[nft] doc: tproxy is non-terminal in nftables

Message ID 20240915224528.158198-1-pablo@netfilter.org
State Changes Requested

Commit Message

Pablo Neira Ayuso Sept. 15, 2024, 10:45 p.m. UTC
iptables TPROXY issues NF_ACCEPT while nftables tproxy allows for
post-processing. Update examples. For more info, see:

https://lore.kernel.org/netfilter-devel/ZuSh_Io3Yt8LkyUh@orbyte.nwl.cc/T/

Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 doc/statements.txt | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)

Comments

Florian Westphal Sept. 16, 2024, 8:56 a.m. UTC | #1
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>  -------------------------------------
> +Note that the tproxy statement is non-terminal to allow post-processing of
> +packets, such logging the packet for debugging.
> +
> +.Example ruleset for tproxy statement with logging
> +-------------------------------------
> +table t {
> +    chain c {
> +        type filter hook prerouting priority mangle; policy accept;
> +        udp dport 9999 tproxy to :1234 log prefix "packet tproxied: " accept
> +        log prefix "no socket on port 1234 or not transparent?: " drop
> +    }

I'd suggest using an anon chain here:

    udp dport 9999 goto {
        tproxy to :1234 log prefix "packet tproxied: " accept
        log prefix "no socket on port 1234 or not transparent?: " drop
    }

I also think it might make sense to merge/add bits from the kernel
documentation file (Documentation/networking/tproxy.rst).

None of these examples will work in case the destination IP is
going to be forwarded; the example only works for port "redirect".

Maybe:
+As packet headers are unchanged, packets might be forwarded instead of delivered
+locally. This can be avoided by adding policy routing rules and the packet mark.
+
+.Example policy routing rules for local redirection:
+----------------------------------------------------
+ip rule add fwmark 1 lookup 100
+ip route add local 0.0.0.0/0 dev lo table 100
+----------------------------------------------------
+
+Then, add "mark set 1" right after the "tproxy statement".

I'm not sure how verbose it should be; tproxy is complicated
due to how it's interacting with the routing engine, and even the application
needs to do special things (IP_TRANSPARENT sockopt). Maybe the
examples should also include the "meta mark set 1" bit?

> +This is a change in behavior compared to the legacy iptables TPROXY target
> +which is terminal. To terminate the packet processing after the tproxy
> +statement, remember to issue a verdict as in the example above.

Agree, it makes sense to add this.
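The two pitfalls discussed in this thread (a tproxy statement with no verdict after it, and an unconditional drop sitting in the base chain instead of inside an anonymous chain scoped by the tproxy match) are easy to spot mechanically when auditing a ruleset migrated from iptables. The following linter is an added example written for this thread; it is not part of nft or of the patch. It assumes the ruleset is given in the text form that `nft list ruleset` prints, and the three sample rulesets embedded in it are constructed: the pre-patch examples without `accept`, the patch's logging example, and a version that applies Florian's suggestions (`goto { ... }` anonymous chain plus `meta mark set 1`).

```python
"""Lint the text form of an nftables ruleset for two tproxy pitfalls:

  * a tproxy statement with no verdict after it: nftables tproxy is
    non-terminal, so evaluation silently continues with the next rule;
  * an unconditional drop/reject directly in the base chain, which drops
    every packet reaching it, not only packets tproxy failed to redirect.

Constructed example for this review thread; not part of nft or the patch.
"""
import re

# Verdict statements that end evaluation of the current rule (jump/goto
# hand over to another chain, so they count as well).
VERDICTS = {"accept", "drop", "reject", "return", "jump", "goto"}

# Keywords that begin a statement rather than a match expression: a rule
# starting with one of these matches every packet that reaches it.
STATEMENT_STARTS = {"log", "counter", "limit", "accept", "drop", "reject"}


def _tokens(line):
    """Split a rule line, keeping quoted strings such as log prefixes intact."""
    return re.findall(r'"[^"]*"|\S+', line)


def lint_tproxy_ruleset(text):
    """Return a list of (line_number, message) findings for ruleset text."""
    findings = []
    depth = 0  # 1 inside a table, 2 inside a chain, 3+ inside an anonymous chain
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("}"):
            depth -= 1
            continue
        toks = _tokens(line)
        # Rules live inside a chain; skip the "type ... ;" chain header.
        is_rule = depth >= 2 and toks[0] not in ("type", "chain")
        if is_rule:
            if "tproxy" in toks:
                after = toks[toks.index("tproxy") + 1:]
                if not any(t in VERDICTS for t in after):
                    findings.append((lineno, "tproxy statement without a verdict: "
                                             "evaluation continues with the next rule"))
            if (depth == 2 and toks[0] in STATEMENT_STARTS
                    and any(t in ("drop", "reject") for t in toks)):
                findings.append((lineno, "unconditional drop/reject in base chain: "
                                         "hits every packet, not only tproxy misses"))
        if line.endswith("{"):
            depth += 1
    return findings


# Constructed sample 1: the pre-patch documentation examples, no verdict.
LEGACY_STYLE = """table ip x {
    chain y {
        type filter hook prerouting priority mangle; policy accept;
        tcp dport ntp tproxy to 1.1.1.1
        udp dport ssh tproxy to :2222
    }
}
"""

# Constructed sample 2: the patch's logging example, drop in the base chain.
PATCH_EXAMPLE = """table t {
    chain c {
        type filter hook prerouting priority mangle; policy accept;
        udp dport 9999 tproxy to :1234 log prefix "packet tproxied: " accept
        log prefix "no socket on port 1234 or not transparent?: " drop
    }
}
"""

# Constructed sample 3: anonymous chain scopes the drop, mark set for
# policy routing (the ip rule / ip route commands are added separately).
FIXED = """table t {
    chain c {
        type filter hook prerouting priority mangle; policy accept;
        udp dport 9999 goto {
            tproxy to :1234 meta mark set 1 log prefix "packet tproxied: " accept
            log prefix "no socket on port 1234 or not transparent?: " drop
        }
    }
}
"""

if __name__ == "__main__":
    for name, sample in (("legacy", LEGACY_STYLE), ("patch", PATCH_EXAMPLE), ("fixed", FIXED)):
        for lineno, msg in lint_tproxy_ruleset(sample):
            print(f"{name}:{lineno}: {msg}")
```

The linter only reads the printed ruleset text, so it can run against the output of `nft list ruleset` on any host without touching the kernel; the mark it expects in the fixed sample still needs the matching `ip rule add fwmark 1 lookup 100` and `ip route add local 0.0.0.0/0 dev lo table 100` from the reply above to actually deliver forwarded traffic locally.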
Patch

diff --git a/doc/statements.txt b/doc/statements.txt
index 5becf0cbdbcf..386505481d3a 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -583,27 +583,45 @@  this case the rule will match for both families.
 table ip x {
     chain y {
         type filter hook prerouting priority mangle; policy accept;
-        tcp dport ntp tproxy to 1.1.1.1
-        udp dport ssh tproxy to :2222
+        tcp dport ntp tproxy to 1.1.1.1 accept
+        udp dport ssh tproxy to :2222 accept
     }
 }
 table ip6 x {
     chain y {
        type filter hook prerouting priority mangle; policy accept;
-       tcp dport ntp tproxy to [dead::beef]
-       udp dport ssh tproxy to :2222
+       tcp dport ntp tproxy to [dead::beef] accept
+       udp dport ssh tproxy to :2222 accept
     }
 }
 table inet x {
     chain y {
         type filter hook prerouting priority mangle; policy accept;
-        tcp dport 321 tproxy to :ssh
-        tcp dport 99 tproxy ip to 1.1.1.1:999
-        udp dport 155 tproxy ip6 to [dead::beef]:smux
+        tcp dport 321 tproxy to :ssh accept
+        tcp dport 99 tproxy ip to 1.1.1.1:999 accept
+        udp dport 155 tproxy ip6 to [dead::beef]:smux accept
     }
 }
 -------------------------------------
 
+Note that the tproxy statement is non-terminal to allow post-processing of
+packets, such logging the packet for debugging.
+
+.Example ruleset for tproxy statement with logging
+-------------------------------------
+table t {
+    chain c {
+        type filter hook prerouting priority mangle; policy accept;
+        udp dport 9999 tproxy to :1234 log prefix "packet tproxied: " accept
+        log prefix "no socket on port 1234 or not transparent?: " drop
+    }
+}
+-------------------------------------
+
+This is a change in behavior compared to the legacy iptables TPROXY target
+which is terminal. To terminate the packet processing after the tproxy
+statement, remember to issue a verdict as in the example above.
+
 SYNPROXY STATEMENT
 ~~~~~~~~~~~~~~~~~~
 This statement will process TCP three-way-handshake parallel in netfilter
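Review bot: the second rule of the new logging example, `log prefix "no socket on port 1234 or not transparent?: " drop`, carries no match expression, so it drops every packet that reaches chain c, not only UDP 9999 packets that tproxy failed to redirect; wrapping both rules in an anonymous chain (`udp dport 9999 goto { ... }`), as suggested in the thread, keeps the drop limited to the tproxy traffic. The note text "such logging the packet for debugging" should also read "such as logging the packet for debugging".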