[Bug 1686] New: Transparent proxy support requires transport protocol match
bugzilla-daemon at netfilter.org
Fri Jun 2 09:05:57 CEST 2023
https://bugzilla.netfilter.org/show_bug.cgi?id=1686
Bug ID: 1686
Summary: Transparent proxy support requires transport protocol match
Product: nftables
Version: git (please specify your HEAD)
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: pablo at netfilter.org
CC: me at black-desk.cn
black_desk says:
"""
I wrote a nft script:
❯ cat test.nft
table inet test {
	set protos {
		typeof meta l4proto;
		elements = { tcp, udp }
	}
	chain prerouting {
		type filter hook prerouting priority mangle; policy accept;
		meta l4proto @protos tproxy to :1088
	}
}
when I pass it to nft:
❯ sudo nft -f ./test.nft
./test.nft:8:38-52: Error: Transparent proxy support requires transport protocol match
		meta l4proto @protos tproxy to :1088
		                     ^^^^^^^^^^^^^^^
But it will work when I use anonymous set:
❯ cat anonymous.nft
table inet test {
	chain prerouting {
		type filter hook prerouting priority mangle; policy accept;
		meta l4proto { tcp, udp } tproxy to :1088 mark set 0x1 accept
	}
}
This script works.
I checked the source and I found that:
https://git.netfilter.org/nftables/tree/src/expression.c#n748
> ...
> else if (right->etype == EXPR_SET) {
> ...
This `relational_expr_pctx_update` function only handles EXPR_SET, but
not EXPR_SET_REF, which leads to the function `stmt_evaluate_tproxy` failing at
https://git.netfilter.org/nftables/tree/src/evaluate.c#n3859
because `pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc` is unset.
"""