[Bug 1773] tproxy with nftables collides with nat entries

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Sep 12 22:34:43 CEST 2024


https://bugzilla.netfilter.org/show_bug.cgi?id=1773

--- Comment #3 from Antonio Ojea <antonio.ojea.garcia at gmail.com> ---
> For the record, action is terminal in xt_TPROXY.

Yeah, exactly. I think this is a change in behavior that can make the
migration difficult.


> Does your socket have IP_TRANSPARENT set or not?


Phil, thanks for looking into it. I have IP_TRANSPARENT, the anyip route and
the ip rule set correctly. I can see in the logs of the transparent proxy that
the first connection is sent there, but since it is UDP, subsequent connections
with the same tuple are sent directly to the DNATed entries created by the
conntrack entries.


I've created a kselftest with a reproducer; however, the behavior I have with
this test is different: once I enable the DNAT rules, those always take
precedence. By removing the dnat rules in the test, the connection is correctly
proxied.
In production it is different, though: Kubernetes adds way more nftables rules
and a more complicated deployment.
