From patchwork Fri Sep 13 10:20:23 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Pablo Neira Ayuso <pablo@netfilter.org>
X-Patchwork-Id: 1985142
Return-Path: 
 <netfilter-devel+bounces-3858-incoming=patchwork.ozlabs.org@vger.kernel.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org
 (client-ip=2604:1380:40f1:3f00::1; helo=sy.mirrors.kernel.org;
 envelope-from=netfilter-devel+bounces-3858-incoming=patchwork.ozlabs.org@vger.kernel.org;
 receiver=patchwork.ozlabs.org)
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org
 [IPv6:2604:1380:40f1:3f00::1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384)
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4X4r185plmz1y2H
	for <incoming@patchwork.ozlabs.org>; Fri, 13 Sep 2024 20:20:44 +1000 (AEST)
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
 [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id 33EA6B2495F
	for <incoming@patchwork.ozlabs.org>; Fri, 13 Sep 2024 10:20:44 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id A393C1C1AD6;
	Fri, 13 Sep 2024 10:20:39 +0000 (UTC)
X-Original-To: netfilter-devel@vger.kernel.org
Received: from mail.netfilter.org (mail.netfilter.org [217.70.188.207])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id D9BCE1272A6
	for <netfilter-devel@vger.kernel.org>; Fri, 13 Sep 2024 10:20:34 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=217.70.188.207
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1726222839; cv=none;
 b=MpKcFcVkvQwR8gOCNLgD9TBYIMB0uw9rlNpX42/Fy5VGKH05Jv8tJoR+kknDkZDhfP520URl5TijdFQdjqArj1cfnslslGqkeN30OOXEO0qMlluO989K20zlDjNJt0eVS00BVc4bs8z40J+3+asDim3Tic1nxxhXVVE5R5MkOXU=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1726222839; c=relaxed/simple;
	bh=dHnt1p3WXz14t+0xciY+pxeGUIuLcByYpm6QwWgEC1Q=;
	h=From:To:Cc:Subject:Date:Message-Id:MIME-Version;
 b=F+HxFyFbUhSECBwIgYd/vsR2bTmgOJ4binYq0QRhfH2buhU5XLFEmmJCCCG1TJQDwdijN9WIP24AjjjIzJ26zCPbNnOFPC8HZf5feuPnI1ZQZxCcsvudQHvL2jiPYuHMbfsFMBwJ9bcpAVHhqtyDTLnIPAvbjZ7ZM5eZ/vuAvhA=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=netfilter.org;
 spf=pass smtp.mailfrom=netfilter.org; arc=none smtp.client-ip=217.70.188.207
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=netfilter.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=netfilter.org
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: antonio.ojea.garcia@gmail.com,
	phil@nwl.cc
Subject: [PATCH nf] netfilter: nft_tproxy: make it terminal
Date: Fri, 13 Sep 2024 12:20:23 +0200
Message-Id: <20240913102023.3948-1-pablo@netfilter.org>
X-Mailer: git-send-email 2.30.2
Precedence: bulk
X-Mailing-List: netfilter-devel@vger.kernel.org
List-Id: <netfilter-devel.vger.kernel.org>
List-Subscribe: <mailto:netfilter-devel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:netfilter-devel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

tproxy action must be terminal since the intent of the user to steal the
traffic and redirect to the port.

Align this behaviour to iptables to make it easier to migrate by issuing
NF_ACCEPT for packets that are redirect to userspace process socket.
Otherwise, NF_DROP packet if socket transparent flag is not set on.

Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support")
Reported-by: Antonio Ojea <antonio.ojea.garcia@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Phil Sutter <phil@nwl.cc>
---
 net/netfilter/nft_tproxy.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c
index 71412adb73d4..f3b563c379d8 100644
--- a/net/netfilter/nft_tproxy.c
+++ b/net/netfilter/nft_tproxy.c
@@ -74,10 +74,13 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr,
 					   skb->dev, NF_TPROXY_LOOKUP_LISTENER);
 	}
 
-	if (sk && nf_tproxy_sk_is_transparent(sk))
+	if (sk && nf_tproxy_sk_is_transparent(sk)) {
 		nf_tproxy_assign_sock(skb, sk);
-	else
-		regs->verdict.code = NFT_BREAK;
+		regs->verdict.code = NF_ACCEPT;
+		return;
+	}
+
+	regs->verdict.code = NF_DROP;
 }
 
 #if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
@@ -147,10 +150,13 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr,
 	}
 
 	/* NOTE: assign_sock consumes our sk reference */
-	if (sk && nf_tproxy_sk_is_transparent(sk))
+	if (sk && nf_tproxy_sk_is_transparent(sk)) {
 		nf_tproxy_assign_sock(skb, sk);
-	else
-		regs->verdict.code = NFT_BREAK;
+		regs->verdict.code = NF_ACCEPT;
+		return;
+	}
+
+	regs->verdict.code = NF_DROP;
 }
 #endif