From: "Nirgal Vourgère" <contact_vgernf@nirgal.com>
To: Balazs Scheidler <bazsi77@gmail.com>,
Pablo Neira Ayuso <pablo@netfilter.org>,
netfilter@vger.kernel.org
Subject: Re: Fwd: Issue migrating "iptables -m socket --transparent" into nftables
Date: Sat, 22 Aug 2020 03:24:43 +0200 [thread overview]
Message-ID: <13661805.z8pgfqvs6W@deimos> (raw)
In-Reply-To: <1667802.tW6joTg63a@deimos>
[-- Attachment #1: Type: text/plain, Size: 542 bytes --]
I applied the patches to my kernel and to nftables.
>>> table inet haproxy {
>>> chain prerouting {
>>> type filter hook prerouting priority -150; policy accept;
>>> socket transparent 1 socket wildcard 0 mark set 0x00000001
This works like a charm for IPv4. :)
But IPv6 outbound connections are still grabbed by the socket rather than being routed to the WAN and masqueraded.
This works with
> ip46tables -m socket --transparent -j MARK --set-mark 1
Attached is a more complete extract from my haproxy.cfg, with both v4 and v6.
[-- Attachment #2: haproxy.cfg --]
[-- Type: text/plain, Size: 4198 bytes --]
############################################################################
# DO NOT EDIT THAT FILE
# Notice: That file was generated using:
# /root/bin/update-virtualhosts /etc/haproxy/virtualhosts.haproxy
# See /etc/haproxy/virtualhosts.haproxy/config
############################################################################
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    # user haproxy # transparent proxying requires root privileges
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
defaults
    source 0.0.0.0 usesrc clientip
    log global
    #mode http
    #option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
frontend http4-in
    bind :80 transparent
    mode http
    option httplog
    default_backend http4-www2.in.nirgal.com
    use_backend http4-vcs.in.nirgal.com if { hdr(host) -i vcs.nirgal.com }
    use_backend http4-vcs.in.nirgal.com if { hdr(host) -i svn.nirgal.com }
    use_backend http4-vcs.in.nirgal.com if { hdr(host) -i git.nirgal.com }
frontend https4-in
    bind :443 strict-sni transparent
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    default_backend https4-www2.in.nirgal.com
    use_backend https4-vcs.in.nirgal.com if { req_ssl_sni -i vcs.nirgal.com }
    use_backend https4-vcs.in.nirgal.com if { req_ssl_sni -i svn.nirgal.com }
    use_backend https4-vcs.in.nirgal.com if { req_ssl_sni -i git.nirgal.com }
backend http4-www2.in.nirgal.com
    mode http
    server http4-www2.in.nirgal.com ipv4@192.168.1.99:80
backend http4-vcs.in.nirgal.com
    mode http
    server http4-vcs.in.nirgal.com ipv4@192.168.1.98:80
backend https4-www2.in.nirgal.com
    server https4-www2.in.nirgal.com ipv4@192.168.1.99:443
backend https4-vcs.in.nirgal.com
    server https4-vcs.in.nirgal.com ipv4@192.168.1.98:443
frontend http6-in
    bind :::80 v6only transparent
    mode http
    option httplog
    default_backend http6-www2.in.nirgal.com
    use_backend http6-vcs.in.nirgal.com if { hdr(host) -i vcs.nirgal.com }
    use_backend http6-vcs.in.nirgal.com if { hdr(host) -i svn.nirgal.com }
    use_backend http6-vcs.in.nirgal.com if { hdr(host) -i git.nirgal.com }
frontend https6-in
    bind :::443 v6only strict-sni transparent
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # TCP-mode frontend: route on the SNI, like https4-in, and fall back to
    # the https6 default backend (the flattened copy used hdr(host) and the
    # http6 backends here, which never matches in mode tcp)
    default_backend https6-www2.in.nirgal.com
    use_backend https6-vcs.in.nirgal.com if { req_ssl_sni -i vcs.nirgal.com }
    use_backend https6-vcs.in.nirgal.com if { req_ssl_sni -i svn.nirgal.com }
    use_backend https6-vcs.in.nirgal.com if { req_ssl_sni -i git.nirgal.com }
backend http6-www2.in.nirgal.com
    mode http
    server http6-www2.in.nirgal.com ipv6@[fd77:7777:7777::99]:80
backend http6-vcs.in.nirgal.com
    mode http
    server http6-vcs.in.nirgal.com ipv6@[fd77:7777:7777::98]:80
backend https6-www2.in.nirgal.com
    server https6-www2.in.nirgal.com ipv6@[fd77:7777:7777::99]:443
backend https6-vcs.in.nirgal.com
    server https6-vcs.in.nirgal.com ipv6@[fd77:7777:7777::98]:443
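Added example, not part of the thread or of the HAProxy/nftables projects: the nftables counterpart of the ip46tables rule above, written as one rule per address family with counters so "nft list ruleset" shows whether IPv4 or IPv6 packets are being diverted to the transparent socket, together with the mark-based local-delivery routes that transparent proxying depends on. It assumes an nft and kernel with the "socket wildcard" support the thread refers to; the table name, chain priority and mark 1 follow the thread, while routing table 100 is an arbitrary free table.

```shell
#!/bin/sh
# Added example (not from the thread): per-family equivalent of
# "ip46tables -m socket --transparent -j MARK --set-mark 1",
# plus the policy routing that delivers marked packets locally.
set -eu

MARK=1          # fwmark used in the thread
RT_TABLE=100    # routing table number: assumption, any free table works

# Emit the ruleset. The single inet rule from the thread is split per
# family and given a counter, so the operator can see which family's
# packets the socket match is grabbing.
tproxy_nft_ruleset() {
    cat <<EOF
table inet haproxy {
    chain prerouting {
        type filter hook prerouting priority -150; policy accept;
        meta nfproto ipv4 socket transparent 1 socket wildcard 0 counter mark set ${MARK}
        meta nfproto ipv6 socket transparent 1 socket wildcard 0 counter mark set ${MARK}
    }
}
EOF
}

# Marked packets are routed to the local host (both families), so that
# replies reach the transparent socket instead of the default route.
tproxy_routes() {
    cat <<EOF
ip rule add fwmark ${MARK} lookup ${RT_TABLE}
ip route add local 0.0.0.0/0 dev lo table ${RT_TABLE}
ip -6 rule add fwmark ${MARK} lookup ${RT_TABLE}
ip -6 route add local ::/0 dev lo table ${RT_TABLE}
EOF
}

# Apply only as root on a host with nft; otherwise show what would run.
apply_tproxy() {
    if [ "$(id -u)" -eq 0 ] && command -v nft >/dev/null 2>&1; then
        tproxy_nft_ruleset | nft -f -
        tproxy_routes | sh -e
    else
        echo "# dry run: would apply the following"
        tproxy_nft_ruleset
        tproxy_routes
    fi
}

case "${1:-}" in apply) apply_tproxy ;; esac
```

Run as "sh tproxy.sh apply" on the proxy host; "nft list ruleset" then reports separate packet counters for the IPv4 and IPv6 rule.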
2020-08-18 11:08 ` Fwd: Issue migrating "iptables -m socket --transparent" into nftables Nirgal Vourgère
2020-08-19 7:58 ` Pablo Neira Ayuso
2020-08-21 15:23 ` Pablo Neira Ayuso
2020-08-21 20:10 ` Nirgal Vourgère
2020-08-22 1:24 ` Nirgal Vourgère [this message]
2020-08-25 9:45 ` Balazs Scheidler
2020-08-26 18:00 ` Nirgal Vourgère