Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > Hmm. Looking at nft_nat.c, 'accept' seems consistent with what nat
> > statements do implicitly.
>
> Yes, and xt_TPROXY does NF_ACCEPT.
>
> On the other hand, I can see it does NF_DROP if socket is not
> transparent, it does NFT_BREAK instead, so policy keeps evaluating the
> packet.

Yes, this is more flexible since you can log+drop for instance in next
rule(s) to alert that proxy isn't running for example.

> > > is this sufficient in your opinion? If so, I made this quick update
> > > for man nft(8).
> >
> > Acked-by: Phil Sutter <phil@xxxxxx>
> >
> > In addition to that, I will update tproxy_tg_xlate() in iptables.git to
> > emit a verdict, too.
>
> Thanks, this is very convenient.

Agreed, it should append the accept keyword in the translator.
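The behaviour discussed above, as an added ruleset example that is not part of the thread or of the nft(8) patch: the nft tproxy statement sets no verdict on success and returns NFT_BREAK when no transparent socket is found, so a rule without an explicit accept falls through to the next rule either way. The table name, the proxy port 1080 and the mark value 1 are arbitrary choices for illustration.

```nft
# Added example (not from the thread): tproxy without a verdict keeps the
# chain evaluating, so append 'accept' explicitly and use the fallthrough
# to log+drop when no transparent socket is listening.
table inet tproxy_demo {
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;

        # Weak form: no verdict. A redirected packet still continues to the
        # following rules, which is rarely what the author intended.
        # tcp dport 80 tproxy to :1080 meta mark set 1

        # Corrected form: redirect to the local proxy on port 1080, set the
        # mark used for policy routing, then terminate with accept.
        tcp dport 80 tproxy to :1080 meta mark set 1 accept

        # Reached only when tproxy did not find a transparent socket
        # (NFT_BREAK skips the rest of the rule above), i.e. the proxy is
        # not running: alert and drop instead of silently forwarding.
        tcp dport 80 log prefix "tproxy: no proxy listening " drop
    }
}
```

Because NFT_BREAK stops evaluation of the current rule only, the `meta mark set 1 accept` part of the corrected rule never runs when the socket lookup fails, and the log+drop rule is the first thing the packet hits next; an xt_TPROXY rule translated with an appended accept keyword behaves the same way on the success path.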