On Sat, Aug 29, 2020 at 09:04:01AM +0200, Balazs Scheidler wrote:
> iptables had a "-m socket --transparent" which didn't match sockets that are
> bound to all addresses (e.g. 0.0.0.0 for ipv4, and ::0 for ipv6). It was
> possible to override this behavior by using --nowildcard, in which case it
> did match zero bound sockets as well.
>
> The issue is that nftables never included the wildcard check, so in effect
> it behaved like "iptables -m socket --transparent --nowildcard" with no
> means to exclude wildcarded listeners.
>
> This is a problem as a user-space process that binds to 0.0.0.0:<port> that
> enables IP_TRANSPARENT would effectively intercept traffic going in _any_
> direction on the specific port, whereas in most cases, transparent proxies
> would only need this for one specific address.
>
> The solution is to add "socket wildcard" key to the nft_socket module, which
> makes it possible to match on the wildcardness of a socket from
> one's ruleset.
>
> This is how to use it:
>
> table inet haproxy {
>     chain prerouting {
>         type filter hook prerouting priority -150; policy accept;
>         socket transparent 1 socket wildcard 0 mark set 0x00000001
>     }
> }
>
> This patch effectively depends on its counterpart in the kernel.

Applied, thanks.
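The following is an added illustration, not code from the patch or from the netfilter tree: a small user-space model of what the quoted ruleset decides. It mimics the listener lookup the kernel performs (an exact local-address match is preferred over a socket bound to 0.0.0.0 or ::), then evaluates "socket transparent 1" with and without the new "socket wildcard" key. The Listener type, the lookup function and the sample listeners are assumptions made for the example; the point it demonstrates is the one in the message above: without the wildcard check, a transparent proxy bound to 0.0.0.0:8080 causes the rule to fire for traffic to any address on that port, while "socket wildcard 0" restricts the match to proxies bound to one specific address.

```python
"""Model of nft 'socket transparent' / 'socket wildcard' match semantics (example only)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Listener:
    """A listening socket as the matcher sees it (hypothetical type for this example)."""
    addr: str          # bound local address, e.g. "0.0.0.0", "10.0.0.1" or "::"
    port: int
    transparent: bool  # whether IP_TRANSPARENT is set on the socket


def is_wildcard(addr: str) -> bool:
    """True for the unspecified address: 0.0.0.0 for IPv4, :: (::0) for IPv6."""
    return ipaddress.ip_address(addr).is_unspecified


def lookup_listener(listeners: List[Listener], dst_addr: str, dst_port: int) -> Optional[Listener]:
    """Approximate the kernel listener lookup: same family and port, exact address beats wildcard."""
    dst = ipaddress.ip_address(dst_addr)
    wildcard_hit = None
    for sk in listeners:
        if sk.port != dst_port:
            continue
        local = ipaddress.ip_address(sk.addr)
        if local.version != dst.version:
            continue
        if local == dst:
            return sk                     # exact bind always wins
        if local.is_unspecified and wildcard_hit is None:
            wildcard_hit = sk             # remember the first wildcard bind as fallback
    return wildcard_hit


def rule_matches(listeners: List[Listener], dst_addr: str, dst_port: int,
                 wildcard_key: Optional[bool]) -> bool:
    """Evaluate 'socket transparent 1' followed by an optional 'socket wildcard <0|1>'.

    wildcard_key=None models the pre-patch nft_socket (equivalent to iptables
    '-m socket --transparent --nowildcard'): any transparent listener matches.
    wildcard_key=False models 'socket wildcard 0', wildcard_key=True 'socket wildcard 1'.
    """
    sk = lookup_listener(listeners, dst_addr, dst_port)
    if sk is None or not sk.transparent:
        return False
    if wildcard_key is None:
        return True
    return is_wildcard(sk.addr) == wildcard_key


def intercepted(listeners: List[Listener], flows: List[Tuple[str, int]],
                wildcard_key: Optional[bool]) -> List[Tuple[str, int]]:
    """Return the (dst_addr, dst_port) flows the rule would mark for the proxy."""
    return [f for f in flows if rule_matches(listeners, f[0], f[1], wildcard_key)]


# Constructed sample data for the example.
WILDCARD_PROXY = [Listener("0.0.0.0", 8080, True)]             # proxy bound to all addresses
SPECIFIC_PROXY = [Listener("10.0.0.1", 8080, True),            # proxy bound to one address
                  Listener("0.0.0.0", 8080, False)]            # ordinary, non-transparent service
FLOWS = [("10.0.0.1", 8080), ("192.0.2.7", 8080), ("10.0.0.1", 443)]

if __name__ == "__main__":
    for label, listeners in (("wildcard-bound proxy", WILDCARD_PROXY),
                             ("specific-bound proxy", SPECIFIC_PROXY)):
        print(label)
        print("  old nft_socket (no wildcard check):", intercepted(listeners, FLOWS, None))
        print("  socket wildcard 0:                 ", intercepted(listeners, FLOWS, False))
        print("  socket wildcard 1:                 ", intercepted(listeners, FLOWS, True))
```

With the wildcard-bound proxy, the old behaviour marks traffic to both 10.0.0.1:8080 and 192.0.2.7:8080, while "socket wildcard 0" marks neither; with the proxy bound to 10.0.0.1 only that destination is marked under "socket wildcard 0", and the non-transparent wildcard service never causes a match.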