Support getting backend address from packet header when in transparent proxy mode
I use sniproxy to hide a long fat network from local clients; they think they connect to remote servers but I redirect their connections to sniproxy using iptables.
This works for clients that send SNI, but not for the ones that don't.
With iptables TPROXY, I could redirect the packets to sniproxy without changing them, so that sniproxy could obtain the desired destination IP from the packet header instead of relying on SNI. Can you add this please?
@akorn SNIproxy currently supports using IP_TRANSPARENT in conjunction with iptables to impersonate the original client address (see tests/transparent_proxy_test). Using it as a general purpose byte pump learning the ultimate destination from the initial TCP connection is interesting, but I wonder if there already exists a proxy for this purpose? Is there a reason you are looking at SNIproxy to fill this role?
This could be implemented in accept_connection() using IP_PKTINFO to obtain the destination address, and then the connection to transition immediately to the RESOLVED state. How were you envisioning this interacting with the existing parsing of TLS and HTTP protocols? Did you envision the table lookup playing a role in the selection of an ultimate destination?
Yes, sorry, I wasn't too clear.
I was thinking the IP_TRANSPARENT option could be a sort of last resort fallback when the client doesn't send SNI. So if there is SNI, I'd use that, and if there isn't, fall back to using the destination IP (and port) the client tried to connect to.
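The fallback described in this thread, as an added example that is not sniproxy's own code: it prefers a parsed SNI name and otherwise uses the destination the client dialled. It assumes the listener has IP_TRANSPARENT set and receives traffic via an iptables TPROXY rule, in which case getsockname() on the accepted socket returns the original destination instead of the proxy's address. The function names, the port 443 default for SNI-bearing connections and the TEST-NET sample address are assumptions.

```c
/* Added example, not sniproxy code: choose a backend, preferring the SNI name
 * and falling back to the address the client dialled.  With IP_TRANSPARENT on a
 * TPROXY'd listener, getsockname() on the accepted socket yields that address. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
/* Render an IPv4 socket address as dotted-quad host and host-order port. */
int format_destination(const struct sockaddr_in *sa, char *host, size_t hostlen, uint16_t *port) {
    if (sa->sin_family != AF_INET || inet_ntop(AF_INET, &sa->sin_addr, host, hostlen) == NULL)
        return -1;
    *port = ntohs(sa->sin_port);
    return 0;
}

/* Destination the client dialled, read from a socket accepted on a transparent listener. */
int original_destination(int fd, char *host, size_t hostlen, uint16_t *port) {
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return -1;
    return format_destination(&sa, host, hostlen, port);
}

/* sni is the parsed server name, or NULL / "" when the client sent none. */
int choose_backend(int fd, const char *sni, char *host, size_t hostlen, uint16_t *port) {
    if (sni != NULL && sni[0] != '\0') {
        snprintf(host, hostlen, "%s", sni);
        *port = 443;  /* assumption: SNI-bearing traffic is TLS on port 443 */
        return 0;
    }
    return original_destination(fd, host, hostlen, port);
}
/* Self-check with a constructed TEST-NET destination and the SNI branch; needs no TPROXY'd socket.  Returns 1 on success. */
int selftest(void) {
    char host[INET_ADDRSTRLEN];
    uint16_t port = 0;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(8443) };
    inet_pton(AF_INET, "203.0.113.10", &sa.sin_addr);
    if (format_destination(&sa, host, sizeof(host), &port) != 0 ||
        strcmp(host, "203.0.113.10") != 0 || port != 8443)
        return 0;
    if (choose_backend(-1, "example.com", host, sizeof(host), &port) != 0 ||
        strcmp(host, "example.com") != 0 || port != 443)
        return 0;
    return 1;
}
```

Without IP_TRANSPARENT and a TPROXY rule, getsockname() simply reports the proxy's own listening address, so the fallback only works on a listener configured that way.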