Signed-off-by: Máté Eckl <ecklm94@xxxxxxxxx> --- doc/nft.xml | 119 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 119 insertions(+) diff --git a/doc/nft.xml b/doc/nft.xml index ef1b2c4..0cf3dcc 100644 --- a/doc/nft.xml +++ b/doc/nft.xml 
@@ -5341,6 +5341,125 @@ add rule nat prerouting tcp dport 22 redirect to :2222 </para> </refsect2> + <refsect2> + <title>tproxy statements</title> + <para> + Tproxy redirects the packet to a local socket + without changing the packet header in any way. + If any of the arguments is missing the data of + the incoming packet is used as parameter. + Tproxy matching requires another rule that ensures + the presence of transport protocol header is specified. + </para> + <para> + <cmdsynopsis> + <command>tproxy</command> + <arg choice="none">to</arg> + <arg choice="none"><replaceable>address</replaceable></arg> + <arg choice="none">:<replaceable>port</replaceable></arg> + </cmdsynopsis> + <cmdsynopsis> + <command>tproxy</command> + <arg choice="none">to</arg> + <group choice="req"> + <arg><replaceable>address</replaceable></arg> + <arg>:<replaceable>port</replaceable></arg> + </group> + </cmdsynopsis> + </para> + <para> + This syntax can be used in <literal>ip/ip6</literal> tables where + network layer protocol is obvious. Either ip address or port can + be specified, but at least one of them is necessary. + </para> + <para> + <cmdsynopsis> + <command>tproxy</command> + <group choice="req"> + <arg>ip</arg> + <arg>ip6</arg> + </group> + <arg choice="none">to</arg> + <arg choice="none"><replaceable>address</replaceable></arg> + <arg choice="opt" >:<replaceable>port</replaceable></arg> + </cmdsynopsis> + <cmdsynopsis> + <command>tproxy</command> + <arg choice="none">to</arg> + <arg choice="none" >:<replaceable>port</replaceable></arg> + </cmdsynopsis> + </para> + <para> + This syntax can be used in <literal>inet</literal> tables. The + <literal>ip/ip6</literal> parameter defines the family the rule + will match. The <literal>address</literal> parameter must be of + this family. + When only <literal>port</literal> is defined, the address family + should not be specified. In this case the rule will match for both + families. 
+ </para> + <para> + <table frame="all"> + <title>tproxy attributes</title> + <tgroup cols='2' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <thead> + <row> + <entry>Name</entry> + <entry>Description</entry> + </row> + </thead> + <tbody> + <row> + <entry>address</entry> + <entry> + IP address the listening socket with IP_TRANSPARENT + option is bound to. + </entry> + </row> + <row> + <entry>port</entry> + <entry> + Port the listening socket with IP_TRANSPARENT + option is bound to. + </entry> + </row> + </tbody> + </tgroup> + </table> + </para> + <para> + <example> + <title>Example ruleset for tproxy statement</title> + <programlisting> +table ip x { + chain y { + type filter hook prerouting priority -150; policy accept; + tcp dport ntp tproxy to 1.1.1.1 + udp dport ssh tproxy to :2222 + } +} +table ip6 x { + chain y { + type filter hook prerouting priority -150; policy accept; + tcp dport ntp tproxy to [dead::beef] + udp dport ssh tproxy to :2222 + } +} +table inet x { + chain y { + type filter hook prerouting priority -150; policy accept; + tcp dport 321 tproxy to :ssh + tcp dport 99 tproxy ip to 1.1.1.1:999 + udp dport 155 tproxy ip6 to [dead::beef]:smux + } +} + </programlisting> + </example> + </para> + </refsect2> + <refsect2> <title>Flow offload statement</title> <para> -- ecklm
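Review bot: the opening paragraph of the new tproxy section is hard to parse and never states the requirement the example depends on. "If any of the arguments is missing the data of the incoming packet is used as parameter" and "Tproxy matching requires another rule that ensures the presence of transport protocol header is specified" should be reworded along the lines of "If an argument is omitted, the corresponding value from the incoming packet is used" and "The statement must be preceded by a match that guarantees a transport header is present, such as the tcp dport and udp dport matches in the example", so the reader sees why every example rule starts with a port match. Related: all three example chains use "hook prerouting", but the text does not say whether the statement is limited to that hook, which someone copying the example into another chain would want to know. Two style points in the same hunk: <arg choice="opt" > has a stray space before ">" that the other <arg> elements do not, and the title "tproxy statements" is plural and lowercase while the adjacent "Flow offload statement" is singular and capitalised; the new section should follow the existing heading style.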