On Tue, Aug 18, 2020 at 01:25:45AM +0200, Nirgal Vourgère wrote:
> Maybe there's some magic in the old transparent module that silently adds some conditions?

Balazs cannot reply to the mailing list for some reason. He sent me this privately:

"The original iptables "socket" match had an extra check so that it wouldn't match listener sockets, at least by default (that is, if --nowildcard is not specified). I don't see however how an "outbound masqueraded connection" could be impacted. The "socket transparent 1" expression should require that the socket being matched has the IP_TRANSPARENT setsockopt set. Are those connections also initiated by haproxy?

In any case, I think the check to ignore wildcard-bound listener sockets is definitely missing; however, I am not sure how to properly add it to nftables. If I added it to the socket match implementation, that might break a few currently well-behaving use cases.

This is the check that is in iptables -m socket:

    wildcard = (!(info->flags & XT_SOCKET_NOWILDCARD) &&
                sk_fullsock(sk) &&
                inet_sk(sk)->inet_rcv_saddr == 0);

And then if --transparent is used, these sockets are not accepted / the rule does not match."
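To make the decision the quoted check encodes concrete, here is a small userspace model of the `-m socket` match semantics as Balazs describes them. This is an added example written for this post, not kernel code and not anything from the netfilter or haproxy projects: the `Sock` record and the `socket_match` function are stand-ins for the kernel's socket fields and the xt_socket match, and the `XT_SOCKET_*` bit values are assumed constants chosen here for illustration. It shows why a transparent listener bound to 0.0.0.0 is skipped by default, and what `--nowildcard` and `--transparent` each change.

```python
"""Model of the iptables -m socket wildcard/transparent decision (example, not kernel code)."""
from dataclasses import dataclass

# Match option bits; names follow the iptables options, values are assumed for this model.
XT_SOCKET_TRANSPARENT = 1 << 0   # --transparent
XT_SOCKET_NOWILDCARD = 1 << 1    # --nowildcard


@dataclass
class Sock:
    """Minimal stand-in for the socket fields the match inspects."""
    rcv_saddr: str        # bound local address; "0.0.0.0" is a wildcard bind
    fullsock: bool        # False for TIME_WAIT / request minisocks (sk_fullsock)
    transparent: bool     # whether IP_TRANSPARENT was set with setsockopt


def socket_match(sk, flags):
    """Return True when `sk` satisfies the socket match with the given option bits.

    wildcard:    a full socket bound to 0.0.0.0 is ignored unless --nowildcard is given
                 (this is the inet_rcv_saddr == 0 check quoted above)
    transparent: with --transparent the socket must carry IP_TRANSPARENT
    """
    if sk is None:                       # no socket found for the packet: no match
        return False
    wildcard = (not (flags & XT_SOCKET_NOWILDCARD)
                and sk.fullsock
                and sk.rcv_saddr == "0.0.0.0")
    transparent = True                   # only enforced when --transparent is present
    if flags & XT_SOCKET_TRANSPARENT:
        transparent = sk.transparent
    return (not wildcard) and transparent


def decision_table():
    """Evaluate a few constructed sockets against common rule variants."""
    sockets = {
        "wildcard transparent listener": Sock("0.0.0.0", True, True),
        "bound transparent socket":      Sock("10.0.0.5", True, True),
        "bound ordinary socket":         Sock("10.0.0.5", True, False),
        "wildcard ordinary listener":    Sock("0.0.0.0", True, False),
    }
    rules = {
        "socket":                        0,
        "socket transparent":            XT_SOCKET_TRANSPARENT,
        "socket transparent nowildcard": XT_SOCKET_TRANSPARENT | XT_SOCKET_NOWILDCARD,
    }
    return {(s, r): socket_match(sk, bits)
            for s, sk in sockets.items()
            for r, bits in rules.items()}


if __name__ == "__main__":
    for (sock_name, rule_name), matched in sorted(decision_table().items()):
        print(f"{sock_name:32} {rule_name:32} -> {'match' if matched else 'no match'}")
```

The row to look at is the wildcard transparent listener: with plain `socket transparent` it does not match, which is exactly the behaviour the nftables expression is missing; adding `nowildcard` is what makes such a listener match again.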