> > It doesn't handle currently any of them. Fragmentation can be solved by
> > defragmenting incoming packets. (they are destined to the local ip stack
> > anyway)
>
> Defragmentation is definitely needed for this thing to be used in production.
> For experimentation conntrack can be used to defragment..

In my previous attempts to forward port the transparent proxy features of 2.2, I simply used ip_defrag(skb), which returned non-NULL when a full fragment was reassembled.

> > ICMP can be handled in the prerouting hook looking up possible transparent
> > proxy entries.
>
> Where is the "possible transparent proxy entries" defined? Internally in
> TPROXY, or in the host IP stack socket table?

in TPROXY.

> I guess this would be the rule table telling what should be diverted by
> TPROXY, which from my understanding would be your iptables ruleset...

No. I have

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1