What about checking the conn s_addr and the SO_ORIGINAL_DST s_addr, like squid does?

==== squid-2.7.STABLE9 src/client_side.c ====
...
#elif LINUX_NETFILTER
static int
clientNatLookup(ConnStateData * conn)
{
    socklen_t sock_sz = sizeof(conn->me);
    struct in_addr orig_addr = conn->me.sin_addr;
    static time_t last_reported = 0;
    /* If the call fails the address structure will be unchanged */
    if (getsockopt(conn->fd, SOL_IP, SO_ORIGINAL_DST, &conn->me, &sock_sz) != 0) {
        if (squid_curtime - last_reported > 60) {
            debug(50, 1) ("clientNatLookup: NF getsockopt(SO_ORIGINAL_DST) failed: %s\n", xstrerror());
            last_reported = squid_curtime;
        }
        return -1;
    }
    debug(33, 5) ("clientNatLookup: addr = %s", inet_ntoa(conn->me.sin_addr));
    if (orig_addr.s_addr != conn->me.sin_addr.s_addr)
        return 0;
    else
        return -1;
}
...
====
In nginx, it is about $server_addr and the SO_ORIGINAL_DST IP address (needs a patch to get).

huaqiuyu

2013/5/4 Willy Tarreau <w...@1wt.eu>

> On Fri, May 03, 2013 at 10:01:50PM +0800, Jianhua Qin wrote:
> > Thanks for the quick reply. I fixed it by using some iptables rules
> > just as you said.
> > Can it be avoided naturally?
>
> No, because "transparent" is really meant to be used that way. And haproxy
> has no way of knowing that the destination address will point to it, as it
> is supposed to be dealt with by the system.
>
> Willy