOL_IP, IP_TRANSPARENT) socket +option before calling bind: + +fd = socket(AF_INET, SOCK_STREAM, 0); +/* - 8< -*/ +int value = 1; +setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value)); +/* - 8< -*/ +name.sin_family = AF_INET; +name.sin_port = htons(0xCAFE); +name.sin_addr.s_addr = htonl(0xDEADBEEF); +bind(fd, &name, sizeof(name)); + +A trivial patch for netcat is available here: +http://people.netfilter.org/hidden/tproxy/netcat-ip_transparent-support.patch + + +2. Redirecting traffic +====================== + +Transparent proxying often involves "intercepting" traffic on a router. This is +usually done with the iptables REDIRECT target; however, there are serious +limitations of that method. One of the major issues is that it actually +modifies the packets to change the destination address -- which might not be +acceptable in certain situations. 
(Think of proxying UDP for example: you won't +be able to find out the original destination address. Even in case of TCP +getting the original destination address is racy.) + +The 'TPROXY' target provides similar functionality without relying on NAT. Simply +add rules like this to the iptables ruleset above: + +# iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \ + --tproxy-mark 0x1/0x1 --on-port 50080 + +Note that for this to work you'll have to modify the proxy to enable (SOL_IP, +IP_TRANSPARENT) for the listening socket. + + +3. Iptables extensions +====================== + +To use tproxy you'll need to have the 'socket' and 'TPROXY' modules +compiled for iptables. A patched version of iptables is available +here: http://git.balabit.hu/?p=bazsi/iptables-tproxy.git + + +4. Application support +====================== + +4.1. Squid +---------- + +Squid 3.HEAD has support built-in. To use it, pass +'--enable-linux-netfilter' to configure and set the 'tproxy' option on +the HTTP listener you redirect traffic to with the TPROXY iptables +target. + +For more information please consult the following page on the Squid +wiki: http://wiki.squid-cache.org/Features/Tproxy4
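Review bot: the C fragment in section 1 ("Making non-local sockets work") uses `fd` and `name` without declaring them and calls `bind(fd, &name, sizeof(name))` with a `struct sockaddr_in *` where `bind()` takes `struct sockaddr *`; since readers copy documentation snippets verbatim, add `int fd;` and `struct sockaddr_in name;` above the fragment and write the call as `bind(fd, (struct sockaddr *) &name, sizeof(name));`, and consider checking the return value of `setsockopt()` in the example, because a failed IP_TRANSPARENT call is exactly the error a first-time user will hit. It would also help to state explicitly that the `--tproxy-mark 0x1/0x1` in section 2 is what makes the TPROXY'd packets hit the `ip rule add fwmark 1 lookup 100` rule from section 1; the two sections read as independent recipes, but the second only works because the mark it sets is the one the policy-routing rule of the first matches on.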