On Tue, Jun 04, 2002 at 04:50:36PM +0200, Balazs Scheidler wrote:
> Hi,
>
> Suppose you have a TCP session, which is transparently redirected to a local
> proxy. With the current state of the tproxy framework one needs to add two
> rules to iptables:
>
> - one to the tproxy table to actually redirect a session
> - one to the filter table to let the NATed traffic enter the local stack (in
>   INPUT)
>
> I'd like to make tproxies easier to administer, so I'm thinking about a
> simple way of matching tproxied packets, which can be ACCEPTed from the
> INPUT chain.
>
> Possible solutions:
>
> * use a new state (called TPROXY), which would be applied to all TPROXYed
>   packets (might interact badly with nat/conntrack).

Yes, and it is not really a state.

> * have the tproxy framework mark all packets with an fwmark, and let the
>   packets in based on the value of fwmark

fwmark should only be used as configured by the administrator.

> * have a separate match (called tproxy), which matches tproxied sessions
>   based on some value stored in the associated conntrack entry

This is the preferred solution from my point of view.

> Bazsi

-- 
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)