[Bug 1398] tproxy rule is not matched for ip6

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Sat Aug 1 09:08:02 CEST 2020


https://bugzilla.netfilter.org/show_bug.cgi?id=1398

Balazs Scheidler <bazsi77 at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bazsi77 at gmail.com

--- Comment #1 from Balazs Scheidler <bazsi77 at gmail.com> ---
tproxy is not doing NAT, so it would only match in case there's an open socket
with IP_TRANSPARENT setsockopt set:

       IP_TRANSPARENT (since Linux 2.6.24)
              Setting this boolean option enables transparent proxying on
              this socket. This socket option allows the calling application
              to bind to a nonlocal IP address and operate both as a client
              and a server with the foreign address as the local endpoint.
              NOTE: this requires that routing be set up in a way that
              packets going to the foreign address are routed through the
              TProxy box (i.e., the system hosting the application that
              employs the IP_TRANSPARENT socket option). Enabling this socket
              option requires superuser privileges (the CAP_NET_ADMIN
              capability).

              TProxy redirection with the iptables TPROXY target also
              requires that this option be set on the redirected socket.


If either the socket is not found or the flag is not set, it will just break
out from the evaluation, thus the counters will not be processed.


quoting net/netfilter/nft_tproxy.c:

        if (sk && nf_tproxy_sk_is_transparent(sk))
                nf_tproxy_assign_sock(skb, sk);
        else
                regs->verdict.code = NFT_BREAK;

This might be a bit unintuitive, as this is actually an "error" condition which
is not reported in any way: for the rule to be processed successfully, the
userspace daemon needs to be running.
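As an added illustration of the socket-side requirement described in this comment (example code, not part of the bug report or of the kernel source): a listener that sets IP_TRANSPARENT (for ip) or IPV6_TRANSPARENT (for ip6) the way the tproxy statement expects, and reports whether the kernel actually accepted the option. The nft rule in the comment at the bottom is an assumed example rule, not one from the report.

```python
import socket

# Linux option numbers (include/uapi/linux/in.h, in6.h), used as fallback
# when the running Python build does not export the constant by name.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)
IPV6_TRANSPARENT = getattr(socket, "IPV6_TRANSPARENT", 75)

# nft-style family names -> (address family, setsockopt level, option)
_FAMILIES = {
    "ip": (socket.AF_INET, socket.IPPROTO_IP, IP_TRANSPARENT),
    "ip6": (socket.AF_INET6, socket.IPPROTO_IPV6, IPV6_TRANSPARENT),
}


def transparent_option(family):
    """Return (level, optname) of the transparent-proxy option for 'ip' or 'ip6'."""
    _, level, opt = _FAMILIES[family]
    return level, opt


def open_transparent_listener(family, addr, port):
    """Open the TCP listener a tproxy rule would hand packets to.

    Returns (sock, transparent). 'transparent' is True only if the kernel
    accepted IP_TRANSPARENT / IPV6_TRANSPARENT. Without it,
    nf_tproxy_sk_is_transparent() is false, the rule ends in NFT_BREAK,
    and its counters are never touched.
    """
    af, level, opt = _FAMILIES[family]
    sock = socket.socket(af, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        sock.setsockopt(level, opt, 1)
    except OSError:  # EPERM without CAP_NET_ADMIN (or option unsupported)
        transparent = False
    else:
        transparent = bool(sock.getsockopt(level, opt))
    sock.bind((addr, port))
    sock.listen(16)
    return sock, transparent


if __name__ == "__main__":
    # Assumed companion rule (example only, not from the report):
    #   tcp dport 80 tproxy ip6 to [::1]:8080 meta mark set 1 accept
    lsock, ok = open_transparent_listener("ip6", "::1", 8080)
    print("listening on", lsock.getsockname()[:2], "transparent:", ok,
          "(rule can match)" if ok else "(rule will NFT_BREAK)")
```

Run it as root on the proxy host to see `transparent: True`; as an unprivileged user the socket still listens, but the tproxy rule will not match it.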
