Hi All,

I've been working on implementing tproxy matching to nftables, and I'd like you to comment on the planned syntax and possibilities.

Basically I have planned an interface similar to nat statements with some restrictions.

tproxy [<ip(v6) address>][:<port>]

The restrictions (I can tell now):

- No ranges would be allowed: In some nat situations it can be useful, but I don't see the use-case where ranges would be necessary in either the address or port, as they are local destination data.
- I wouldn't allow host names or protocol names in the expressions (however, for now, I'm not sure how to implement this restriction), as these are all local data.

I plan to introduce this feature to ip/ip6/inet tables, and a syntax question has come up regarding this. In ip/ip6, the family to forward to (and match to) is trivial, but in inet it is not.

One possibility is to describe the protocol in the statement like `tproxy (ip|ip6) ...`. This can be necessary when using host names, but I think unnecessary if only canonical address format is accepted.

Another possibility is to figure out the family based on the given address; this seems to be feasible in the netlink_delinearize part and is sufficient if only canonical addresses are accepted.

A third option may be the mixture of the first two. Families of the canonical addresses are figured out, and protocol specification is required when a hostname is used.

I think if it is possible to avoid explicit protocol specification in the command, we should avoid it. A specific family would be passed to the kernel in each case.

What do you think about these?

Regards,
Máté