From: Pablo Neira Ayuso <pablo@netfilter.org>
To: "Nirgal Vourgère" <contact_vgernf@nirgal.com>
Cc: Florian Westphal <fw@strlen.de>,
netfilter@vger.kernel.org, Balazs Scheidler <bazsi77@gmail.com>
Subject: Re: Issue migrating "iptables -m socket --transparent" into nftables
Date: Tue, 18 Aug 2020 12:17:04 +0200
Message-ID: <20200818101704.GA11030@salvia>
In-Reply-To: <3052032.WrxeKnI8BP@deimos>
On Tue, Aug 18, 2020 at 01:25:45AM +0200, Nirgal Vourgère wrote:
> Maybe there's some magic in the old transparent module that silently adds some conditions?
Balazs cannot reply to the mailing list for some reason. He sent me
this privately:
"The original iptables "socket" match had an extra check so that it wouldn't
match listener sockets, at least by default (that is if --nowildcard is not
specified).
I don't see however how "outbound masqueraded connection" could be
impacted. The "socket transparent 1" expression should require that the
socket being matched has IP_TRANSPARENT setsockopt set. Are those
connections also initiated by haproxy?
In any case, I think the check to ignore wildcard bound listener sockets is
definitely missing, however I am not sure how to properly add it to
nftables. If I added it to the socket match implementation that might break
a few currently well behaving use-cases.
This is the check that is in iptables -m socket:

        wildcard = (!(info->flags & XT_SOCKET_NOWILDCARD) &&
                    sk_fullsock(sk) &&
                    inet_sk(sk)->inet_rcv_saddr == 0);

And then if --transparent is used, these sockets are not accepted / the
rule does not match."
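The following is an added user-space model of the two decisions compared in this thread (it is not kernel code and not part of Balazs' or Pablo's message). It mirrors the flag handling of xt_socket.c and the "socket transparent 1" lookup of nft_socket.c as they stood at the time, runs the same constructed sample sockets through both, and shows that the only place they disagree is a listener bound to 0.0.0.0 that has IP_TRANSPARENT set. The sample sockets, their labels and the addresses are constructed for illustration; the XT_SOCKET_* flag values are the ones from the uapi header xt_socket.h.

```c
/* Added example: user-space model of the iptables -m socket decision
 * versus the nftables "socket transparent 1" decision. Not kernel code;
 * it only reproduces the boolean logic the thread discusses. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag values as defined in include/uapi/linux/netfilter/xt_socket.h */
#define XT_SOCKET_TRANSPARENT (1 << 0)
#define XT_SOCKET_NOWILDCARD  (1 << 1)

/* The fields of struct sock that the kernel match actually reads. */
struct sock_view {
    const char *label;       /* description of the constructed sample */
    bool        found;       /* did the socket lookup find anything? */
    bool        fullsock;    /* sk_fullsock(): false for TIME_WAIT/request minisocks */
    bool        transparent; /* inet_sk_transparent(): IP_TRANSPARENT is set */
    uint32_t    rcv_saddr;   /* inet_rcv_saddr, host order for readability; 0 = INADDR_ANY */
};

/* iptables -m socket [--transparent] [--nowildcard], following xt_socket.c */
bool xt_socket_match(const struct sock_view *sk, unsigned flags)
{
    if (!sk->found)
        return false;

    bool transparent = true;
    /* Ignore sockets bound to INADDR_ANY unless --nowildcard was given */
    bool wildcard = !(flags & XT_SOCKET_NOWILDCARD) &&
                    sk->fullsock &&
                    sk->rcv_saddr == 0;

    /* With --transparent, additionally require IP_TRANSPARENT on the socket */
    if (flags & XT_SOCKET_TRANSPARENT)
        transparent = sk->transparent;

    return !(wildcard || !transparent);
}

/* nftables "socket transparent 1": any socket the lookup finds whose
 * transparent bit is set; there is no wildcard check here. */
bool nft_socket_transparent_match(const struct sock_view *sk)
{
    return sk->found && sk->transparent;
}

/* Constructed samples (not captured from a real system). */
const struct sock_view samples[] = {
    { "haproxy listener 0.0.0.0:443 with IP_TRANSPARENT",          true,  true,  true,  0 },
    { "masqueraded outbound TCP from 10.0.0.5, no IP_TRANSPARENT", true,  true,  false, 0x0a000005 },
    { "haproxy upstream connection spoofing client 203.0.113.7",   true,  true,  true,  0xcb007107 },
    { "TIME_WAIT minisock of a transparent flow",                   true,  false, true,  0xcb007107 },
    { "no socket found",                                            false, false, false, 0 },
};
#define NSAMPLES (sizeof(samples) / sizeof(samples[0]))

/* Number of samples on which the old default rule
 * "-m socket --transparent" and "socket transparent 1" disagree. */
int count_disagreements(void)
{
    int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        if (xt_socket_match(&samples[i], XT_SOCKET_TRANSPARENT) !=
            nft_socket_transparent_match(&samples[i]))
            n++;
    return n;
}

int main(void)
{
    printf("%-60s %-12s %-12s %s\n", "socket", "xt default", "xt nowildcard", "nft");
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("%-60s %-12s %-12s %s\n", samples[i].label,
               xt_socket_match(&samples[i], XT_SOCKET_TRANSPARENT) ? "match" : "-",
               xt_socket_match(&samples[i], XT_SOCKET_TRANSPARENT | XT_SOCKET_NOWILDCARD) ? "match" : "-",
               nft_socket_transparent_match(&samples[i]) ? "match" : "-");
    printf("disagreements between xt default and nft: %d\n", count_disagreements());
    return 0;
}
```

The model shows the gap Balazs describes: the wildcard-bound transparent listener is skipped by "-m socket --transparent" but matched by "socket transparent 1", so a tproxy-style rule that only keys on the transparent bit will also fire for packets that merely happen to hit a listener on 0.0.0.0, while the outbound masqueraded connection without IP_TRANSPARENT is rejected by both. Note that the wildcard check in xt_socket is gated on sk_fullsock(), so TIME_WAIT minisocks are never treated as wildcard. Newer nftables releases expose the same bit as a separate "socket wildcard" selector; that is outside this thread.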
Thread overview: 4+ messages
2020-08-17 14:54 Issue migrating "iptables -m socket --transparent" into nftables Nirgal Vourgère
2020-08-17 19:34 ` Florian Westphal
2020-08-17 23:25 ` Nirgal Vourgère
2020-08-18 10:17 ` Pablo Neira Ayuso [this message]