From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Balazs Scheidler <bazsi77@gmail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nftables v2 1/5] socket: add support for "wildcard" key
Date: Sat, 29 Aug 2020 13:17:23 +0200
Message-ID: <20200829111723.GA9645@salvia>
In-Reply-To: <20200829070405.23636-2-bazsi77@gmail.com>
On Sat, Aug 29, 2020 at 09:04:01AM +0200, Balazs Scheidler wrote:
> iptables had a "-m socket --transparent" which didn't match sockets that are
> bound to all addresses (e.g. 0.0.0.0 for ipv4, and ::0 for ipv6). It was
> possible to override this behavior by using --nowildcard, in which case it
> did match zero bound sockets as well.
>
> The issue is that nftables never included the wildcard check, so in effect
> it behaved like "iptables -m socket --transparent --nowildcard" with no
> means to exclude wildcarded listeners.
>
> This is a problem as a user-space process that binds to 0.0.0.0:<port> that
> enables IP_TRANSPARENT would effectively intercept traffic going in _any_
> direction on the specific port, whereas in most cases, transparent proxies
> would only need this for one specific address.
>
> The solution is to add a "socket wildcard" key to the nft_socket module, which
> makes it possible to match on the wildcardness of a socket from
> one's ruleset.
>
> This is how to use it:
>
> table inet haproxy {
>         chain prerouting {
>                 type filter hook prerouting priority -150; policy accept;
>                 socket transparent 1 socket wildcard 0 mark set 0x00000001
>         }
> }
>
> This patch effectively depends on its counterpart in the kernel.
Applied, thanks.
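To make the wildcard distinction concrete, here is an added C example (not part of the patch series or of nftables) that classifies a socket's bound address the way the new key does: 0.0.0.0 or ::0 is a wildcard listener, anything else is specific. It assumes Linux with glibc, and leaves IP_TRANSPARENT unset because setting it needs CAP_NET_ADMIN.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 if sa is the "any" address (0.0.0.0 or ::), i.e. what "socket wildcard 1"
 * selects; 0 for a specific address; -1 for other address families. */
int addr_is_wildcard(const struct sockaddr *sa)
{
    if (sa->sa_family == AF_INET)
        return ((const struct sockaddr_in *)sa)->sin_addr.s_addr == htonl(INADDR_ANY);
    if (sa->sa_family == AF_INET6)
        return IN6_IS_ADDR_UNSPECIFIED(&((const struct sockaddr_in6 *)sa)->sin6_addr);
    return -1;
}

/* Same classification for a live socket, read back via getsockname(). */
int socket_is_wildcard(int fd)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    if (getsockname(fd, (struct sockaddr *)&ss, &len) < 0)
        return -1;
    return addr_is_wildcard((const struct sockaddr *)&ss);
}

/* IPv4 TCP listener on addr with an ephemeral port; -1 on error. A real
 * transparent proxy would also set IP_TRANSPARENT (needs CAP_NET_ADMIN). */
int bind_listener(const char *addr)
{
    struct sockaddr_in sin = { .sin_family = AF_INET }; /* port 0 = ephemeral */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0 || listen(fd, 1) < 0) {
        close(fd); return -1;
    }
    return fd;
}

int main(void)
{
    const char *addrs[] = { "0.0.0.0", "127.0.0.1" }; /* wildcard vs specific */
    for (int i = 0; i < 2; i++) {
        int fd = bind_listener(addrs[i]);
        printf("%-9s wildcard=%d\n", addrs[i], fd < 0 ? -1 : socket_is_wildcard(fd));
        if (fd >= 0) close(fd);
    }
    return 0;
}
```

With the ruleset above, only the 127.0.0.1 listener would be selected by `socket transparent 1 socket wildcard 0` once IP_TRANSPARENT is set on it; the 0.0.0.0 one is what the key now lets you exclude.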