Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netfilter: doc: Add nf_tables part in tproxy.txt

Recently, transparent proxy support has been added to nf_tables, so
this document should be updated with the new information.

- Nft commands are added as alternatives to iptables ones.
- The link for a patched iptables is removed as it is already part of
the mainline iptables implementation (and the link is dead).
- tcprdr is added as an example implementation of a transparent proxy.

Cc: "David S. Miller" <davem@davemloft.net>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Florian Westphal <fw@strlen.de>
Cc: KOVACS Krisztian <hidden@sch.bme.hu>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: linux-doc@vger.kernel.org
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by Máté Eckl and committed by Pablo Neira Ayuso
1bfc2bc7 a148ce15

+27 -7
Documentation/networking/tproxy.txt
··· 5 5 To use it, enable the socket match and the TPROXY target in your kernel config. 6 6 You will need policy routing too, so be sure to enable that as well. 7 7 8 + From Linux 4.18 transparent proxy support is also available in nf_tables. 8 9 9 10 1. Making non-local sockets work 10 11 ================================ 11 12 12 13 The idea is that you identify packets with destination address matching a local 13 - socket on your box, set the packet mark to a certain value, and then match on that 14 - value using policy routing to have those packets delivered locally: 14 + socket on your box, set the packet mark to a certain value: 15 15 16 16 # iptables -t mangle -N DIVERT 17 17 # iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT 18 18 # iptables -t mangle -A DIVERT -j MARK --set-mark 1 19 19 # iptables -t mangle -A DIVERT -j ACCEPT 20 + 21 + Alternatively you can do this in nft with the following commands: 22 + 23 + # nft add table filter 24 + # nft add chain filter divert "{ type filter hook prerouting priority -150; }" 25 + # nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept 26 + 27 + And then match on that value using policy routing to have those packets 28 + delivered locally: 20 29 21 30 # ip rule add fwmark 1 lookup 100 22 31 # ip route add local 0.0.0.0/0 dev lo table 100 ··· 66 57 # iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \ 67 58 --tproxy-mark 0x1/0x1 --on-port 50080 68 59 60 + Or the following rule to nft: 61 + 62 + # nft add rule filter divert tcp dport 80 tproxy to :50080 meta mark set 1 accept 63 + 69 64 Note that for this to work you'll have to modify the proxy to enable (SOL_IP, 70 65 IP_TRANSPARENT) for the listening socket. 71 66 67 + As an example implementation, tcprdr is available here: 68 + https://git.breakpoint.cc/cgit/fw/tcprdr.git/ 69 + This tool is written by Florian Westphal and it was used for testing during the 70 + nf_tables implementation. 72 71 73 - 3. 
Iptables extensions 74 - ====================== 72 + 3. Iptables and nf_tables extensions 73 + ==================================== 75 74 76 - To use tproxy you'll need to have the 'socket' and 'TPROXY' modules 77 - compiled for iptables. A patched version of iptables is available 78 - here: http://git.balabit.hu/?p=bazsi/iptables-tproxy.git 75 + To use tproxy you'll need to have the following modules compiled for iptables: 76 + - NETFILTER_XT_MATCH_SOCKET 77 + - NETFILTER_XT_TARGET_TPROXY 79 78 79 + Or the floowing modules for nf_tables: 80 + - NFT_SOCKET 81 + - NFT_TPROXY 80 82 81 83 4. Application support 82 84 ======================
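Review bot: in the first hunk, the nft rule offered as the alternative (`meta l4proto tcp socket transparent 1 meta mark set 1 accept`) is not an exact equivalent of the iptables DIVERT rule above it: `-m socket` with no options matches any existing local socket (listening or established), whereas `socket transparent 1` matches only sockets that have IP_TRANSPARENT set, which corresponds to `-m socket --transparent`. Either add `--transparent` to the iptables rule so both variants divert the same traffic, or state in the text that the nft variant is deliberately limited to transparent sockets. Small style point on the same hunk: "From Linux 4.18 transparent proxy support is also available in nf_tables." reads better as "Since Linux 4.18, transparent proxy support is also available in nf_tables."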
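Review bot: typo in the second hunk's module list, `+ Or the floowing modules for nf_tables:` should read `following`. While touching that list, the entries are kernel configuration symbols, so writing them as `CONFIG_NETFILTER_XT_MATCH_SOCKET`, `CONFIG_NETFILTER_XT_TARGET_TPROXY`, `CONFIG_NFT_SOCKET` and `CONFIG_NFT_TPROXY` would make it clear that they are kernel options to enable, not userspace iptables or nft plugins. The new tcprdr paragraph should also say in one sentence what the tool demonstrates (for instance that it is a proxy using the IP_TRANSPARENT listening socket the preceding note describes), since a bare URL plus "used for testing" gives the reader little reason to follow the link.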