On Monday, 17 August 2020 21:34:06 CEST Florian Westphal wrote: > Nirgal Vourgère wrote: > > > > ip rule add fwmark 1 lookup haproxy > > ip route add local default dev lo table haproxy > > > > My firewall rules have > > > > iptables -t mangle -A PREROUTING -m socket --transparent -j MARK --set-mark 1 > > [..] > > > I tried this nft rule: > > > > table inet haproxy { > > chain prerouting { > > type filter hook prerouting priority -150; policy accept; > > socket transparent 1 mark set 0x00000001 > > } > > } > > > > It does work, but all traffic is routed to the haproxy socket, including outbound masqueraded connection… I mean when a box on the lan side connects to a foreign https server, the connection is grabbed by haproxy, which is not what I want. > > I don't understand how the iptables rule would not do exactly the same > thing, there is nothing that checks interface names or addresses. > > Are you sure there is nothing in the iptables rule set that > makes the socket rule only handle those packets that should be redirected? I am sure. Yes. Here's the output of my iptables generated "nft list ruleset", only the fragment regarding the mangle tables generated by iptables and ip6tables: table ip mangle { chain PREROUTING { type filter hook prerouting priority -150; policy accept; # socket --transparent counter packets 83537 bytes 53363874 meta mark set 0x1 } chain INPUT { type filter hook input priority -150; policy accept; } chain FORWARD { type filter hook forward priority -150; policy accept; } chain OUTPUT { type route hook output priority -150; policy accept; } chain POSTROUTING { type filter hook postrouting priority -150; policy accept; } } table ip6 mangle { chain PREROUTING { type filter hook prerouting priority -150; policy accept; # socket --transparent counter packets 3 bytes 180 meta mark set 0x1 } chain INPUT { type filter hook input priority -150; policy accept; } chain FORWARD { type filter hook forward priority -150; policy accept; } chain OUTPUT { type route hook output priority -150; policy accept; } chain POSTROUTING { type filter hook postrouting priority -150; policy accept; } } This works. No protocol check, no ip check, no port, just a simple brutal "iptables -t mangle -A PREROUTING -m socket --transparent -j MARK --set-mark 1" Attached are the whole firewall mangle fragments, one works. The other does not. Maybe there's some magic in the old transparent module, that silently add some conditions? I've been using that set up on a whole bunch of servers.