| author | Balazs Scheidler <bazsi77@gmail.com> | 2020-08-29 09:04:01 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-08-29 13:16:46 +0200 |
| commit | 945ac0677a6c73f31ec4ae21e89923570f8cb15a | |
| tree | f2b86193bf8df9abe788f88afb9717a72ec892d4 /src/socket.c | |
| parent | c156232a530b30b6668712eda22bc491b0900283 | |
socket: add support for "wildcard" key
iptables had a "-m socket --transparent" which didn't match sockets that are
bound to all addresses (e.g. 0.0.0.0 for ipv4, and ::0 for ipv6). It was
possible to override this behavior by using --nowildcard, in which case it
did match zero bound sockets as well.
The issue is that nftables never included the wildcard check, so in effect
it behaved like "iptables -m socket --transparent --nowildcard" with no
means to exclude wildcarded listeners.
This is a problem as a user-space process that binds to 0.0.0.0:<port> and
enables IP_TRANSPARENT would effectively intercept traffic going in _any_
direction on the specific port, whereas in most cases, transparent proxies
would only need this for one specific address.
The solution is to add a "socket wildcard" key to the nft_socket module, which
makes it possible to match on the wildcardness of a socket from
one's ruleset.
This is how to use it:

    table inet haproxy {
        chain prerouting {
            type filter hook prerouting priority -150; policy accept;
            socket transparent 1 socket wildcard 0 mark set 0x00000001
        }
    }
This patch effectively depends on its counterpart in the kernel.
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/socket.c')
-rw-r--r-- | src/socket.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/socket.c b/src/socket.c index d78a163a..673e5d0f 100644 --- a/src/socket.c +++ b/src/socket.c @@ -26,6 +26,12 @@ const struct socket_template socket_templates[] = { .len = 4 * BITS_PER_BYTE, .byteorder = BYTEORDER_HOST_ENDIAN, }, + [NFT_SOCKET_WILDCARD] = { + .token = "wildcard", + .dtype = &integer_type, + .len = BITS_PER_BYTE, + .byteorder = BYTEORDER_HOST_ENDIAN, + }, }; static void socket_expr_print(const struct expr *expr, struct output_ctx *octx) |
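Review bot: the new `[NFT_SOCKET_WILDCARD]` template entry relies on `NFT_SOCKET_WILDCARD` being defined in the nf_tables uapi header that nftables builds against, and the diffstat shown here is limited to src/socket.c, so that header update is not visible in this hunk; the commit message only says the change "effectively depends on its counterpart in the kernel", so please make sure the bundled header (and the `socket` expression documentation listing the new `wildcard` key) are updated in the same series, otherwise this entry will not compile and users will have no reference for the `socket wildcard 0` syntax the message demonstrates. The `.len = BITS_PER_BYTE` with `&integer_type` and host byte order is consistent with a 0/1 flag and matches how the message uses it.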