[PATCH/RFC 00/10] Transparent proxying patches version 4
Harald Welte
laforge at netfilter.org
Sun Jan 7 15:11:34 CET 2007
Hi Krisztian!
On Wed, Jan 03, 2007 at 05:33:57PM +0100, KOVACS Krisztian wrote:
> So instead of using NAT to dynamically redirect traffic to local
> addresses, we now rely on "native" non-locally-bound sockets and do
> early socket lookups for inbound IPv4 packets.
It's good to see a solid implementation of this 'old idea'.
Just as a quick historical note to netdev: This is the way how the
netfilter project advised the balabit guys to implement fully
transparent proxy support, after having seen the complexity of the old
nat-based TPROXY patches.
So I personally support this patchset and vote for it to be included
(with whatever modifications netdev deems apropriate)
It might be that there now is the experimental netchannels system which
might provide an even better way for transparent proxy support.
However, ever since ip_tables was merged in the 2.3.x days, we have
lacked good support for transparent proxies. Now that the first
incarnation of the NAT based TPROXY patch for 2.4.x had to be developed
and maintained out-of-tree for many years, I definitely think it's
better to merge the new, way less intrusive, patchset.
Some interested party can work on a netchannels implementation later on,
but that's the next generation...
Cheers,
--
- Harald Welte <laforge at netfilter.org> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : /pipermail/netfilter-devel/attachments/20070107/a512bf29/attachment.pgp
More information about the netfilter-devel
mailing list