Patch: TPROXY support for listening sockets

David Kostal david.kostal at
Wed Oct 17 12:55:21 UTC 2012

this patch is _not_ meant to provide transparently IP of clients to
the backends.

It is meant to for nginx to be able to listen on non-local IP, as
replacement for (eg.) NATing of incomming connections to local port.
My setups use LVS with direct routing and real-servers without the
public IPs, using NAT. However the problem I'm facing is IPv6 and one
option is to use TPROXY sockets to listen to (possibly large number
of) non-local IPs.

Would you recommend some other solution or is this TPROXY patch fine?


On Fri, Jun 15, 2012 at 7:56 AM, David Kostal <david.kostal at> wrote:
> Hi all,
> I just run into the need to have nginx support the Linux TPROXY
> feature: there is not REDIRECT target for IPv6. As there is no support
> for TPROXY in nginx I created a small patch for core & http modules
> against 1.2.1. It's enabled by recompiling nginx with --with-tproxy
> and activating it by adding "tproxy" as an additional argument to
> listen.
> Unfortunately it is not possible to enable/disable tproxy behavior for
> existing sockets during reload, only on startup or when reload adds
> new listening sockets. This is due to fact that the setsockopt() call
> must be done before bind().
> Please have a look, so far it works for me but I did not do yet any
> heavy testing and it's not production yet:)
> david.kostal at
> ----+

david.kostal at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nginx-tproxy.patch
Type: application/octet-stream
Size: 5619 bytes
Desc: not available
URL: <>

More information about the nginx mailing list