-rw-r--r-- | doc/statements.txt | 45 |
1 files changed, 38 insertions, 7 deletions
diff --git a/doc/statements.txt b/doc/statements.txt
index 5becf0cb..74af1d1a 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -583,27 +583,58 @@ this case the rule will match for both families.
 table ip x {
 chain y {
 type filter hook prerouting priority mangle; policy accept;
- tcp dport ntp tproxy to 1.1.1.1
- udp dport ssh tproxy to :2222
+ tcp dport ntp tproxy to 1.1.1.1 accept
+ udp dport ssh tproxy to :2222 accept
 }
 }
 table ip6 x {
 chain y {
 type filter hook prerouting priority mangle; policy accept;
- tcp dport ntp tproxy to [dead::beef]
- udp dport ssh tproxy to :2222
+ tcp dport ntp tproxy to [dead::beef] accept
+ udp dport ssh tproxy to :2222 accept
 }
 }
 table inet x {
 chain y {
 type filter hook prerouting priority mangle; policy accept;
- tcp dport 321 tproxy to :ssh
- tcp dport 99 tproxy ip to 1.1.1.1:999
- udp dport 155 tproxy ip6 to [dead::beef]:smux
+ tcp dport 321 tproxy to :22 accept
+ tcp dport 99 tproxy ip to 1.1.1.1:999 accept
+ udp dport 155 tproxy ip6 to [dead::beef]:smux accept
 }
 }
 -------------------------------------
+Note that the tproxy statement is non-terminal to allow post-processing of
+packets. This allows packets to be logged for debugging as well as updating the
+mark to ensure that packets are delivered locally through policy routing rules.
+
+.Example ruleset for tproxy statement with logging and meta mark
+-------------------------------------
+table inet x {
+ chain y {
+ type filter hook prerouting priority mangle; policy accept;
+ udp dport 9999 goto {
+ tproxy to :1234 log prefix "packet tproxied: " meta mark set 1 accept
+ log prefix "no socket on port 1234 or not transparent?: " drop
+ }
+ }
+}
+-------------------------------------
+
+As packet headers are unchanged, packets might be forwarded instead of delivered
+locally. As mentioned above, this can be avoided by adding policy routing rules
+and the packet mark.
+
+.Example policy routing rules for local redirection
+----------------------------------------------------
+ip rule add fwmark 1 lookup 100
+ip route add local 0.0.0.0/0 dev lo table 100
+----------------------------------------------------
+
+This is a change in behavior compared to the legacy iptables TPROXY target
+which is terminal. To terminate the packet processing after the tproxy
+statement, remember to issue a verdict as in the example above.
+
 SYNPROXY STATEMENT
 ~~~~~~~~~~~~~~~~~~
 This statement will process TCP three-way-handshake parallel in netfilter |