On Sun, Jan 07, 2007 at 05:11:06PM +0100, Lennert Buytenhek wrote: > On Sun, Jan 07, 2007 at 03:11:34PM +0100, Harald Welte wrote: > > > > So instead of using NAT to dynamically redirect traffic to local > > > addresses, we now rely on "native" non-locally-bound sockets and do > > > early socket lookups for inbound IPv4 packets. > > > > It's good to see a solid implementation of this 'old idea'. > > > > Just as a quick historical note to netdev: This is the way how the > > netfilter project advised the balabit guys to implement fully > > transparent proxy support, after having seen the complexity of the old > > nat-based TPROXY patches. > > Didn't rusty tell the balabit guys to use the NAT approach?
that was originally, way back. It turned out to be a bad idea, after all... way too complex. At least that's how I look at it. Too sad :( Rusty and me then had the idea about the routing based approach at some point, if I remember correctly. We talked about it with Krisztian and Balazs at least on one occasion. All that isn't really important. All I wanted to say was: "I (and AFAIR the netfilter core team) believe this is the way to implement good support for transparent proxying. It's already the second completely independent implementation, let's merge it after all." -- - Harald Welte <[EMAIL PROTECTED]> http://netfilter.org/ ============================================================================ "Fragmentation is like classful addressing -- an interesting early architectural error that shows how much experimentation was going on while IP was being designed." -- Paul Vixie
signature.asc
Description: Digital signature
