iptables TPROXY issues NF_ACCEPT while nftables tproxy allows for post-processing. Update examples. For more info, see: https://lore.kernel.org/netfilter-devel/ZuSh_Io3Yt8LkyUh@xxxxxxxxxxxxx/T/ Acked-by: Phil Sutter <phil@xxxxxx> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> --- doc/statements.txt | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/doc/statements.txt b/doc/statements.txt index 5becf0cbdbcf..386505481d3a 100644 --- a/doc/statements.txt +++ b/doc/statements.txt 
@@ -583,27 +583,45 @@ this case the rule will match for both families. table ip x { chain y { type filter hook prerouting priority mangle; policy accept; - tcp dport ntp tproxy to 1.1.1.1 - udp dport ssh tproxy to :2222 + tcp dport ntp tproxy to 1.1.1.1 accept + udp dport ssh tproxy to :2222 accept } } table ip6 x { chain y { type filter hook prerouting priority mangle; policy accept; - tcp dport ntp tproxy to [dead::beef] - udp dport ssh tproxy to :2222 + tcp dport ntp tproxy to [dead::beef] accept + udp dport ssh tproxy to :2222 accept } } table inet x { chain y { type filter hook prerouting priority mangle; policy accept; - tcp dport 321 tproxy to :ssh - tcp dport 99 tproxy ip to 1.1.1.1:999 - udp dport 155 tproxy ip6 to [dead::beef]:smux + tcp dport 321 tproxy to :ssh accept + tcp dport 99 tproxy ip to 1.1.1.1:999 accept + udp dport 155 tproxy ip6 to [dead::beef]:smux accept } } ------------------------------------- +Note that the tproxy statement is non-terminal to allow post-processing of +packets, such logging the packet for debugging. + +.Example ruleset for tproxy statement with logging +------------------------------------- +table t { + chain c { + type filter hook prerouting priority mangle; policy accept; + udp dport 9999 tproxy to :1234 log prefix "packet tproxied: " accept + log prefix "no socket on port 1234 or not transparent?: " drop + } +} +------------------------------------- + +This is a change in behavior compared to the legacy iptables TPROXY target +which is terminal. To terminate the packet processing after the tproxy +statement, remember to issue a verdict as in the example above. + SYNPROXY STATEMENT ~~~~~~~~~~~~~~~~~~ This statement will process TCP three-way-handshake parallel in netfilter -- 2.30.2
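Review bot: the second rule of the new logging example, `log prefix "no socket on port 1234 or not transparent?: " drop`, carries no match expression, so in a prerouting chain with `policy accept` it logs and drops every packet the first rule did not already accept, not only UDP port 9999 traffic that found no transparent socket; anyone who pastes the example as written blackholes all other inbound traffic on the host. Suggest qualifying it so the drop covers only the case the log prefix describes, e.g. `udp dport 9999 log prefix "no socket on port 1234 or not transparent?: " drop`, which also makes the example read as the intended pair "tproxy succeeded, accept" / "tproxy found no socket, fall through, drop". Minor: in the added note, "such logging the packet for debugging" should read "such as logging the packet for debugging".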