On Tue, 15 Sep 2009 04:13:20 +0200, Henrik Nordstrom
<henrik_at_henriknordstrom.net> wrote:
> tis 2009-09-15 klockan 12:28 +1200 skrev Amos Jeffries:
>
>> The big reason is that TPROXY passes the IPs to Squid inverted via
>> accept(). There is no probe like the NAT ORIGINAL_DST to separate the
>> TPROXY and non-TPROXY received connections. The only way to identify
this
>> IP inversion is the flags in squid.conf.
>
> Yes, but here we are talking about the other side, when Squid makes the
> outgoing connection. That part do not need to depend in any way on how
We are talking about setting http_port (incoming) options. Or so I thought.
> the request arrived at Squid, just on where the request is heading
> (routing of return traffic for the client via Squid server).
>
> Should in theory work to enable tproxy spoofing even for normal proxied
> connections.
That would be some other functionality not related to what the existing
http_port tproxy flag does. Spoofing without handling inbound spoofed
requests. IMO it is as nice to use as a certain login function turned out
to be.
You can try it I suppose. I suspect there is likely some kernel
implementation bits that prevent random IP spoofing though. The only limit
in Squid is that spoof_client_ip flag must be set before tcp outgoing
address is selected.
Amos
Received on Tue Sep 15 2009 - 02:44:04 MDT
This archive was generated by hypermail 2.2.0 : Tue Sep 15 2009 - 12:00:02 MDT