[3737] in linux-net channel archive
Re: CONFIG_IP_TRANSPARENT_PROXY sample programs?
daemon@ATHENA.MIT.EDU (David Bonn)
Wed Jul 17 15:40:35 1996
Date: Tue, 16 Jul 1996 12:45:03 -0700
From: David Bonn <david@sealabs.com>
To: Nigel Metheringham <Nigel.Metheringham@theplanet.net>
Cc: David Bonn <david@sealabs.com>, Matthias Urlichs <smurf@smurf.noris.de>,
linux-net@vger.rutgers.edu, jos@xos.nl
In-Reply-To: <m0ug8Iu-00053PC@dingo.theplanet.co.uk>
>>>>> "Nigel" == Nigel Metheringham <Nigel.Metheringham@theplanet.net> writes:

Nigel> david@sealabs.com said:
Nigel> } My current thinking is that transparent proxies can be used quite
Nigel> } efficiently to manage ip masquerading connections. Using a
Nigel> } transparent proxy for the ftp control connection won't have a
Nigel> } noticeable performance impact, but makes for cleaner, more robust code
Nigel> } when it comes to building ip masquerading entries for the data
Nigel> } connection.

Nigel> I'd agree with this *except* that we then have a user level proxy
Nigel> (for the ftp control connection) controlling kernel level
Nigel> masquerading streams (for the data connections). All well and good,
Nigel> but we need a means of doing this....

Nigel> So we need some kernel hooks, I guess something like this off-hand:-
Nigel> - setup masq tunnel (this is the type of connection that shows
Nigel> up in /proc/net/ip_masquerade rather than the firewall rules
Nigel> that are normally manipulated).
Nigel> - other masq tunnel manipulations - tear down, timeouts etc
Nigel> - do we need information back on when something has happened
Nigel> to a masqed tunnel - i.e. when it's shut down??
Nigel> This can be done by reading /proc/net/ip_masquerade

One big win to this approach is that masquerade support for goofy
protocols can be done simply and cleanly in user space rather than
loadable modules. This (to me) seems easier to understand. It will
also work correctly in a few pathological cases where the current
masquerade modules may not.

Nigel> 2. Is this user/kernel split a good idea - would it be stable?

It seems to be working okay for me right now. Admittedly the solution
is hacked...

Nigel> 3. The alternative is to do the whole lot in the kernel.
Nigel> Can you get a transparent proxy like (streamed TCP) interface
Nigel> within a kernel module?

This would help a lot, and that gets close to the core problem that
we're trying to solve. I don't know how possible it is, though.

dwb
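The thread's premise is that a user-level proxy sitting on the ftp control connection can work out which data connection the kernel should masquerade. The piece such a proxy has to get right is reading the RFC 959 address announcements (the client's PORT command, the server's 227 passive reply) and refusing ones that do not belong to the peer that sent them. The following Python is an added example written for this archive page; it is not code from David Bonn, Nigel Metheringham or the Linux masquerading code. The kernel hooks Nigel sketches never appear on the page in concrete form, so `plan_masq_entry` only returns a description of the mapping a proxy would request, not a call into any kernel interface; all function names, the `DataEndpoint` class and the sample control-channel lines are constructed for this example.

```python
"""Parse FTP control-channel lines that announce a data connection endpoint.

Added example for the CONFIG_IP_TRANSPARENT_PROXY thread; all names and
sample lines are constructed. The kernel-side "setup masq tunnel" hook the
thread speculates about is not modelled, only the entry a proxy would
ask for.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 959 host-port form: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_HP = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_PORT_CMD = re.compile(r"^PORT\s+(\S+)\s*$", re.IGNORECASE)
_PASV_REPLY = re.compile(r"^227\s[^(]*\(([^)]*)\)")


@dataclass(frozen=True)
class DataEndpoint:
    host: str
    port: int
    mode: str  # "active": client sent PORT; "passive": server sent 227


def _decode_hostport(text: str) -> Optional[tuple]:
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', port); None if malformed."""
    m = _HP.fullmatch(text.strip())
    if not m:
        return None
    vals = [int(g) for g in m.groups()]
    if any(v > 255 for v in vals):      # each field is one octet
        return None
    port = vals[4] * 256 + vals[5]
    if port == 0:                       # port 0 is never a usable endpoint
        return None
    return ".".join(str(v) for v in vals[:4]), port


def parse_control_line(line: str) -> Optional[DataEndpoint]:
    """Return the endpoint announced by one control-channel line, or None."""
    line = line.rstrip("\r\n")
    m = _PORT_CMD.match(line)
    if m:
        hp = _decode_hostport(m.group(1))
        return DataEndpoint(hp[0], hp[1], "active") if hp else None
    m = _PASV_REPLY.match(line)
    if m:
        hp = _decode_hostport(m.group(1))
        return DataEndpoint(hp[0], hp[1], "passive") if hp else None
    return None


def plan_masq_entry(line: str, peer_host: str) -> Optional[dict]:
    """Describe the data-connection mapping the control-channel proxy needs.

    peer_host is the address of the side that sent the line. The announced
    host must be that same peer; an announcement for some other host is
    refused before anything is requested from the kernel. (Conservative:
    a server behind a load balancer that announces a different address
    would also be refused.)
    """
    ep = parse_control_line(line)
    if ep is None or ep.host != peer_host:
        return None
    if ep.mode == "active":
        # Internal client named where the remote server should connect:
        # the masquerade entry must accept that inbound data connection.
        return {"direction": "inbound",
                "internal_host": ep.host, "internal_port": ep.port}
    # Remote server named where the client should connect: an ordinary
    # outbound connection the masquerading host will see next.
    return {"direction": "outbound",
            "remote_host": ep.host, "remote_port": ep.port}


if __name__ == "__main__":
    # Constructed sample traffic: an internal client at 10.0.0.5 talking to a
    # server at 192.0.2.10 (TEST-NET).
    for who, text in [("10.0.0.5", "PORT 10,0,0,5,4,1\r\n"),
                      ("192.0.2.10", "227 Entering Passive Mode (192,0,2,10,195,80)\r\n"),
                      ("10.0.0.5", "PORT 10,0,0,7,4,1\r\n"),      # names another host
                      ("10.0.0.5", "PORT 10,0,0,5,999,1\r\n"),    # octet out of range
                      ("10.0.0.5", "USER anonymous\r\n")]:
        print(repr(text.rstrip()), "->", plan_masq_entry(text, who))
```

The check against `peer_host` is the part worth carrying into a real proxy: once a user-level process is creating kernel masquerade entries, every announced address it accepts becomes a hole the kernel will honour, so the proxy, not the kernel, is the place that has to say no.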