Subject: Re: Transparent Proxying
To: None <>
From: None <>
List: tech-kern
Date: 05/14/2002 18:28:45
>Sorry for my last post which had unwrapped lines, so I am resending it
>with better formatting now:
>Hi all,
>Is there a userspace facility on NetBSD which allows a TCP proxy daemon to
>spoof the source address for the life of a TCP connection to that of the
>actual internet client when connecting from a gateway to an internal
>service? This way the internal machine would see the connection as
>originating from the client rather than from the proxy gateway.

	though only for IPv6, we have this functionality implemented as the
	faith(4) interface, under the following conditions:
	- sysctl net.inet6.ip6.keepfaith=1,
	- the listening socket has setsockopt(IPV6_FAITH) set,
	- an IPv6 packet gets routed to the faith(4) interface;
	the listening socket will then hijack any inbound connection.

	i'm still not 100% sure if modelling it as an interface is the
	right thing to do (for instance, the faith(4) model does not handle
	the link-local IPv6 address case).

	openbsd seems to have the functionality implemented as a combination of
	the PF packet filter and ftp-proxy(8).
	i guess you will want to check it out.
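The listener side of the faith(4) setup described above, as an added example that is not part of the original post or of NetBSD's own faithd: a C listener that sets IPV6_FAITH, and on accept reads back the address the client actually dialled. It assumes NetBSD's IPV6_FAITH option plus the keepfaith sysctl and a route into faith(4); on systems without IPV6_FAITH the option is skipped and the socket is a plain listener.

```c
/* Added example (not from the original post): IPv6 listener prepared for
 * faith(4) interception. Assumes NetBSD's IPV6_FAITH socket option,
 * sysctl net.inet6.ip6.keepfaith=1 and a route sending the intercepted
 * prefix to a faith interface; elsewhere the option is simply skipped. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listening IPv6 socket on [::]:port (0 = kernel picks). Returns fd or -1. */
int make_faith_listener(unsigned short port) {
    int fd = socket(AF_INET6, SOCK_STREAM, 0), one = 1;
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
#ifdef IPV6_FAITH
    /* Ask the kernel to hand this socket any connection routed to faith(4). */
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_FAITH, &one, sizeof one) < 0) {
        close(fd); return -1;
    }
#endif
    struct sockaddr_in6 sin6 = { .sin6_family = AF_INET6,
                                 .sin6_addr = IN6ADDR_ANY_INIT,
                                 .sin6_port = htons(port) };
    if (bind(fd, (struct sockaddr *)&sin6, sizeof sin6) < 0 || listen(fd, 16) < 0) {
        close(fd); return -1;
    }
    return fd;
}

/* Port the listener is bound to (needed when 0 was requested), or 0 on error. */
unsigned short listener_port(int fd) {
    struct sockaddr_in6 sin6;
    socklen_t len = sizeof sin6;
    if (getsockname(fd, (struct sockaddr *)&sin6, &len) < 0) return 0;
    return ntohs(sin6.sin6_port);
}

/* Under faith(4) the accepted socket's local address is the destination the
 * client dialled (the internal service), not the proxy's own; record both. */
int accept_intercepted(int listen_fd) {
    struct sockaddr_in6 peer, local;
    socklen_t plen = sizeof peer, llen = sizeof local;
    char p[INET6_ADDRSTRLEN], l[INET6_ADDRSTRLEN];
    int c = accept(listen_fd, (struct sockaddr *)&peer, &plen);
    if (c < 0) return -1;
    if (getsockname(c, (struct sockaddr *)&local, &llen) < 0) { close(c); return -1; }
    printf("client %s -> intended destination %s\n",
           inet_ntop(AF_INET6, &peer.sin6_addr, p, sizeof p),
           inet_ntop(AF_INET6, &local.sin6_addr, l, sizeof l));
    return c;
}
```

The proxy would then open its own connection to the address reported by getsockname and relay between the two sockets.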