Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

docs: networking: convert tproxy.txt to ReST

- add SPDX header;
- adjust title markup;
- mark code blocks and literals as such;
- adjust indentation, whitespaces and blank lines where needed;
- add to networking/index.rst.

Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by Mauro Carvalho Chehab and committed by David S. Miller
4ac0b122 06bfa47e

+32 -26
+1
Documentation/networking/index.rst
··· 110 110 tcp-thin 111 111 team 112 112 timestamping 113 + tproxy 113 114 114 115 .. only:: subproject and html 115 116
+30 -25
Documentation/networking/tproxy.txt Documentation/networking/tproxy.rst
··· 1 + .. SPDX-License-Identifier: GPL-2.0 2 + 3 + ========================= 1 4 Transparent proxy support 2 5 ========================= 3 6 ··· 14 11 ================================ 15 12 16 13 The idea is that you identify packets with destination address matching a local 17 - socket on your box, set the packet mark to a certain value: 14 + socket on your box, set the packet mark to a certain value:: 18 15 19 - # iptables -t mangle -N DIVERT 20 - # iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT 21 - # iptables -t mangle -A DIVERT -j MARK --set-mark 1 22 - # iptables -t mangle -A DIVERT -j ACCEPT 16 + # iptables -t mangle -N DIVERT 17 + # iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT 18 + # iptables -t mangle -A DIVERT -j MARK --set-mark 1 19 + # iptables -t mangle -A DIVERT -j ACCEPT 23 20 24 - Alternatively you can do this in nft with the following commands: 21 + Alternatively you can do this in nft with the following commands:: 25 22 26 - # nft add table filter 27 - # nft add chain filter divert "{ type filter hook prerouting priority -150; }" 28 - # nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept 23 + # nft add table filter 24 + # nft add chain filter divert "{ type filter hook prerouting priority -150; }" 25 + # nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept 29 26 30 27 And then match on that value using policy routing to have those packets 31 - delivered locally: 28 + delivered locally:: 32 29 33 - # ip rule add fwmark 1 lookup 100 34 - # ip route add local 0.0.0.0/0 dev lo table 100 30 + # ip rule add fwmark 1 lookup 100 31 + # ip route add local 0.0.0.0/0 dev lo table 100 35 32 36 33 Because of certain restrictions in the IPv4 routing output code you'll have to 37 34 modify your application to allow it to send datagrams _from_ non-local IP 38 35 addresses. 
All you have to do is enable the (SOL_IP, IP_TRANSPARENT) socket 39 - option before calling bind: 36 + option before calling bind:: 40 37 41 - fd = socket(AF_INET, SOCK_STREAM, 0); 42 - /* - 8< -*/ 43 - int value = 1; 44 - setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value)); 45 - /* - 8< -*/ 46 - name.sin_family = AF_INET; 47 - name.sin_port = htons(0xCAFE); 48 - name.sin_addr.s_addr = htonl(0xDEADBEEF); 49 - bind(fd, &name, sizeof(name)); 38 + fd = socket(AF_INET, SOCK_STREAM, 0); 39 + /* - 8< -*/ 40 + int value = 1; 41 + setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value)); 42 + /* - 8< -*/ 43 + name.sin_family = AF_INET; 44 + name.sin_port = htons(0xCAFE); 45 + name.sin_addr.s_addr = htonl(0xDEADBEEF); 46 + bind(fd, &name, sizeof(name)); 50 47 51 48 A trivial patch for netcat is available here: 52 49 http://people.netfilter.org/hidden/tproxy/netcat-ip_transparent-support.patch ··· 64 61 getting the original destination address is racy.) 65 62 66 63 The 'TPROXY' target provides similar functionality without relying on NAT. Simply 67 - add rules like this to the iptables ruleset above: 64 + add rules like this to the iptables ruleset above:: 68 65 69 - # iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \ 70 - --tproxy-mark 0x1/0x1 --on-port 50080 66 + # iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \ 67 + --tproxy-mark 0x1/0x1 --on-port 50080 71 68 72 69 Or the following rule to nft: 73 70 ··· 85 82 ==================================== 86 83 87 84 To use tproxy you'll need to have the following modules compiled for iptables: 85 + 88 86 - NETFILTER_XT_MATCH_SOCKET 89 87 - NETFILTER_XT_TARGET_TPROXY 90 88 91 89 Or the floowing modules for nf_tables: 90 + 92 91 - NFT_SOCKET 93 92 - NFT_TPROXY 94 93
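Review bot: the lead-in "Or the following rule to nft:" (unchanged context at the end of the TPROXY hunk) is the only command introduction in this file left with a single colon, while the iptables lead-in directly above it was changed to `add rules like this to the iptables ruleset above::`. Unless the nft rule beneath it is meant to render as ordinary paragraph text, it should get the same `::` marker and be indented as a literal block, otherwise the iptables and nft examples for the same rule render differently. In the last hunk, the pre-existing typo in `Or the floowing modules for nf_tables:` is already in the diff context and could be corrected to "following" in the same conversion rather than left for a follow-up.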
+1 -1
net/netfilter/Kconfig
··· 1043 1043 on Netfilter connection tracking and NAT, unlike REDIRECT. 1044 1044 For it to work you will have to configure certain iptables rules 1045 1045 and use policy routing. For more information on how to set it up 1046 - see Documentation/networking/tproxy.txt. 1046 + see Documentation/networking/tproxy.rst. 1047 1047 1048 1048 To compile it as a module, choose M here. If unsure, say N. 1049 1049
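Review bot: this hunk updates only the help text for the xtables TPROXY target; before merging it is worth a `git grep -n 'tproxy.txt'` across the tree to confirm no other Kconfig help text or document still points at the old name, since any remaining reference becomes a dangling path once the file is renamed to tproxy.rst.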