Hi Krisztian!

On Wed, Jan 03, 2007 at 05:33:57PM +0100, KOVACS Krisztian wrote:
> So instead of using NAT to dynamically redirect traffic to local
> addresses, we now rely on "native" non-locally-bound sockets and do
> early socket lookups for inbound IPv4 packets. 

It's good to see a solid implementation of this 'old idea'.  

Just as a quick historical note to netdev: this is the way the
netfilter project advised the balabit guys to implement fully
transparent proxy support, after having seen the complexity of the old
nat-based TPROXY patches.

So I personally support this patchset and vote for it to be included
(with whatever modifications netdev deems appropriate)

It might be that there now is the experimental netchannels system which
might provide an even better way for transparent proxy support.

However, ever since ip_tables was merged in the 2.3.x days, we have
lacked good support for transparent proxies.  Now that the first
incarnation of the NAT based TPROXY patch for 2.4.x had to be developed
and maintained out-of-tree for many years, I definitely think it's
better to merge the new, way less intrusive, patchset.  

Some interested party can work on a netchannels implementation later on,
but that's the next generation...

Cheers,
-- 
- Harald Welte <[EMAIL PROTECTED]>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie
