Content Deep Dive
Abusing Linux's firewall: the hack that allowed us to build Spectrum
Blog post from Cloudflare
Post Details
Author: Marek Majkowski
Word Count: 1,623
Language: English
Hacker News Points: 15
Summary
Cloudflare has introduced Spectrum, a new feature that brings DDoS protection, load balancing, and content acceleration to any TCP-based protocol. Developing Spectrum posed a technical challenge: Linux offers no straightforward way for a single application to accept connections on any valid TCP port from 1 to 65535. To overcome this, Cloudflare employed the "AnyIP" trick, which allows whole IP prefixes (subnets) to be assigned to the loopback interface, and used the TPROXY iptables module for socket dispatch. These solutions let Spectrum run on the vanilla kernel without any custom kernel patches.