On Mon, Jul 09, 2018 at 05:40:38PM +0200, Pablo Neira Ayuso wrote:
> Hi Máté,
>
> On Thu, Jun 28, 2018 at 06:42:58PM +0200, Máté Eckl wrote:
> > v2:
> > - address or port is now compulsory
> > - nf_defrag_ipv{4,6}_enable called in init
> > - nft_tproxy now selects NF_DEFRAG_IPV4/6
> > - Add transport header presence test in ipv4 eval (in ipv6 it was
> > already present)
> > - Add check for the case when address is specified but the rule family
> > is not set accordingly
> >
> > -- 8< --
> > A great portion of the code is taken from xt_TPROXY.c
> >
> > There are some changes compared to the iptables implementation:
> > - tproxy statement is not terminal here
>
> Looks good to me, thanks.
I don't know how this works yet, but this code will fail to compile once
'netfilter: nf_tproxy: fix possible non-linear access to transport header' patch
is merged from the nf tree.
Also based on the '[PATCH] netfilter: NFT_SOCKET don't use NF_SOCKET_IPV6
without NF_TABLES_IPV6' thread I might need to change the IS_ENABLED macros to
NF_TABLES_IPV6 in a next version of the patch.
I'll have to change one anyways. So please wait for v4 patch before applying.
> Please, could you describe how you have tested the nft tproxy
> datapath? Did you run any example configuration to make sure things
> are working? If so, please slightly describe.
>
> Thanks.
I used the tcprdr [2] as a proxy software at point X, netcat (OpenBSD version
that can handle IPv6) as a server at point Z, and telnet as a clinet at point Y.
See the topology at [1].
The config of X was the following:
# ip rule add fwmark 1 lookup 100
# ip route add local 0.0.0.0/0 dev lo table 100
# ip -6 rule add fwmark 1 lookup 100
# ip -6 route add local ::/0 dev lo table 100
# nft -f testrules
# cat testrules
table inet x {
chain y {
type filter hook prerouting priority -150; policy accept;
meta l4proto tcp socket transparent 1 mark set 0x00000001 accept
tcp dport http tproxy to :50080 mark set 0x00000001 accept
}
}
# ./tcprdr -4 -t -T 50080 192.0.2.130 80
and for ipv6
# ./tcprdr -6 -t -T 50080 2001:db8:0:1::2 80
Commands on Z:
# nc -l -p 80
and for ipv6
# nc -6 -l -p 80
Z also had routes to Y via X.
Commands on Y:
# telnet 192.0.2.3 80
# telnet 2001:db8:0:0::3 80
I also tried how it works when tproxy target address is specified (tcprdr -L can
be used for it) and protocol-specific cases too.
Proof at point X:
# ss -tpn
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.0.2.3:22 192.0.2.1:45006 users:(("sshd",pid=452,fd=3))
ESTAB 0 0 [2001:db8::3]:80 [2001:db8::1]:51900 users:(("tcprdr",pid=534,fd=4))
ESTAB 0 0 [2001:db8::1]:51900 [2001:db8:0:1::2]:80 users:(("tcprdr",pid=534,fd=5))
Regarding the code, I added some checks to during the debugging which could
occur with a non-nft frontend, but now they are checked.
[1]:
IPv4:
+---+ .129 .130 +---+
(proxy) | X |--------------------| Z | (server)
+---+ 192.0.2.128/25 +---+
| .3
|
| 192.0.2.0/25
|
| .1
+---+
| Y | (client)
+---+
IPv6:
+---+ :1 :2 +---+
(proxy) | X |--------------------| Z | (server)
+---+ 2001:db8:0:1::/64 +---+
| :3
|
| 2001:db8:0:0::/64
|
| :1
+---+
| Y | (client)
+---+
X and Z are VirtualBox VMs
[2]: https://git.breakpoint.cc/cgit/fw/tcprdr.git/
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
