Once we agree on the syntax, I'll send the next version of the tests, too.

On Fri, Jun 29, 2018 at 04:38:47PM +0200, Máté Eckl wrote:
> v2:
> - tproxy statement without arguments is not supported
> - Add transport protocol matching criterion to address evaluation.
> - Specify network layer protocol in inet tables
>
> -- 8< --
> This patch adds support for transparent proxy functionality which is
> supported in ip, ip6 and inet tables.
>
> The syntax is the following:
>
>     tproxy [{|ip|ip6}] to {<ip address>|:<port>|<ip address>:<port>}
>
> It looks for a socket listening on the specified address or port and
> assigns it to the matching packet.
>
> In an inet table, a packet matches for both families until an address is
> specified.
> Network protocol family has to be specified **only** in inet tables if
> an address is specified.
>
> As transparent proxy support is implemented for sockets with layer 4
> information, a transport protocol header criterion has to be set in the
> same rule, e.g. 'meta l4proto tcp' or 'udp dport 4444'.
>
> Example ruleset:
>
>     table ip x {
>         chain y {
>             type filter hook prerouting priority -150; policy accept;
>             tcp dport ntp tproxy to 1.1.1.1
>             udp dport ssh tproxy to :2222
>         }
>     }
>     table ip6 x {
>         chain y {
>             type filter hook prerouting priority -150; policy accept;
>             tcp dport ntp tproxy to [dead::beef]
>             udp dport ssh tproxy to :2222
>         }
>     }
>     table inet x {
>         chain y {
>             type filter hook prerouting priority -150; policy accept;
>             tcp dport 321 tproxy to :ssh
>             tcp dport 99 tproxy ip to 1.1.1.1:999
>             udp dport 155 tproxy ip6 to [dead::beef]:smux
>         }
>     }
>
> Signed-off-by: Máté Eckl <ecklm94@xxxxxxxxx>
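The constraints the patch description states (no argument-less tproxy, family keyword required in inet tables once an address is given, a transport protocol criterion in the same rule) can be checked before a ruleset is loaded. The linter below is an added example, not part of the patch or of nftables; the regular expressions, the function names and the sample ruleset (the inet table from the message plus two deliberately faulty rules) are my own construction.

```python
import re
# Grammar from the patch: tproxy [ip|ip6] to {<ip address>|:<port>|<ip address>:<port>}
TPROXY_RE = re.compile(r"\btproxy(?:\s+(?P<family>ip6|ip))?\s+to\s+(?P<target>\S+)$")
# Target: IPv4 dotted quad or [IPv6], optionally followed by :port (number or service name).
TARGET_RE = re.compile(r"^(?:(?P<v4>\d{1,3}(?:\.\d{1,3}){3})|\[(?P<v6>[0-9a-fA-F:]+)\])?"
                       r"(?::(?P<port>[A-Za-z0-9-]+))?$")
# Transport protocol criterion required in the same rule ('meta l4proto tcp', 'udp dport 4444').
L4_RE = re.compile(r"\b(?:meta l4proto \w+|(?:tcp|udp|sctp|dccp) \w+port\b)")
TABLE_RE = re.compile(r"^\s*table\s+(?P<family>ip6|ip|inet)\s+\S+\s*\{")

def check_tproxy_rule(table_family, rule):
    """Return the constraint violations for one rule; an empty list means it is acceptable."""
    m = TPROXY_RE.search(rule.strip())
    if not m:
        return ["tproxy statement is missing or has no arguments"]
    t = TARGET_RE.match(m.group("target"))
    if not t or not (t.group("v4") or t.group("v6") or t.group("port")):
        return ["tproxy target must be <address>, :<port> or <address>:<port>"]
    problems, family = [], m.group("family")
    if table_family == "inet" and (t.group("v4") or t.group("v6")) and family is None:
        problems.append("inet table: 'ip' or 'ip6' is required when an address is specified")
    if (family == "ip" and t.group("v6")) or (family == "ip6" and t.group("v4")):
        problems.append("address family does not match the tproxy family keyword")
    if not L4_RE.search(rule):
        problems.append("no transport protocol criterion in the same rule")
    return problems

def check_ruleset(text):
    """Walk an nft ruleset; return [(line_no, problems)] for every faulty tproxy rule."""
    family, findings = None, []
    for no, line in enumerate(text.splitlines(), 1):
        tm = TABLE_RE.match(line)
        if tm:
            family = tm.group("family")
        elif "tproxy" in line:
            problems = check_tproxy_rule(family, line)
            if problems:
                findings.append((no, problems))
    return findings

# Constructed sample: one valid rule from the patch plus two deliberately faulty ones.
SAMPLE = """\
table inet x {
    chain y {
        tcp dport 99 tproxy ip to 1.1.1.1:999
        tcp dport 80 tproxy to 10.0.0.1:8080
        ip daddr 10.0.0.0/8 tproxy ip to :3128
    }
}
"""
```

Running `check_ruleset(SAMPLE)` reports line 4 (address given in an inet table without `ip`/`ip6`) and line 5 (no transport protocol criterion); the three example tables from the message pass cleanly.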