I was working on a haproxy transparent proxy setup that we had working
on CentOS 7 (iptables), but I am running into issues getting tproxy working
with nftables on CentOS 8.
From https://www.kernel.org/doc/Documentation/networking/tproxy.txt,
it should be a matter of:
# nft add table filter
# nft add chain filter divert "{ type filter hook prerouting priority -150; }"
# nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
But when running the 3rd line (add rule), I get:
root@kryptonite [/lib/modules/4.18.0-80.11.2.el8_0.x86_64]# nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
Error: Could not process rule: No such file or directory
add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
(In attempting to resolve this, I did the following:)
modprobe nf_tproxy_ipv4
modprobe nf_tproxy_ipv6
modprobe nf_socket_ipv4
modprobe nf_socket_ipv6
I also noted that:
nft add rule filter divert meta l4proto tcp meta mark set 1 accept
(removing 'socket transparent 1')
does not exit with a failure.
Also found https://bugzilla.redhat.com/show_bug.cgi?id=1651813 (which
did make reference to nftables version 0.9.0 possibly missing
support). I have not tried compiling 0.9.1 yet, but I find it curious
that the entire line fails with 'socket transparent 1', making me wonder
if it is still a missing module.
--
Nathan Coulson
System Administrator for Bravenet Web Services
www.bravenet.com
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
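As an added example (not part of the original post or of the haproxy/nftables projects): a small POSIX shell helper that writes the divert chain from the thread as an nft -f ruleset so it can be syntax-checked with `nft -c` before it is loaded, and that reports which of the kernel modules the post loads by hand are absent from /proc/modules. The module list also includes nft_socket, the nf_tables 'socket' expression module; that name is taken from the upstream kernel tree and is an assumption about this particular distribution kernel. The /proc/modules excerpt at the end is constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example, not from the original post. Wraps the divert chain from the
# thread in an nft -f ruleset and checks for the kernel modules involved.

# Modules the post loads by hand, plus nft_socket (assumption: the upstream
# name of the nf_tables 'socket' expression module that nf_socket_ipv4/6 back).
TPROXY_MODULES="nft_socket nf_socket_ipv4 nf_socket_ipv6 nf_tproxy_ipv4 nf_tproxy_ipv6"

# missing_modules MODULES_TEXT
# Print, one per line, the names in TPROXY_MODULES that do not appear as the
# first field of any line of MODULES_TEXT (the format of /proc/modules or lsmod).
missing_modules() {
    for m in $TPROXY_MODULES; do
        printf '%s\n' "$1" | awk -v name="$m" '$1 == name { found = 1 } END { exit !found }' \
            || printf '%s\n' "$m"
    done
}

# tproxy_ruleset
# Emit the table/chain/rule from the thread in nft -f syntax. Priority -150
# and the 'socket transparent 1' match are the post's values unchanged; the
# table is in the ip family, which is what 'nft add table filter' creates.
tproxy_ruleset() {
    cat <<'EOF'
table ip filter {
    chain divert {
        type filter hook prerouting priority -150; policy accept;
        meta l4proto tcp socket transparent 1 meta mark set 1 accept
    }
}
EOF
}

# apply_tproxy_ruleset
# On a real host: report modules missing from /proc/modules, then run the
# ruleset through 'nft -c -f' (parse and check only) before loading it with
# 'nft -f'. Returns non-zero if either nft step fails, so nothing is half-applied.
apply_tproxy_ruleset() {
    missing=$(missing_modules "$(cat /proc/modules)")
    if [ -n "$missing" ]; then
        printf 'modules not loaded (try modprobe):\n%s\n' "$missing" >&2
    fi
    tmp=$(mktemp) || return 1
    tproxy_ruleset > "$tmp"
    nft -c -f "$tmp" && nft -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed /proc/modules excerpt (not from a real host): nft_socket and the
# IPv4 halves are loaded, the IPv6 halves are not.
SAMPLE_MODULES='nft_socket 16384 0 - Live 0x0000000000000000
nf_socket_ipv4 16384 1 nft_socket, Live 0x0000000000000000
nf_tproxy_ipv4 16384 0 - Live 0x0000000000000000
nf_tables 151552 4 nft_socket, Live 0x0000000000000000'
```

Running `missing_modules "$SAMPLE_MODULES"` prints nf_socket_ipv6 and nf_tproxy_ipv6; on a live host, `apply_tproxy_ruleset` (as root) does the same check against /proc/modules and then lets `nft -c` reject the rule before any change is made, which separates an nftables parser or kernel-support error from a typo in the rule itself.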