On 2019-10-15 12:46 p.m., Ljubomir Ljubojevic wrote:
> On 10/15/19 9:16 PM, Nathan Coulson wrote:
>> On 2019-10-15 12:12 p.m., Nathan Coulson wrote:
>>> I was working on a haproxy transparent proxy setup that we had working
>>> on Centos 7 (iptables), but running into issues getting tproxy working
>>> with NFTables on Centos 8.
>>>
>>> From https://www.kernel.org/doc/Documentation/networking/tproxy.txt,
>>> it should be a matter of:
>>>
>>> # nft add table filter
>>> # nft add chain filter divert "{ type filter hook prerouting priority -150; }"
>>> # nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
>>>
>>> But when running the 3rd line (add rule), I get
>>>
>>> root@kryptonite [/lib/modules/4.18.0-80.11.2.el8_0.x86_64]# nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
>>> Error: Could not process rule: No such file or directory
>>> add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>
>>> (In attempting to resolve this, I did the following)
>>> modprobe nf_tproxy_ipv4
>>> modprobe nf_tproxy_ipv6
>>> modprobe nf_socket_ipv4
>>> modprobe nf_socket_ipv6
>>>
>>> I also noted that:
>>> nft add rule filter divert meta l4proto tcp meta mark set 1 accept
>>> (Removing socket transparent 1)
>>> does not exit with a failure.
>>>
>>> Also found https://bugzilla.redhat.com/show_bug.cgi?id=1651813 (which
>>> did make reference to the nftables version 0.9.0 possibly missing
>>> support. I have not tried compiling 0.9.1 yet, but I find it curious
>>> the entire line fails with 'socket transparent 1', making me wonder if
>>> it is a missing module still).
>>
>> Adding to this: just did a loop through the netfilter modules to see if
>> something was missing (no change)
>>
>> for x in $(find /lib/modules/4.18.0-80.11.2.el8_0.x86_64 | grep netfilter | sed 's/.*netfilter.//' | sed 's/\.ko.*$//' | sort); do
>>     echo ">>>>>>$x<<<<<<<<"
>>     modprobe $x
>>     nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
>> done
>
> How is that solved for Fedora 28 that CentOS 8 is based on?
I can't say.

The ticket itself was obviously the same issue (I want to say that the
socket/tproxy nft modules were unloaded for the ticket owner), but the
modules in centos 8 are a touch different from what is described in the
ticket (not sure what they are without more research, but I was
suspecting that xt_TPROXY and xt_socket was what I may need, but they didn't
help).

It also made reference to nftables needing to be 0.9.1 vs 0.9.0, but I
did note the entire line was shown wrong, and that it does seem to take
'socket transparent 1' as a valid argument to that line (removing
transparent 1, it says it expects transparent to follow socket). So I don't
know how much that contributes.

(and then it transformed into kernel crashes when those nft rules were
added, which is at least currently not part of the issue)

Gut feeling would be a missing module, but I feel like I am missing part
of the puzzle for this.
--
Nathan Coulson
System Administrator for Bravenet Web Services
www.bravenet.com
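A pre-flight check for the two hypotheses raised in this thread (the modules tproxy.txt relies on not being loaded, or nftables being older than 0.9.1 as the bugzilla ticket suggests), written as an added example and not code from the thread or from any of its participants. It assumes the four modules modprobe'd above are the relevant ones, that `nft --version` prints `nftables vX.Y.Z (...)`, and uses a constructed /proc/modules sample; a rule that still fails with "No such file or directory" after this passes points at something outside this list, which is what the thread itself suspects.

```sh
#!/bin/sh
# Added example (not from the thread): pre-flight check for the nft tproxy rule.
# REQUIRED_MODULES is the list modprobe'd in the thread (from tproxy.txt) and
# MIN_NFT_VERSION the version the bugzilla ticket was quoted as requiring.
# Both are assumptions taken from the thread, not an exhaustive requirement list.
REQUIRED_MODULES="nf_socket_ipv4 nf_socket_ipv6 nf_tproxy_ipv4 nf_tproxy_ipv6"
MIN_NFT_VERSION="0.9.1"

# Constructed /proc/modules-style sample: only two of the four modules loaded.
SAMPLE_MODULES='nf_socket_ipv4 16384 0 - Live 0x0000000000000000
nf_tproxy_ipv4 16384 0 - Live 0x0000000000000000
nf_tables 163840 1 nft_compat, Live 0x0000000000000000'

# Print each required module that does not appear in the /proc/modules text ($1).
missing_modules() {
    loaded=$(printf '%s\n' "$1" | awk 'NF { print $1 }')
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$loaded" | grep -qx "$m" || echo "$m"
    done
}

# Succeed when dotted version $1 is at least $2 (numeric per field, so 0.9.10 >= 0.9.1).
version_ge() {
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$2" ]
}

# Extract "0.9.0" from output such as "nftables v0.9.0 (Fearless Fosdick)" (assumed format).
nft_version_from() {
    printf '%s\n' "$1" | sed -n 's/^nftables v\([0-9][0-9.]*\).*/\1/p'
}

# Live check against this host; runs only when invoked as: sh check_tproxy.sh --live
if [ "${1:-}" = "--live" ]; then
    for m in $(missing_modules "$(cat /proc/modules)"); do
        echo "not loaded: $m (try: modprobe $m)"
    done
    ver=$(nft_version_from "$(nft --version 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "nft not found or unrecognised version output"
    elif ! version_ge "$ver" "$MIN_NFT_VERSION"; then
        echo "nftables $ver is older than $MIN_NFT_VERSION"
    fi
fi
```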
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos