Re: [squid-users] transparent proxy routing

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 01 Sep 2003 15:36:12 +0200

Mon 2003-09-01 at 10.04, cc wrote:
> Henrik Nordstrom wrote:
>
> > Don't NAT, just route the packets via a different route (policy
> > routing).
>
> What do you mean?

What I say. If you want to redirect packets from a router to a cache
server do so by routing. DO NOT USE NAT for the purpose. If you use NAT
then you will lose functionality.

* Destination NAT breaks HTTP/1.0 clients

* Source NAT breaks access controls.

Routing does not change the packets, and thus does not break anything
assuming all packets belonging to the same session are routed properly.

> I'm in the midst of recompiling the kernel with Connmark module
> enabled. Perhaps this might be able to help me figure this transparent
> proxy out.

See Linux advanced routing howto for information on Linux policy
routing, and the CONNMARK documentation on how to use CONNMARK.

What CONNMARK adds which is not possible without is the ability to set a
mark on connections, not only packets. This allows the route policy to
apply to ICMP traffic etc belonging to the same session allowing
Path-MTU discovery to function.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
Please consult the Squid FAQ and other available documentation before
asking Squid questions, and use the squid-users mailing-list when no
answer can be found. Private support questions are only answered
for a fee or as part of a commercial Squid support contract.
If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Mon Sep 01 2003 - 07:36:26 MDT
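The routing-based redirect Henrik describes, as an added example that is not part of the thread and not Squid project code: a small generator script that emits the iptables CONNMARK rules and the `ip rule` / `ip route` policy-routing commands for a Linux router. The interface name, cache address, mark value and table number are assumed placeholders for a lab setup. The connection (not just the packet) carries the mark, so conntrack-related traffic such as ICMP "fragmentation needed" errors for the session is restored onto the same mark and takes the same route to the cache, which is what keeps path-MTU discovery working. The packets themselves are left unchanged; the cache host still has to accept traffic addressed to the origin server (that part is outside this script).

```shell
#!/bin/sh
# Added example: policy-route LAN clients' HTTP sessions to a Squid cache
# without NAT. Values below are assumed placeholders for a lab router.
LAN_IF="eth0"          # assumed: interface facing the LAN clients
CACHE_IP="192.0.2.10"  # assumed: cache host address (TEST-NET-1)
MARK="0x1"             # assumed: fwmark meaning "send to the cache"
TABLE="100"            # assumed: routing table holding the cache route

# Emit the commands instead of running them, so they can be reviewed
# and then executed as root on the router (e.g. piped to sh).
policy_route_rules() {
    lan_if="$1"; cache_ip="$2"; mark="$3"; table="$4"
    cat <<EOF
# 1. Copy any mark already stored on the connection back onto the packet.
#    This covers later packets of a classified session and conntrack
#    RELATED traffic (ICMP errors) that belongs to it.
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# 2. Unmarked (new) HTTP connections from LAN clients get the mark.
#    Traffic from the cache host itself is excluded to avoid a loop.
iptables -t mangle -A PREROUTING -i $lan_if ! -s $cache_ip -m mark --mark 0 -p tcp --dport 80 -j MARK --set-mark $mark
# 3. Store the packet mark on the connection so steps 1 and 2 agree.
iptables -t mangle -A PREROUTING -i $lan_if -m mark --mark $mark -j CONNMARK --save-mark
# 4. Policy routing: marked packets arriving from the LAN use table $table,
#    whose default route points at the cache. Restricting the rule to the
#    LAN interface keeps the cache's replies to clients on the normal table.
ip rule add iif $lan_if fwmark $mark lookup $table
ip route add default via $cache_ip table $table
EOF
}

# Stand-alone usage: print the rule set for the placeholder values.
policy_route_rules "$LAN_IF" "$CACHE_IP" "$MARK" "$TABLE"
```

The order of the mangle rules matters: the restore runs first so that established sessions are never re-classified, and the save runs last so the mark chosen in step 2 is what later packets and related ICMP inherit.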
