[nft] doc: Add tproxy statement to man page

Message ID 20180703142158.3883-1-ecklm94@gmail.com
State Changes Requested
Delegated to: Pablo Neira
Headers show
Series
  • [nft] doc: Add tproxy statement to man page
Related show

Commit Message

Máté Eckl July 3, 2018, 2:21 p.m.
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
---
 doc/nft.xml | 119 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 119 insertions(+)

Patch

diff --git a/doc/nft.xml b/doc/nft.xml
index ef1b2c4..0cf3dcc 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -5341,6 +5341,125 @@  add rule nat prerouting tcp dport 22 redirect to :2222
 			</para>
 		</refsect2>
 
+		<refsect2>
+			<title>tproxy statements</title>
+			<para>
+				Tproxy redirects the packet to a local socket
+				without changing the packet header in any way.
+				If any of the arguments is missing the data of
+				the incoming packet is used as parameter.
+				Tproxy matching requires another rule that ensures
+				the presence of transport protocol header is specified.
+			</para>
+			<para>
+				<cmdsynopsis>
+						<command>tproxy</command>
+						<arg choice="none">to</arg>
+						<arg choice="none"><replaceable>address</replaceable></arg>
+						<arg choice="none">:<replaceable>port</replaceable></arg>
+				</cmdsynopsis>
+				<cmdsynopsis>
+						<command>tproxy</command>
+						<arg choice="none">to</arg>
+						<group choice="req">
+							<arg><replaceable>address</replaceable></arg>
+							<arg>:<replaceable>port</replaceable></arg>
+						</group>
+				</cmdsynopsis>
+			</para>
+			<para>
+				This syntax can be used in <literal>ip/ip6</literal> tables where
+				network layer protocol is obvious. Either ip address or port can
+				be specified, but at least one of them is necessary.
+			</para>
+			<para>
+				<cmdsynopsis>
+						<command>tproxy</command>
+						<group choice="req">
+							<arg>ip</arg>
+							<arg>ip6</arg>
+						</group>
+						<arg choice="none">to</arg>
+						<arg choice="none"><replaceable>address</replaceable></arg>
+						<arg choice="opt" >:<replaceable>port</replaceable></arg>
+				</cmdsynopsis>
+				<cmdsynopsis>
+						<command>tproxy</command>
+						<arg choice="none">to</arg>
+						<arg choice="none" >:<replaceable>port</replaceable></arg>
+				</cmdsynopsis>
+			</para>
+			<para>
+				This syntax can be used in <literal>inet</literal> tables. The
+				<literal>ip/ip6</literal> parameter defines the family the rule
+				will match. The <literal>address</literal> parameter must be of
+				this family.
+				When only <literal>port</literal> is defined, the address family
+				should not be specified. In this case the rule will match for both
+				families.
+			</para>
+			<para>
+				<table frame="all">
+					<title>tproxy attributes</title>
+					<tgroup cols='2' align='left' colsep='1' rowsep='1'>
+						<colspec colname='c1'/>
+						<colspec colname='c2'/>
+						<thead>
+							<row>
+								<entry>Name</entry>
+								<entry>Description</entry>
+							</row>
+						</thead>
+						<tbody>
+							<row>
+								<entry>address</entry>
+								<entry>
+									IP address the listening socket with IP_TRANSPARENT
+									option is bound to.
+								</entry>
+							</row>
+							<row>
+								<entry>port</entry>
+								<entry>
+									Port the listening socket with IP_TRANSPARENT
+									option is bound to.
+								</entry>
+							</row>
+						</tbody>
+					</tgroup>
+				</table>
+			</para>
+			<para>
+				<example>
+					<title>Example ruleset for tproxy statement</title>
+					<programlisting>
+table ip x {
+    chain y {
+        type filter hook prerouting priority -150; policy accept;
+        tcp dport ntp tproxy to 1.1.1.1
+        udp dport ssh tproxy to :2222
+    }
+}
+table ip6 x {
+    chain y {
+       type filter hook prerouting priority -150; policy accept;
+       tcp dport ntp tproxy to [dead::beef]
+       udp dport ssh tproxy to :2222
+    }
+}
+table inet x {
+    chain y {
+        type filter hook prerouting priority -150; policy accept;
+        tcp dport 321 tproxy to :ssh
+        tcp dport 99 tproxy ip to 1.1.1.1:999
+        udp dport 155 tproxy ip6 to [dead::beef]:smux
+    }
+}
+					</programlisting>
+				</example>
+			</para>
+		</refsect2>
+
 		<refsect2>
 			<title>Flow offload statement</title>
 			<para>