| Field | Value | Date |
|---|---|---|
| author | Máté Eckl <ecklm94@gmail.com> | 2018-08-01 20:01:47 +0200 |
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-08-03 12:17:31 +0200 |
| commit | 029d9b3c16ae2354b6397c325a8dc389c67d970b (patch) | |
| tree | a21057d2e8032c9e574933c3f24bb68605e28a4b /doc | |
| parent | 7dfc5e6586286d72cc294a4a33acbbaa8d2f73ac (diff) | |
doc: Add tproxy statement to man page
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/statements.txt | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/doc/statements.txt b/doc/statements.txt index bcf3cc23..38d9982f 100644 --- a/doc/statements.txt +++ b/doc/statements.txt 
@@ -356,6 +356,64 @@ add rule nat postrouting oif eth0 masquerade add rule nat prerouting tcp dport 22 redirect to :2222 ------------------------ +TPROXY STATEMENT +~~~~~~~~~~~~~~~~ +Tproxy redirects the packet to a local socket without changing the packet header +in any way. If any of the arguments is missing the data of the incoming packet +is used as parameter. Tproxy matching requires another rule that ensures the +presence of transport protocol header is specified. + +[verse] +tproxy to 'address' : 'port' +tproxy to {'address' | : 'port'} + +This syntax can be used in *ip/ip6* tables where network layer protocol is +obvious. Either ip address or port can be specified, but at least one of them is +necessary. + +[verse] +tproxy {ip | ip6} to 'address' [: 'port'] +tproxy to : 'port' + +This syntax can be used in *inet* tables. The *ip/ip6* parameter defines the +family the rule will match. The *address* parameter must be of this family. +When only *port* is defined, the address family should not be specified. In +this case the rule will match for both families. + +.tproxy attributes +[options="header"] +|================= +| Name | Description +| address | IP address the listening socket with IP_TRANSPARENT option is bound to. +| port | Port the listening socket with IP_TRANSPARENT option is bound to. 
+|================= + +.Example ruleset for tproxy statement +------------------------------------- +table ip x { + chain y { + type filter hook prerouting priority -150; policy accept; + tcp dport ntp tproxy to 1.1.1.1 + udp dport ssh tproxy to :2222 + } +} +table ip6 x { + chain y { + type filter hook prerouting priority -150; policy accept; + tcp dport ntp tproxy to [dead::beef] + udp dport ssh tproxy to :2222 + } +} +table inet x { + chain y { + type filter hook prerouting priority -150; policy accept; + tcp dport 321 tproxy to :ssh + tcp dport 99 tproxy ip to 1.1.1.1:999 + udp dport 155 tproxy ip6 to [dead::beef]:smux + } +} +------------------------------------- + FLOW OFFLOAD STATEMENT ~~~~~~~~~~~~~~~~~~~~~~ A flow offload statement allows us to select what flows you want to accelerate |
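Review bot: the sentence "Tproxy matching requires another rule that ensures the presence of transport protocol header is specified" in the TPROXY STATEMENT paragraph is misleading: every rule in the example ruleset carries the transport match in the same rule as the statement (`tcp dport ntp tproxy to 1.1.1.1`, `udp dport ssh tproxy to :2222`), so this is a preceding expression in the same rule, not a separate rule. Suggest "The tproxy statement must be preceded in the same rule by a match that guarantees a transport protocol header is present, such as `tcp dport` or `udp dport`." Two smaller documentation gaps in the same hunk: the prose never says which hook the statement is valid in, while all three example chains use `type filter hook prerouting priority -150`; if the statement is restricted to the prerouting hook, state that explicitly in the first paragraph rather than leaving it implied by the example. Also, "where network layer protocol is obvious" would read more precisely as "where the network layer protocol is implied by the table family", and "If any of the arguments is missing the data of the incoming packet is used as parameter" needs a comma after "missing" and should say "the corresponding field of the incoming packet is used". Minor style point: `1.1.1.1` in the examples is a routable public address; a documentation address such as one from 192.0.2.0/24 avoids readers copying a real destination into a test setup.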