Class TproxyOriginalDestinationResolver

java.lang.Object
org.mockserver.netty.proxy.TproxyOriginalDestinationResolver
All Implemented Interfaces:
TransparentProxyHandler.OriginalDestinationResolver

public class TproxyOriginalDestinationResolver extends Object implements TransparentProxyHandler.OriginalDestinationResolver
Resolves the original destination of a transparently intercepted TCP connection using the TPROXY (IP_TRANSPARENT) mechanism.

With TPROXY iptables rules (as opposed to REDIRECT), the kernel preserves the original destination address as the socket's local address. The listener socket must be bound with the IP_TRANSPARENT socket option so the kernel allows binding to non-local addresses, and the iptables rules must use the -j TPROXY target instead of -j REDIRECT.

Resolution is trivial: channel.localAddress() returns the original destination directly (the pre-TPROXY destination). No conntrack table lookup or getsockopt(SO_ORIGINAL_DST) is needed.

Requirements:

  • Linux with Netty epoll transport
  • CAP_NET_ADMIN capability (for IP_TRANSPARENT setsockopt)
  • TPROXY iptables rules instead of REDIRECT:

      iptables -t mangle -A PREROUTING -p tcp --dport <target-port> \
        -j TPROXY --tproxy-mark 0x1/0x1 --on-port <mockserver-port>
      ip rule add fwmark 1 lookup 100
      ip route add local 0.0.0.0/0 dev lo table 100

  • The IP_TRANSPARENT socket option set on the listener socket (wired in MockServerIpTransparentHelper or via EpollChannelOption.IP_TRANSPARENT)
  • Configuration flag: mockserver.transparentProxyTproxy=true

Chain position: in the CompositeOriginalDestinationResolver default chain, TPROXY is placed first (before SO_ORIGINAL_DST and conntrack). When TPROXY mode is active, the local address is the authoritative original destination; when inactive, this resolver returns null and the chain falls through to SO_ORIGINAL_DST / conntrack.

Difference from REDIRECT: with REDIRECT, the socket's local address is the MockServer listen address (the redirect target), so channel.localAddress() is useless for original-destination recovery. With TPROXY, the local address IS the original destination.

Constructor Details

  • TproxyOriginalDestinationResolver

      public TproxyOriginalDestinationResolver(Configuration configuration)
      Creates a TPROXY resolver that checks whether TPROXY mode is active via the given configuration.
      Parameters:
      configuration - the MockServer configuration (used to read transparentProxyTproxy)
Method Details

  • resolve

      public InetSocketAddress resolve(io.netty.channel.Channel channel)
      Resolves the original destination by reading the channel's local address.

      Returns null when:

      • TPROXY mode is not enabled in configuration
      • The channel's local address is null or not an InetSocketAddress
      Specified by:
      resolve in interface TransparentProxyHandler.OriginalDestinationResolver
      Parameters:
      channel - the accepted Netty channel
      Returns:
      the original destination (from the local address), or null
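An added illustration (not MockServer's own code) of how the pieces described above fit together on a Netty epoll listener: IP_TRANSPARENT is set on the server socket through EpollChannelOption, and a handler applies the resolver's contract, returning null when TPROXY mode is off or the local address is not an InetSocketAddress so a chain can fall through to SO_ORIGINAL_DST / conntrack. The BooleanSupplier is a stand-in for reading transparentProxyTproxy from Configuration, and the port is a constructed value.

```java
import io.netty.bootstrap.ServerBootstrap;
import io.netty.channel.*;
import io.netty.channel.epoll.*;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.util.function.BooleanSupplier;

public class TproxyWiringExample {

    /** Same contract as TransparentProxyHandler.OriginalDestinationResolver: address or null. */
    static InetSocketAddress resolveTproxy(BooleanSupplier tproxyEnabled, Channel channel) {
        if (!tproxyEnabled.getAsBoolean()) {
            return null; // inactive: let the chain fall through to SO_ORIGINAL_DST / conntrack
        }
        SocketAddress local = channel.localAddress();
        // Under TPROXY the kernel kept the client's intended destination as the local address.
        return local instanceof InetSocketAddress ? (InetSocketAddress) local : null;
    }

    /** One instance shared by all accepted channels; logs the recovered destination on connect. */
    @ChannelHandler.Sharable
    static final class DestinationLogger extends ChannelInboundHandlerAdapter {
        private final BooleanSupplier tproxyEnabled;
        DestinationLogger(BooleanSupplier tproxyEnabled) { this.tproxyEnabled = tproxyEnabled; }
        @Override
        public void channelActive(ChannelHandlerContext ctx) {
            InetSocketAddress dst = resolveTproxy(tproxyEnabled, ctx.channel());
            System.out.println(ctx.channel().remoteAddress() + " -> " + dst); // null means "unresolved here"
            ctx.fireChannelActive();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        int mockserverPort = 1080;                  // constructed value; must match --on-port in the iptables rule
        BooleanSupplier tproxyEnabled = () -> true; // stand-in for reading mockserver.transparentProxyTproxy
        EpollEventLoopGroup group = new EpollEventLoopGroup();
        try {
            Channel server = new ServerBootstrap()
                .group(group)
                .channel(EpollServerSocketChannel.class)
                .option(EpollChannelOption.IP_TRANSPARENT, true) // listener socket; needs CAP_NET_ADMIN
                .childHandler(new DestinationLogger(tproxyEnabled))
                .bind(mockserverPort).sync().channel();
            server.closeFuture().sync();
        } finally {
            group.shutdownGracefully();
        }
    }
}
```

Without the iptables TPROXY rules in place, the logged destination is simply the listener's own address, which is the REDIRECT-style behaviour the class documentation warns about.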