A most likely difficult and not currently existing feature request:

  What I can do...

    on a router, I can (easily) redirect all traffic on a given port except
    that from special interface to a given server (on that interface)

    i.e., on all but interface gig0/0.666 (dot1q 666) redirect all traffic on
        port Y to a server on gig0/0.666, a /30 dot1q VLAN

    on that host, use a "redirect" target to intercept all traffic to port Y

  What I'd like to then do...

    be able to create a distinct outgoing connection and specify to the kernel
    "this connection pairs with incoming connection X", and then have the
    kernel generate traffic to another server at port Y from the same source IP
    of the original connection (previously mentioned router config will assure
    the return traffic is also offloaded to the interception host)

Another way to deploy would be using a Linux box as a bridge with symmetric
traffic flows across it, similar to how layer 4 switches work in
"no-source-rewrite" mode (only you could run the proxy on the same server
as is doing the interception).

What this could be used to fix but isn't actually what I'm working on is
transparent proxies (only in the statically mapped client:proxy proxy case,
as there's no indication of which proxy to return to in a round robin case)
and IP-based authentication.

The problem I'm actually working on is how to transparently proxy a protocol
which creates end to end connections in each direction and could be
significantly accelerated by a smart enough proxy (although the proxy would
have to do things like block md5 checksums for duplicate detection as it
would be a proxy for a download protocol with a lot of duplicates where
intelligent clients do multi-sourced range requests and combine the results).

Perhaps the "real" solution would be to be able to bind a socket to an
IP which isn't on the box in question, knowing that the traffic flow in
question would return to the box?  This would need a special flag of some
kind as it's not something you'd generally want to be possible by
accident, and similarly it would want to require root privilege to do
something so twisted.  Dynamically adding IP aliases is not useful as it
would prevent the traffic on the client sockets from properly flowing back
to the real source hosts.  Another solution might be to add outbound NAT
rules on the fly for each connection, but that means manual tear-down for
each connection (and daemon crash -> static NAT rule pollution).

David.
-- 
David Luyer                                     Phone:   +61 3 9674 7525
Network Development Manager    P A C I F I C    Fax:     +61 3 9699 8693
Pacific Internet (Australia)  I N T E R N E T   Mobile:  +61 4 1111 BYTE
http://www.pacific.net.au/                      NASDAQ:  PCNTF
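The root-only "bind a socket to an IP which isn't on the box" flag asked for above is what Linux later added as the IP_TRANSPARENT socket option, and the inbound leg caught by the "redirect" target can recover its original port Y through SO_ORIGINAL_DST. The following is an added illustration, not code from this mail or from Pacific Internet: a minimal paired-connection proxy that accepts the redirected client connection and opens the outbound leg from the client's own source IP. It assumes the proxy host has CAP_NET_ADMIN, that the upstream server address is supplied by the caller, and that the router/policy-routing configuration described in the mail brings the upstream's replies back to this host.

```python
import selectors
import socket
import struct

SO_ORIGINAL_DST = 80  # netfilter getsockopt option on SOL_IP (linux/netfilter_ipv4.h)
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)  # linux/in.h; allows non-local bind

def parse_sockaddr_in(raw: bytes) -> tuple[str, int]:
    """struct sockaddr_in (family host-order, port network-order) -> (ip, port)."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short")
    family = struct.unpack_from("=H", raw, 0)[0]
    if family != socket.AF_INET:
        raise ValueError(f"not AF_INET: {family}")
    return socket.inet_ntoa(raw[4:8]), struct.unpack_from("!H", raw, 2)[0]

def original_destination(conn: socket.socket) -> tuple[str, int]:
    """Where the client was really heading before the REDIRECT target caught it."""
    return parse_sockaddr_in(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))

def open_paired_upstream(client_ip: str, upstream: tuple[str, int]) -> socket.socket:
    """Upstream leg 'paired' with the client connection: same source IP as the client.
    Needs CAP_NET_ADMIN; without IP_TRANSPARENT bind() fails with EADDRNOTAVAIL."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
    s.bind((client_ip, 0))  # ephemeral port avoids a 4-tuple clash with the intercepted flow
    s.connect(upstream)
    return s

def relay(a: socket.socket, b: socket.socket) -> int:
    """Pump bytes both ways until one side sends EOF; returns bytes forwarded."""
    sel = selectors.DefaultSelector()
    peer = {a: b, b: a}
    for s in peer:
        sel.register(s, selectors.EVENT_READ)
    total = 0
    while True:
        for key, _ in sel.select():
            data = key.fileobj.recv(65536)
            if not data:
                return total
            peer[key.fileobj].sendall(data)
            total += len(data)

def handle_client(conn: socket.socket, upstream_ip: str) -> int:
    """One intercepted connection: recover port Y, open the paired leg, relay."""
    client_ip, _ = conn.getpeername()
    _, port_y = original_destination(conn)  # the port Y the router redirected
    with conn, open_paired_upstream(client_ip, (upstream_ip, port_y)) as up:
        return relay(conn, up)
```

A daemon crash here leaves no NAT state behind, since the pairing lives only in the two sockets; only the static router redirect remains.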