[Bug 1295] [PATCH] Transparent proxy support on Linux

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Mar 12 23:39:16 EST 2007


http://bugzilla.mindrot.org/show_bug.cgi?id=1295


dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #1250 is|0                           |1
           obsolete|                            |
------- Comment #4 from dtucker at zip.com.au  2007-03-12 23:39 -------
Created an attachment (id=1251)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1251&action=view)
Move Linux code to port-linux.c, add OpenBSD pf rdr support

I like this idea, and I've extended it a bit:
* added autoconf support
* moved linux/netfilter-specific code into openbsd-compat/port-linux.c
* added support for OpenBSD pf "rdr" rules
* made it easy to add new redirection interfaces.

On OpenBSD, you can use something like the following in pf.conf:

tun_net="192.168.34.0/24"
rdr pass on lo0 proto tcp from any to $tun_net -> 127.0.0.1 port 1080
pass out quick route-to (lo0 127.0.0.1) from any to $tun_net

(the route-to is needed because pf rdr rules don't apply to outbound
packets, so without it you can't redirect locally originated
connections).

For anyone wondering how this compares to the tun(4) interface that's
already there: it's less flexible (TCP only, requires good name
resolution on the client end) but doesn't require privilege on the
server (or anything other than standard port forwarding) and doesn't
suffer from the TCP-over-IP-over-TCP performance potential problems (i.e.
stacked retransmits when the link experiences packet loss).

For the truly twisted: you can also achieve something similar to this
patch *without* special kernel support (other than ppp/slip) if you
build slirp socksified and point it to a DynamicForward.  (I've
actually done this, but it turns out I wasn't the first to think of it.
I dunno if I'm disappointed or relieved :-)
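Added example, not code from attachment 1251 or from the comment above: the Linux half of what a transparent proxy needs, recovering the client's original destination from a connection that a netfilter REDIRECT rule (the Linux counterpart of the pf rdr rule above) has sent to the local listener. It uses netfilter's SO_ORIGINAL_DST getsockopt; whether port-linux.c in the attachment uses exactly this call is not visible on this page, the OpenBSD pf side (DIOCNATLOOK on /dev/pf) is not shown, and loopback_probe() is a constructed self-check over an ordinary loopback connection, not real redirected traffic.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80 /* netfilter's value from <linux/netfilter_ipv4.h> */
#endif

/* Pre-NAT destination of accepted TCP socket fd: where the client was really
 * going before a REDIRECT rule sent it to our listener. Returns 0, or -1 with
 * errno set when there is no conntrack entry (not redirected / no conntrack). */
int original_destination(int fd, struct sockaddr_in *dst)
{
    socklen_t len = sizeof(*dst);
    memset(dst, 0, sizeof(*dst));
    if (getsockopt(fd, IPPROTO_IP, SO_ORIGINAL_DST, dst, &len) == -1)
        return -1;
    /* never forward to an answer of unexpected shape or address family */
    if (len != sizeof(*dst) || dst->sin_family != AF_INET) {
        errno = EAFNOSUPPORT;
        return -1;
    }
    return 0;
}
/* Constructed self-check needing no firewall rule: on a plain loopback
 * connection the lookup must either fail (no NAT state) or report the unchanged
 * destination, i.e. the listener's own address. Returns 1 if so, else 0. */
int loopback_probe(void)
{
    int ls = socket(AF_INET, SOCK_STREAM, 0), cs = -1, as = -1, ok = 0;
    struct sockaddr_in la = { .sin_family = AF_INET }, dst;
    socklen_t ll = sizeof(la);
    la.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* port 0: kernel picks one */
    if (ls < 0 || bind(ls, (struct sockaddr *)&la, sizeof(la)) < 0 ||
        listen(ls, 1) < 0 || getsockname(ls, (struct sockaddr *)&la, &ll) < 0 ||
        (cs = socket(AF_INET, SOCK_STREAM, 0)) < 0 ||
        connect(cs, (struct sockaddr *)&la, sizeof(la)) < 0 ||
        (as = accept(ls, NULL, NULL)) < 0)
        goto out;
    ok = original_destination(as, &dst) == -1 ||
         (dst.sin_addr.s_addr == la.sin_addr.s_addr && dst.sin_port == la.sin_port);
out:
    if (as >= 0) close(as);
    if (cs >= 0) close(cs);
    if (ls >= 0) close(ls);
    return ok;
}
```

A proxy that silently falls back to getsockname() on failure would forward to its own listener address; treating the -1 as fatal for that connection is the safe behaviour.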