Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> tproxy action must be terminal since the intent of the user is to steal the
> traffic and redirect it to the port.
> Align this behaviour to iptables to make it easier to migrate by issuing
> NF_ACCEPT for packets that are redirected to the userspace process socket.
> Otherwise, NF_DROP the packet if the socket transparent flag is not set.

The nonterminal behaviour is intentional. This change will likely break
existing setups.

  nft add rule filter divert tcp dport 80 tproxy to :50080 meta mark set 1 accept

This is a documented example.
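The complete setup that documented rule belongs to, as an added illustration that is not part of this thread (it follows the nftables wiki transparent-proxy example; the table and chain names and port numbers match the rule above, the routing table number 100 is an arbitrary choice):

```nft
#!/usr/sbin/nft -f
# Added example (not from this mail thread): the tproxy divert chain in
# nft -f syntax. Assumes a proxy is listening on TCP port 50080 on this
# host with the IP_TRANSPARENT socket option set; without that flag the
# kernel has no transparent socket to hand the flow to.
table ip filter {
    chain divert {
        type filter hook prerouting priority -150; policy accept;

        # tproxy is non-terminal: after the packet is steered to the local
        # socket, evaluation continues and sets the fwmark that the policy
        # routing below relies on to deliver the packet locally; only the
        # final accept ends traversal of this chain. A terminal tproxy
        # would never reach "meta mark set 1".
        tcp dport 80 tproxy to :50080 meta mark set 1 accept
    }
}

# Routing side, run once from a shell (table 100 is an assumption):
#   ip rule add fwmark 1 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
```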