iptables TPROXY issues NF_ACCEPT while nftables tproxy allows for post-processing. Update examples. For more info, see: https://lore.kernel.org/netfilter-devel/ZuSh_Io3Yt8LkyUh@xxxxxxxxxxxxx/T/ Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> --- v3: small update to this example: +.Example ruleset for tproxy statement with logging and meta mark +------------------------------------- +table inet x { + chain y { + type filter hook prerouting priority mangle; policy accept; + udp dport 9999 goto { + tproxy to :1234 log prefix "packet tproxied: " meta mark set 1 accept + log prefix "no socket on port 1234 or not transparent?: " drop + } + } +} doc/statements.txt | 45 ++++++++++++++++++++++++++++++++++++++------- 1 file changed, 38 insertions(+), 7 deletions(-) diff --git a/doc/statements.txt b/doc/statements.txt index 5becf0cbdbcf..74af1d1a54e9 100644 --- a/doc/statements.txt +++ b/doc/statements.txt @@ -583,27 +583,58 @@ this case the rule will match for both families. table ip x { chain y { type filter hook prerouting priority mangle; policy accept; - tcp dport ntp tproxy to 1.1.1.1 - udp dport ssh tproxy to :2222 + tcp dport ntp tproxy to 1.1.1.1 accept + udp dport ssh tproxy to :2222 accept } } table ip6 x { chain y { type filter hook prerouting priority mangle; policy accept; - tcp dport ntp tproxy to [dead::beef] - udp dport ssh tproxy to :2222 + tcp dport ntp tproxy to [dead::beef] accept + udp dport ssh tproxy to :2222 accept } } table inet x { chain y { type filter hook prerouting priority mangle; policy accept; - tcp dport 321 tproxy to :ssh - tcp dport 99 tproxy ip to 1.1.1.1:999 - udp dport 155 tproxy ip6 to [dead::beef]:smux + tcp dport 321 tproxy to :22 accept + tcp dport 99 tproxy ip to 1.1.1.1:999 accept + udp dport 155 tproxy ip6 to [dead::beef]:smux accept } } ------------------------------------- +Note that the tproxy statement is non-terminal to allow post-processing of +packets. This allows packets to be logged for debugging as well as updating the +mark to ensure that packets are delivered locally through policy routing rules. + +.Example ruleset for tproxy statement with logging and meta mark +------------------------------------- +table inet x { + chain y { + type filter hook prerouting priority mangle; policy accept; + udp dport 9999 goto { + tproxy to :1234 log prefix "packet tproxied: " meta mark set 1 accept + log prefix "no socket on port 1234 or not transparent?: " drop + } + } +} +------------------------------------- + +As packet headers are unchanged, packets might be forwarded instead of delivered +locally. As mentioned above, this can be avoided by adding policy routing rules +and the packet mark. + +.Example policy routing rules for local redirection +---------------------------------------------------- +ip rule add fwmark 1 lookup 100 +ip route add local 0.0.0.0/0 dev lo table 100 +---------------------------------------------------- + +This is a change in behavior compared to the legacy iptables TPROXY target +which is terminal. To terminate the packet processing after the tproxy +statement, remember to issue a verdict as in the example above. + SYNPROXY STATEMENT ~~~~~~~~~~~~~~~~~~ This statement will process TCP three-way-handshake parallel in netfilter -- 2.30.2
