Hi Glen,

It's been a while but I'll try to reply to your questions inline.

Bests,
Máté

Glen Huang <heyhgl@xxxxxxxxx> wrote (on 2023. May 14., Sun, 9:24):
>
> Hi,
>
> I think I mostly understand how TPROXY works, thanks to Máté's super helpful article [1].
>
> However, I still don't understand how the "to address:port" part works. Given this rule:
>
> nft add rule nat prerouting iifname lan tproxy to 127.0.0.1:1234 meta mark set 1 accept
>
> And this policy based routing:
>
> ip rule add mark 1 lookup 100
> ip route add local default dev lo table 100
>
> When does a packet arriving on "lan" get redirected to 127.0.0.1:1234? Is it before or after the routing decision? It seems it should be after, but from trace, it shows that the packet goes through the input chain and its iifname is lan. Since tproxy redirects it to 127.0.0.1, shouldn't it be "lo" instead?

The rule is added to the prerouting table so the rule is applied before the routing decision. It's exactly because otherwise you wouldn't be able to route it to the localhost. You can't make a routing decision after it's already been made. And even though you do the redirection, the interface it entered the system through is still lan, not lo. (The first i in iifname stands for input.) The output interface may be lo because that's where your proxy is probably listening, but it's not quite important in the tproxy rule.

> I wonder what the flow chart is like? My current guess is that packets arriving on "lan" first get routed to "lo", because of the mark and the policy routing, then tproxy redirects it to 127.0.0.1:1234, but again, this is probably wrong given iifname being lan. I also wonder whether <addr> and <interface> have to match in "tproxy to <addr>:port" and "dev <interface> table 100"? What is the flow chart like if they don't?

As far as I remember, your description is true except for the confusion around the iifname value. It's just the input interface. It doesn't change on routing.
To be honest I'm not sure what the address is good for in the "tproxy to" part. Maybe it's useful if your proxy uses a listening address other than 0.0.0.0 or 127.0.0.1. So you could use "tproxy to 192.0.2.1" in case it's a local address too. What the routing interface would be in that case, I'm not sure. The examples in [2] only use a port number. Maybe someone else can help you out with this more precisely.

> PS: In my case, lan is actually an XFRM interface, not sure if that matters.
>
> Could someone offer some pointers? Thanks in advance.
>
> [1] https://gsoc-blog.ecklm.com/iptables-redirect-vs.-dnat-vs.-tproxy/

[2]: https://www.kernel.org/doc/Documentation/networking/tproxy.txt
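The thread discusses only the nftables and policy-routing side; the other half of a TPROXY setup is the proxy process that the "tproxy to 127.0.0.1:1234" rule delivers packets to. The following Python listener is an added example, not code from either poster or from the kernel documentation. It assumes a Linux host, a listener at 127.0.0.1:1234 (the port from the thread's rule), and CAP_NET_ADMIN for the IP_TRANSPARENT socket option. It shows the two things a practitioner usually wants to see: the accepted socket's local address is the client's original destination rather than the proxy's own address, and a transparent proxy must apply a destination policy before forwarding, because the destination is chosen by whoever sent the packet.

```python
import ipaddress
import socket

# IP_TRANSPARENT (value 19 on Linux) lets a socket accept connections whose
# destination is not a local address; tproxy.txt requires it on the proxy socket.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)

# Assumed listener endpoint, matching the rule quoted in the thread.
LISTEN_ADDR = ("127.0.0.1", 1234)


def original_destination(conn):
    """Return the (ip, port) the client actually connected to.

    For a TPROXY-redirected TCP connection the accepted socket's local address
    is the original destination, not the address the proxy is bound to.
    """
    host, port = conn.getsockname()[:2]
    return host, port


def forward_allowed(dst_ip, dst_port, listen_addr=LISTEN_ADDR):
    """Policy check to run before the proxy opens an upstream connection.

    A transparent proxy receives arbitrary destinations chosen by the client;
    refuse the ones that would turn it into a path to things it should not
    reach: loopback, link-local, multicast, the unspecified address, and its
    own listener (a loop back into the proxy).
    """
    addr = ipaddress.ip_address(dst_ip)
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return False
    if (dst_ip, dst_port) == listen_addr:
        return False
    return True


def make_listener(addr=LISTEN_ADDR):
    """Create the transparent listening socket (needs CAP_NET_ADMIN on Linux)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    s.bind(addr)
    s.listen(128)
    return s


if __name__ == "__main__":
    # Accept redirected connections and log the verdict for each; a real proxy
    # would open the upstream connection where "forward" is printed.
    srv = make_listener()
    print("listening on %s:%d with IP_TRANSPARENT" % LISTEN_ADDR)
    while True:
        conn, peer = srv.accept()
        with conn:
            dst_ip, dst_port = original_destination(conn)
            verdict = "forward" if forward_allowed(dst_ip, dst_port) else "refuse"
            print("%s:%d -> %s:%d : %s" % (peer[0], peer[1], dst_ip, dst_port, verdict))
```

With the nft rule and the two ip commands from the thread in place, the kernel's "local default dev lo table 100" route is what makes marked packets terminate in this socket even though their destination is not a local address; the proxy never sees the mark itself, it only sees the original destination via getsockname(). The policy check matters most when the listener is on a non-loopback address such as the 192.0.2.1 case mentioned above, since then the loopback test alone no longer excludes the proxy's own endpoint.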