Re: Attempting to use tproxy on Centos 8 fails with 'No such file or directory'




On 2019-10-15 12:12 p.m., Nathan Coulson wrote:
I was working on a haproxy transparent proxy setup that we had working on Centos 7 (iptables), but running into issues getting tproxy working with NFTables on Centos 8.

From https://www.kernel.org/doc/Documentation/networking/tproxy.txt,

It should be a matter of:

# nft add table filter
# nft add chain filter divert "{ type filter hook prerouting priority -150; }"
# nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept

But when running the 3rd line (add rule), I get

root@kryptonite [/lib/modules/4.18.0-80.11.2.el8_0.x86_64]# nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
Error: Could not process rule: No such file or directory
add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

(In attempting to resolve this, I did the following)

modprobe nf_tproxy_ipv4
modprobe nf_tproxy_ipv6
modprobe nf_socket_ipv4
modprobe nf_socket_ipv6

I also noted that:
nft add rule filter divert meta l4proto tcp  meta mark set 1 accept (Removing socket transparent 1)

does not exit with a failure.

Also found https://bugzilla.redhat.com/show_bug.cgi?id=1651813 (which did make reference to the nftables version 0.9.0 possibly missing support; I have not tried compiling 0.9.1 yet, but I find it curious that the entire line fails with 'socket transparent 1', making me wonder if it is still a missing module).


Adding to this: I just did a loop through the netfilter modules to see if something was missing (no change):

for x in $(find /lib/modules/4.18.0-80.11.2.el8_0.x86_64  | grep netfilter | sed 's/.*netfilter.//' | sed 's/\.ko.*$//' | sort); do
  echo ">>>>>>$x<<<<<<<<"
  modprobe "$x"
  nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
done


--
Nathan Coulson
System Administrator for Bravenet Web Services
www.bravenet.com

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
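
Added example, not part of the original message: the nft "socket" and "tproxy" expressions are built from the kernel options CONFIG_NFT_SOCKET and CONFIG_NFT_TPROXY (modules nft_socket and nft_tproxy), which are separate from the nf_socket_* and nf_tproxy_* helper modules loaded above. This sketch reads a kernel build config and reports how each option is set; the function names, the sample config and the /boot/config path are assumptions made for the example.

```shell
#!/bin/sh
# Added diagnostic sketch, not code from the original post.

# nft_option_state CONFIG_FILE OPTION -> prints builtin | module | missing
nft_option_state() {
    cfg=$1
    opt=$2
    # /proc/config.gz style files are decompressed, plain files are read as-is.
    case $cfg in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    line=$($reader "$cfg" 2>/dev/null | grep -E "^${opt}=" | head -n 1)
    case $line in
        "${opt}=y") echo builtin ;;
        "${opt}=m") echo module ;;
        *)          echo missing ;;   # "# ... is not set" or absent entirely
    esac
}

# check_tproxy_support CONFIG_FILE -> returns 0 only if both options are enabled
check_tproxy_support() {
    rc=0
    for o in CONFIG_NFT_SOCKET CONFIG_NFT_TPROXY; do
        state=$(nft_option_state "$1" "$o")
        printf '%-20s %s\n' "$o" "$state"
        if [ "$state" = missing ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample config (not taken from any real kernel package).
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_NF_TABLES=m
CONFIG_NF_SOCKET_IPV4=m
# CONFIG_NFT_SOCKET is not set
CONFIG_NFT_TPROXY=m
EOF
check_tproxy_support "$sample" || echo "nf_tables socket/tproxy support incomplete"
rm -f "$sample"

# On a live host (usual distro location, an assumption):
#   check_tproxy_support "/boot/config-$(uname -r)"
```
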



