Why tproxy to 127.0.0.1:port doesn't make packets go through the input chain with iifname lo?

Hi,

I think I mostly understand how TPROXY works, thanks to Máté’s super helpful article [1].

However, I still don't understand how the "to address:port" part works. Given this rule:

nft add rule nat prerouting iifname lan tproxy to 127.0.0.1:1234 meta mark set 1 accept

And this policy based routing:

ip rule add mark 1 lookup 100
ip route add local default dev lo table 100

When does a packet arriving on "lan" get redirected to 127.0.0.1:1234? Is it before or after the routing decision? It seems it should be after, but from trace, it shows that the packet goes through the input chain and its iifname is lan. Since tproxy redirects it to 127.0.0.1, shouldn't it be "lo" instead?

I wonder what the flow chart is like? My current guess is that packets arriving on "lan" first get routed to "lo", because of the mark and the policy routing, then tproxy redirects it to 127.0.0.1:1234, but again, this is probably wrong given iifname being lan. I also wonder whether <addr> and <interface> have to match in "tproxy to <addr>:port" and "dev <interface> table 100"? What is the flow chart like if they don't?

PS: In my case, lan is actually an XFRM interface, not sure if that matters.

Could someone offer some pointers? Thanks in advance.

[1] https://gsoc-blog.ecklm.com/iptables-redirect-vs.-dnat-vs.-tproxy/
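An added illustration of the user-space side of the rule above (example code, not part of the post or of any project it names): tproxy does not rewrite the destination the way DNAT does; it only steers the packet to a transparent socket, and the local route in table 100 delivers it locally, so the packet keeps its original addresses and ingress interface. The listener below therefore sees the client's original destination via getsockname(), not 127.0.0.1:1234. It assumes Linux, CAP_NET_ADMIN for the IP_TRANSPARENT option, and the rule's 127.0.0.1:1234 listener address.

```python
import socket

# IP_TRANSPARENT is 19 on Linux; older Python builds lack the constant.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def make_tproxy_listener(host="127.0.0.1", port=1234, transparent=True):
    """Listening socket that 'tproxy to host:port' steers packets to.

    IP_TRANSPARENT lets the socket accept connections whose destination
    is not a local address: the packet is not rewritten by tproxy, it is
    only attached to this socket, so it still carries its original dst.
    Setting the option needs CAP_NET_ADMIN (assumption: run as root).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if transparent:
        s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    s.bind((host, port))
    s.listen(16)
    return s


def describe_connection(conn):
    """Return (client, original_destination) for an accepted connection.

    On a transparent socket getsockname() is the address the client
    actually dialed (e.g. a host behind "lan"), not 127.0.0.1:1234; a
    proxy uses that address to open its upstream leg.
    """
    client = conn.getpeername()
    original_dst = conn.getsockname()
    return client, original_dst


def serve_one(listener):
    """Accept a single connection and report who dialed what."""
    conn, _ = listener.accept()
    with conn:
        return describe_connection(conn)


if __name__ == "__main__":
    # Real use (as root): pair with the nft tproxy rule, the fwmark rule
    # and the "local default dev lo table 100" route from the post.
    with make_tproxy_listener() as ls:
        print(serve_one(ls))
```

Without the tproxy rule and routing in place, only ordinary loopback connections reach the listener, which is enough to exercise describe_connection() unprivileged.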


