From patchwork Fri Aug 10 10:58:39 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?b?TcOhdMOpIEVja2w=?= X-Patchwork-Id: 956192 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="Gy2qSBmQ"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 41n2Pl3DYJz9s5b for ; Fri, 10 Aug 2018 21:06:51 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727450AbeHJNgQ (ORCPT ); Fri, 10 Aug 2018 09:36:16 -0400 Received: from mail-wm0-f66.google.com ([74.125.82.66]:51610 "EHLO mail-wm0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726963AbeHJNgP (ORCPT ); Fri, 10 Aug 2018 09:36:15 -0400 Received: by mail-wm0-f66.google.com with SMTP id y2-v6so1476310wma.1; Fri, 10 Aug 2018 04:06:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=61prLLx8PBSC9bOuhiAat6924f5tgMdVSPOj58tWLO4=; b=Gy2qSBmQs8f0W1MTBW50bhstxld0RM1iEhzEKrSg2gXD83EiUIpHIFonEAGAa12c0Q 8QpBA8z332JTBnY9pFNS/J/XifSbYGUrPE1GQadS6qTiY6F1mNmlbnrctNFbtSye66kv 81S5xXLjreDTMoep3u5QzH2uISDGp5FixvV2HvMBpgYV86tDzSSW73Wv7VUoW5DW8W94 OvT2motkBNXETCiCIgsouiiQ6us7rnEZNrTa3lHBj1kNvzDCXtxzGspnzVJqYJfznPjy PAoomeYgtSrZCvXtVfH61OSU7PobBbAwG3kbqirosiVju7kBFRbN6df1DfVRVAw/IqLQ AYug== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=61prLLx8PBSC9bOuhiAat6924f5tgMdVSPOj58tWLO4=; b=cJsETdh/Qt/a3qC/1cqyPdQXYevzpK3hOrSqakq0FbBnf7PJqn7oZKGt1oxnCQXhcs uvfHqqVbH2g2O1ASdOIX8n911V+Cy2XvCA8llPcWSW4FepLjWoQNjpoczo4cqn4PBaq0 jChOsRx1CKvBoBEIhK4LqdnbOBwPu6wDRtgdF0yceOEKbRe6jDc0XYHAYlTNEGXkSbGq g5+Hir/u9tcTjeRjgBlGhnMHRrQ4UPvdLASu6WJ3lVXd+q03vaCHqRRS/AGDIi1szBy5 T8h//KTsn09YWkyJhFKol3AOdPF/JZNfE7aA4tuuypRcFUHMGOHqbYSbGfCTGjLG8ihz 1CMQ== X-Gm-Message-State: AOUpUlG9saE7jz0hlVWljZI0AueWy7HAgodr3I75ZN3yFy09E4fXET7h hN1WD67zTCRGsq9SMrvO8Hjq41colWU= X-Google-Smtp-Source: AA+uWPz2pd7sn4+6eZ1Rs/Th32Fqy+kmpF3qecxbVGu93fRmvWWp+taHiqeSpLN3AkCX6wNMK1igGw== X-Received: by 2002:a1c:4004:: with SMTP id n4-v6mr1157594wma.83.1533899207273; Fri, 10 Aug 2018 04:06:47 -0700 (PDT) Received: from ecklm-lapos.sch.bme.hu (ecklapos.sch.bme.hu. [152.66.179.161]) by smtp.gmail.com with ESMTPSA id s10-v6sm2487815wmd.22.2018.08.10.04.06.45 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 10 Aug 2018 04:06:46 -0700 (PDT) From: =?utf-8?b?TcOhdMOpIEVja2w=?= To: netfilter-devel@vger.kernel.org Cc: "David S. Miller" , Jonathan Corbet , Florian Westphal , KOVACS Krisztian , Pablo Neira Ayuso , linux-doc@vger.kernel.org Subject: [PATCH nf-next] doc: net: Add nf_tables part in tproxy.txt Date: Fri, 10 Aug 2018 12:58:39 +0200 Message-Id: <20180810105834.17653-1-ecklm94@gmail.com> X-Mailer: git-send-email 2.18.0 MIME-Version: 1.0 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Recently, transparent proxy support has been added to nf_tables so that this document should be updated with the new information. - Nft commands are added as alternatives to iptables ones. - The link for a patched iptables is removed as it is already part of the mainline iptables implementation (and the link is dead). - tcprdr is added as an example implementation of a transparent proxy Cc: "David S. Miller" Cc: Jonathan Corbet Cc: Florian Westphal Cc: KOVACS Krisztian Cc: Pablo Neira Ayuso Cc: linux-doc@vger.kernel.org Signed-off-by: Máté Eckl --- The patches that introduced the mentioned support are the following in the linux-next tree: - 554ced0a6e29 netfilter: nf_tables: add support for native socket matching - 4ed8eb6570a4 netfilter: nf_tables: Add native tproxy support Documentation/networking/tproxy.txt | 34 +++++++++++++++++++++++------ 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/Documentation/networking/tproxy.txt b/Documentation/networking/tproxy.txt index ec11429e1d42..b9a188823d9f 100644 --- a/Documentation/networking/tproxy.txt +++ b/Documentation/networking/tproxy.txt @@ -5,19 +5,28 @@ This feature adds Linux 2.2-like transparent proxy support to current kernels. To use it, enable the socket match and the TPROXY target in your kernel config. You will need policy routing too, so be sure to enable that as well. +From Linux 4.18 transparent proxy support is also available in nf_tables. 1. Making non-local sockets work ================================ The idea is that you identify packets with destination address matching a local -socket on your box, set the packet mark to a certain value, and then match on that -value using policy routing to have those packets delivered locally: +socket on your box, set the packet mark to a certain value: # iptables -t mangle -N DIVERT # iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT # iptables -t mangle -A DIVERT -j MARK --set-mark 1 # iptables -t mangle -A DIVERT -j ACCEPT +Alternatively you can do this in nft with the following commands: + +# nft add table filter +# nft add chain filter divert "{ type filter hook prerouting priority -150; }" +# nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept + +And then match on that value using policy routing to have those packets +delivered locally: + # ip rule add fwmark 1 lookup 100 # ip route add local 0.0.0.0/0 dev lo table 100 @@ -57,17 +66,28 @@ add rules like this to the iptables ruleset above: # iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \ --tproxy-mark 0x1/0x1 --on-port 50080 +Or the following rule to nft: + +# nft add rule filter divert tcp dport 80 tproxy to :50080 meta mark set 1 accept + Note that for this to work you'll have to modify the proxy to enable (SOL_IP, IP_TRANSPARENT) for the listening socket. +As an example implementation, tcprdr is available here: +https://git.breakpoint.cc/cgit/fw/tcprdr.git/ +This tool is written by Florian Westphal and it was used for testing during the +nf_tables implementation. -3. Iptables extensions -====================== +3. Iptables and nf_tables extensions +==================================== -To use tproxy you'll need to have the 'socket' and 'TPROXY' modules -compiled for iptables. A patched version of iptables is available -here: http://git.balabit.hu/?p=bazsi/iptables-tproxy.git +To use tproxy you'll need to have the following modules compiled for iptables: + - NETFILTER_XT_MATCH_SOCKET + - NETFILTER_XT_TARGET_TPROXY +Or the floowing modules for nf_tables: + - NFT_SOCKET + - NFT_TPROXY 4. Application support ======================