tproxy action must be terminal since the intent of the user to steal the traffic and redirect to the port. Align this behaviour to iptables to make it easier to migrate by issuing NF_ACCEPT for packets that are redirect to userspace process socket. Otherwise, NF_DROP packet if socket transparent flag is not set on.
Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support")
Reported-by: Antonio Ojea <antonio.ojea.garcia@xxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 net/netfilter/nft_tproxy.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c
index 71412adb73d4..f3b563c379d8 100644
--- a/net/netfilter/nft_tproxy.c
+++ b/net/netfilter/nft_tproxy.c
@@ -74,10 +74,13 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr,
 skb->dev, NF_TPROXY_LOOKUP_LISTENER);
 }
 
- if (sk && nf_tproxy_sk_is_transparent(sk))
+ if (sk && nf_tproxy_sk_is_transparent(sk)) {
 nf_tproxy_assign_sock(skb, sk);
- else
- regs->verdict.code = NFT_BREAK;
+ regs->verdict.code = NF_ACCEPT;
+ return;
+ }
+
+ regs->verdict.code = NF_DROP;
 }
 
 #if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
@@ -147,10 +150,13 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr,
 }
 
 /* NOTE: assign_sock consumes our sk reference */
- if (sk && nf_tproxy_sk_is_transparent(sk))
+ if (sk && nf_tproxy_sk_is_transparent(sk)) {
 nf_tproxy_assign_sock(skb, sk);
- else
- regs->verdict.code = NFT_BREAK;
+ regs->verdict.code = NF_ACCEPT;
+ return;
+ }
+
+ regs->verdict.code = NF_DROP;
 }
 #endif
-- 
2.30.2
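Review bot: The v4 hunk adds the terminal verdict without the reference-ownership note that the v6 hunk already carries (`/* NOTE: assign_sock consumes our sk reference */`); the same comment belongs directly above the new `if (sk && nf_tproxy_sk_is_transparent(sk)) {` in nft_tproxy_eval_v4, since the ownership hand-off is what makes the early `return` after `NF_ACCEPT` correct. A why-comment on the fall-through would also help the next reader, because a bare `regs->verdict.code = NF_DROP;` for a packet that merely has no transparent listener reads like an accident rather than the intended iptables-compatible terminal behaviour: `/* Terminal like iptables TPROXY: no transparent socket means drop, never fall through to later rules. */`. The socket lookup that produces sk, and the start of nft_tproxy_eval_v4, lie outside the hunk, so whether every lookup path leaves sk owned by this function cannot be confirmed from the diff alone.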
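Review bot: After this change nft_tproxy_eval_v4 and nft_tproxy_eval_v6 end with the same seven-line verdict tail (transparent-socket check, assign, `NF_ACCEPT`, early return, `NF_DROP`), which is a point of style rather than correctness. Factoring that tail into one static helper keeps the two paths from drifting apart again, which is exactly what happened here where only the v6 side carried the ownership comment. The helper would be called as `nft_tproxy_verdict(regs, skb, sk);` at the end of both eval functions; the lookup code above it, which starts outside the hunk, is untouched.
```c
/*
 * Terminal verdict shared by the v4 and v6 paths: a transparent socket
 * takes the packet (assign_sock consumes our sk reference), anything
 * else is dropped, mirroring iptables TPROXY.
 */
static void nft_tproxy_verdict(struct nft_regs *regs, struct sk_buff *skb,
			       struct sock *sk)
{
	if (sk && nf_tproxy_sk_is_transparent(sk)) {
		nf_tproxy_assign_sock(skb, sk);
		regs->verdict.code = NF_ACCEPT;
		return;
	}

	regs->verdict.code = NF_DROP;
}

/* … unchanged: socket lookup in nft_tproxy_eval_v6 … */
	nft_tproxy_verdict(regs, skb, sk);
```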