author | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-09-16 00:34:27 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-09-17 21:26:51 +0200 |
commit | 9a6a8626504f64d40126afd279d9526b6bbccc60 (patch) | |
tree | c7fd2212ee4ff429ec1d5734b4897ad4b74ebfcd | |
parent | 1a4e7c6fd6b5f4b3fd2fa38eacc92cf3d1a3717f (diff) |
doc: tproxy is non-terminal in nftables
iptables TPROXY issues NF_ACCEPT while nftables tproxy allows for
post-processing. Update examples. For more info, see:
https://lore.kernel.org/netfilter-devel/ZuSh_Io3Yt8LkyUh@orbyte.nwl.cc/T/
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | doc/statements.txt | 45 |
1 files changed, 38 insertions, 7 deletions
diff --git a/doc/statements.txt b/doc/statements.txt
index 5becf0cb..74af1d1a 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -583,27 +583,58 @@ this case the rule will match for both families. table ip x { chain y { type filter hook prerouting priority mangle; policy accept; - tcp dport ntp tproxy to 1.1.1.1 - udp dport ssh tproxy to :2222 + tcp dport ntp tproxy to 1.1.1.1 accept + udp dport ssh tproxy to :2222 accept } } table ip6 x { chain y { type filter hook prerouting priority mangle; policy accept; - tcp dport ntp tproxy to [dead::beef] - udp dport ssh tproxy to :2222 + tcp dport ntp tproxy to [dead::beef] accept + udp dport ssh tproxy to :2222 accept } } table inet x { chain y { type filter hook prerouting priority mangle; policy accept; - tcp dport 321 tproxy to :ssh - tcp dport 99 tproxy ip to 1.1.1.1:999 - udp dport 155 tproxy ip6 to [dead::beef]:smux + tcp dport 321 tproxy to :22 accept + tcp dport 99 tproxy ip to 1.1.1.1:999 accept + udp dport 155 tproxy ip6 to [dead::beef]:smux accept } } ------------------------------------- +Note that the tproxy statement is non-terminal to allow post-processing of +packets. This allows packets to be logged for debugging as well as updating the +mark to ensure that packets are delivered locally through policy routing rules. + +.Example ruleset for tproxy statement with logging and meta mark +------------------------------------- +table inet x { + chain y { + type filter hook prerouting priority mangle; policy accept; + udp dport 9999 goto { + tproxy to :1234 log prefix "packet tproxied: " meta mark set 1 accept + log prefix "no socket on port 1234 or not transparent?: " drop + } + } +} +------------------------------------- + +As packet headers are unchanged, packets might be forwarded instead of delivered +locally. As mentioned above, this can be avoided by adding policy routing rules +and the packet mark. 
+ +.Example policy routing rules for local redirection +---------------------------------------------------- +ip rule add fwmark 1 lookup 100 +ip route add local 0.0.0.0/0 dev lo table 100 +---------------------------------------------------- + +This is a change in behavior compared to the legacy iptables TPROXY target +which is terminal. To terminate the packet processing after the tproxy +statement, remember to issue a verdict as in the example above. + SYNPROXY STATEMENT ~~~~~~~~~~~~~~~~~~ This statement will process TCP three-way-handshake parallel in netfilter |