<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Transparent proxy support requires transport protocol match"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1686">1686</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Transparent proxy support requires transport protocol match
</td>
</tr>
<tr>
<th>Product</th>
<td>nftables
</td>
</tr>
<tr>
<th>Version</th>
<td>git (please specify your HEAD)
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>nft
</td>
</tr>
<tr>
<th>Assignee</th>
<td>pablo@netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>pablo@netfilter.org
</td>
</tr>
<tr>
<th>CC</th>
<td>me@black-desk.cn
</td>
</tr></table>
<p>
<div>
<pre>black_desk says:
"""
I wrote an nft script:
❯ cat test.nft
table inet test {
    set protos {
        typeof meta l4proto;
        elements = { tcp, udp }
    }
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto @protos tproxy to :1088
    }
}
When I pass it to nft:
❯ sudo nft -f ./test.nft
./test.nft:8:38-52: Error: Transparent proxy support requires transport protocol match
meta l4proto @protos tproxy to :1088
^^^^^^^^^^^^^^^
But it will work when I use an anonymous set:
❯ cat anonymous.nft
table inet test {
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto { tcp, udp } tproxy to :1088 mark set 0x1 accept
    }
}
This script works.
I checked the source and found that:
<a href="https://git.netfilter.org/nftables/tree/src/expression.c#n748">https://git.netfilter.org/nftables/tree/src/expression.c#n748</a>
<span class="quote">> ...
> else if (right->etype == EXPR_SET) {
> ...</span>
This `relational_expr_pctx_update` function only handles EXPR_SET, but not EXPR_SET_REF,
which leads to the function `stmt_evaluate_tproxy` failing at
<a href="https://git.netfilter.org/nftables/tree/src/evaluate.c#n3859">https://git.netfilter.org/nftables/tree/src/evaluate.c#n3859</a>
because `pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc` is unset.
"""</pre>
</div>
</p>
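<p>The report above shows the failing form (a tproxy rule whose transport-protocol match is a reference to a named set) and the working form (the same rule with an anonymous set). The script below is an added example, not code from the bug report or from the nftables project: it scans an nft script for tproxy rules that rely on <code>meta l4proto @set</code>, reports their line numbers, and rewrites them to the anonymous-set form by inlining the named set's elements. The sample ruleset is a constructed copy of the reporter's test.nft; the regular expressions assume plain identifier set names and a single-line <code>elements = { ... }</code> list, which is an assumption of this example rather than a property of nft syntax.</p>

```python
import re

# Constructed sample input (the reporter's test.nft, embedded here rather than read from disk):
# a named set of transport protocols referenced from a tproxy rule.
SAMPLE_NFT = """\
table inet test {
    set protos {
        typeof meta l4proto;
        elements = { tcp, udp }
    }
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto @protos tproxy to :1088
    }
}
"""

# Assumptions of this example: set names are plain identifiers (\w+) and the
# element list of a named set fits on one line.
SET_RE = re.compile(r"\bset\s+(?P<name>\w+)\s*\{(?P<body>.*?)\n\s*\}", re.DOTALL)
ELEMENTS_RE = re.compile(r"\belements\s*=\s*\{(?P<items>[^}]*)\}")
SET_REF_RE = re.compile(r"meta\s+l4proto\s+@(?P<name>\w+)")


def collect_sets(script):
    """Return {set_name: [element, ...]} for every named set that lists its elements."""
    sets = {}
    for m in SET_RE.finditer(script):
        em = ELEMENTS_RE.search(m.group("body"))
        if em:
            items = [i.strip() for i in em.group("items").split(",")]
            sets[m.group("name")] = [i for i in items if i]
    return sets


def find_affected_rules(script):
    """List (line_number, set_name) for tproxy rules whose transport-protocol match
    is a named-set reference, i.e. the shape nft rejects with
    'Transparent proxy support requires transport protocol match'."""
    hits = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        m = SET_REF_RE.search(line)
        if m and "tproxy" in line:
            hits.append((lineno, m.group("name")))
    return hits


def inline_l4proto_sets_for_tproxy(script):
    """Rewrite affected rules to the anonymous-set form the reporter found to work,
    built from the named set's elements. The set definition and any other
    reference to it are left untouched."""
    sets = collect_sets(script)
    out = []
    for line in script.splitlines():
        m = SET_REF_RE.search(line)
        if m and "tproxy" in line and m.group("name") in sets:
            anon = "{ " + ", ".join(sets[m.group("name")]) + " }"
            # m.start("name") - 1 is the position of the '@' introducing the reference
            line = line[:m.start("name") - 1] + anon + line[m.end("name"):]
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, name in find_affected_rules(SAMPLE_NFT):
        print(f"line {lineno}: tproxy rule relies on named set @{name}")
    print(inline_l4proto_sets_for_tproxy(SAMPLE_NFT))
```

<p>Run on the sample, the scan reports line 8 (matching the <code>test.nft:8</code> position in the reporter's error) and the rewrite emits <code>meta l4proto { tcp, udp } tproxy to :1088</code>. The rewritten script can be validated without loading it with <code>nft -c -f</code> (check mode); the named set still exists, so any other rule that references it keeps working.</p>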
</body>
</html>