From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org, antonio.ojea.garcia@gmail.com,
	phil@nwl.cc
Subject: Re: [PATCH nf] netfilter: nft_tproxy: make it terminal
Date: Fri, 13 Sep 2024 12:47:26 +0200	[thread overview]
Message-ID: <ZuQYPr3ugqG-Yz82@calendula> (raw)
In-Reply-To: <20240913104101.GA16472@breakpoint.cc>

On Fri, Sep 13, 2024 at 12:41:01PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Fri, Sep 13, 2024 at 12:23:47PM +0200, Florian Westphal wrote:
> > > Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > > > tproxy action must be terminal since the intent of the user is to steal the
> > > > traffic and redirect it to the port.
> > > > Align this behaviour to iptables to make it easier to migrate by issuing
> > > > NF_ACCEPT for packets that are redirected to the userspace process socket.
> > > > Otherwise, NF_DROP the packet if the socket transparent flag is not set.
> > > 
> > > The nonterminal behaviour is intentional. This change will likely
> > > break existing setups.
> > > 
> > > nft add rule filter divert tcp dport 80 tproxy to :50080 meta mark set 1 accept
> > > 
> > > This is a documented example.
> > 
> > Ouch. Example could have been:
> > 
> >   nft add rule filter divert tcp dport 80 socket transparent meta set 1 tproxy to :50080
> 
> Yes, but it's not the same.
> 
> With the statements switched, all tcp dport 80 have the mark set.
> With original example, the mark is set only if tproxy found a
> transparent sk.

Indeed, thanks for correcting me.

I'm remembering now why this was done: to address the ugly
mark hack that xt_TPROXY provides.

While this makes it harder to migrate, making it non-terminal
allows more handling, such as ct/meta marking, after it.

I think we just have to document this in man nft(8).
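As an added illustration (not code from this thread, from nftables or from the kernel), a small Python model of rule evaluation with break semantics, assuming a simulated "transparent socket found" flag in place of the real socket lookup: it contrasts the current non-terminal tproxy with the terminal behaviour the patch proposes, for the documented rule `tcp dport 80 tproxy to :50080 meta mark set 1 accept`.

```python
# Toy model of nft rule evaluation (added illustration, not nftables code).
# A rule is a list of expressions evaluated left to right. An expression that
# returns BREAK ends the rule without a verdict, so the later expressions in
# that rule never run; ACCEPT/DROP end chain traversal with that verdict.
from dataclasses import dataclass

CONTINUE, BREAK, ACCEPT, DROP = "continue", "break", "accept", "drop"

@dataclass
class Packet:
    dport: int
    transparent_sk: bool   # simulated: tproxy's socket lookup found a transparent sk
    mark: int = 0

def tcp_dport(port):
    return lambda pkt: CONTINUE if pkt.dport == port else BREAK

def meta_mark_set(value):
    def expr(pkt):
        pkt.mark = value
        return CONTINUE
    return expr

def accept(pkt):
    return ACCEPT

def tproxy(terminal):
    """Non-terminal (current): sk found -> continue, else break.
    Terminal (as proposed in the patch): sk found -> accept, else drop."""
    def expr(pkt):
        if pkt.transparent_sk:
            return ACCEPT if terminal else CONTINUE
        return DROP if terminal else BREAK
    return expr

def eval_rule(rule, pkt):
    for expr in rule:
        verdict = expr(pkt)
        if verdict != CONTINUE:
            return verdict
    return CONTINUE   # rule fully matched without a verdict; next rule runs

def divert_rule(terminal):
    # nft add rule filter divert tcp dport 80 tproxy to :50080 meta mark set 1 accept
    return [tcp_dport(80), tproxy(terminal), meta_mark_set(1), accept]

def run(terminal, transparent_sk):
    """Return (mark, verdict) for a dport-80 packet under the chosen semantics."""
    pkt = Packet(dport=80, transparent_sk=transparent_sk)
    return pkt.mark if False else None, None  # placeholder replaced below
```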

