From: Nirgal Vourgère
Subject: Re: Issue migrating "iptables -m socket --transparent" into nftables
Date: Tue, 18 Aug 2020 01:25:45 +0200
Message-ID: <3052032.WrxeKnI8BP@deimos>
References: <30147982.tmreYhUOsE@deimos> <20200817193406.GE15804@breakpoint.cc>
In-Reply-To: <20200817193406.GE15804@breakpoint.cc>
To: Florian Westphal
Cc: netfilter@vger.kernel.org

On Monday, 17 August 2020 21:34:06 CEST Florian Westphal wrote:
> Nirgal Vourgère wrote:
> >
> > ip rule add fwmark 1 lookup haproxy
> > ip route add local default dev lo table haproxy
> >
> > My firewall rules have
> >
> > iptables -t mangle -A PREROUTING -m socket --transparent -j MARK --set-mark 1
>
> [..]
>
> > I tried this nft rule:
> >
> > table inet haproxy {
> >         chain prerouting {
> >                 type filter hook prerouting priority -150; policy accept;
> >                 socket transparent 1 mark set 0x00000001
> >         }
> > }
> >
> > It does work, but all traffic is routed to the haproxy socket, including outbound masqueraded connections… I mean when a box on the LAN side connects to a foreign https server, the connection is grabbed by haproxy, which is not what I want.
>
> I don't understand how the iptables rule would not do exactly the same
> thing, there is nothing that checks interface names or addresses.
>
> Are you sure there is nothing in the iptables rule set that
> makes the socket rule only handle those packets that should be redirected?

I am sure. Yes.
Here's the output of my iptables-generated "nft list ruleset", only the fragment regarding the mangle tables generated by iptables and ip6tables:

table ip mangle {
        chain PREROUTING {
                type filter hook prerouting priority -150; policy accept;
                # socket --transparent counter packets 83537 bytes 53363874 meta mark set 0x1
        }
        chain INPUT {
                type filter hook input priority -150; policy accept;
        }
        chain FORWARD {
                type filter hook forward priority -150; policy accept;
        }
        chain OUTPUT {
                type route hook output priority -150; policy accept;
        }
        chain POSTROUTING {
                type filter hook postrouting priority -150; policy accept;
        }
}
table ip6 mangle {
        chain PREROUTING {
                type filter hook prerouting priority -150; policy accept;
                # socket --transparent counter packets 3 bytes 180 meta mark set 0x1
        }
        chain INPUT {
                type filter hook input priority -150; policy accept;
        }
        chain FORWARD {
                type filter hook forward priority -150; policy accept;
        }
        chain OUTPUT {
                type route hook output priority -150; policy accept;
        }
        chain POSTROUTING {
                type filter hook postrouting priority -150; policy accept;
        }
}

This works. No protocol check, no IP check, no port, just a simple brutal "iptables -t mangle -A PREROUTING -m socket --transparent -j MARK --set-mark 1".

Attached are the whole firewall mangle fragments; one works, the other does not.

Maybe there's some magic in the old transparent module that silently adds some conditions? I've been using that setup on a whole bunch of servers.
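Added illustration, not part of this message or its attachments: a Python model of the decision each rule makes once the kernel has looked up a socket for the packet. In xt_socket (the module behind "iptables -m socket") a socket bound to a wildcard address is ignored unless "--nowildcard" is given, while the nftables "socket transparent" expression tests only the IP_TRANSPARENT flag. The socket records below are constructed; that the haproxy instance in question listens on a wildcard address is an assumption, not something stated in the thread.

```python
from dataclasses import dataclass
from typing import Optional

WILDCARD_ADDRS = ("0.0.0.0", "::")


@dataclass(frozen=True)
class Sock:
    """Constructed stand-in for the socket returned by the kernel's lookup."""
    rcv_saddr: str         # address the socket is bound to (inet_rcv_saddr)
    transparent: bool      # IP_TRANSPARENT / IPV6_TRANSPARENT set on the socket
    fullsock: bool = True  # False for TIME_WAIT minisocks, which skip the wildcard test


def xt_socket_match(sk: Optional[Sock], transparent: bool = True,
                    nowildcard: bool = False) -> bool:
    """Model of iptables '-m socket [--transparent] [--nowildcard]' (xt_socket)."""
    if sk is None:
        return False
    # Zero-bound listeners are ignored unless --nowildcard is given.
    wildcard = (not nowildcard) and sk.fullsock and sk.rcv_saddr in WILDCARD_ADDRS
    # Non-transparent sockets are ignored when --transparent is given.
    is_transparent = sk.transparent if transparent else True
    return (not wildcard) and is_transparent


def nft_socket_transparent_match(sk: Optional[Sock]) -> bool:
    """Model of nft 'socket transparent 1' (nft_socket): only the flag is tested."""
    return sk is not None and sk.transparent


def compare(sk: Optional[Sock]) -> dict:
    """Verdict of both rules for the same looked-up socket."""
    return {"iptables": xt_socket_match(sk), "nft": nft_socket_transparent_match(sk)}


# Constructed scenario from the thread: a LAN host opens a connection to a
# foreign HTTPS server. No established socket exists for it, so the lookup
# falls back to whatever local listener owns port 443.
WILDCARD_LISTENER = Sock("0.0.0.0", transparent=True)   # haproxy bound to *:443
BOUND_LISTENER = Sock("192.0.2.10", transparent=True)   # haproxy bound to one address
BACKEND_CONN = Sock("198.51.100.7", transparent=True)   # haproxy's outgoing leg, bound to the client IP
PLAIN_LISTENER = Sock("0.0.0.0", transparent=False)     # an ordinary local service

if __name__ == "__main__":
    for name, sk in [("wildcard listener", WILDCARD_LISTENER), ("bound listener", BOUND_LISTENER),
                     ("backend conn", BACKEND_CONN), ("plain listener", PLAIN_LISTENER)]:
        print(f"{name:18} {compare(sk)}")
```

Recent nftables and kernels add a "socket wildcard" boolean, so "socket transparent 1 socket wildcard 0" reproduces the iptables default of skipping zero-bound listeners.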