From: Carl Lei <me@xecycle.info>
To: netfilter@vger.kernel.org
Subject: nft tproxy failed to redirect on one system
Date: Fri, 11 Aug 2023 12:00:43 +0800
Message-ID: <6C790DD9C154BA04+20230811120043.0c3c6302@xcws1>
Hi all,
I have two systems with very similar config, but tproxy failed to
redirect on one of them. I have a program listening on *:1081, and
want to redirect daddr 198.18.0.0/16 & tcp to this program; I set in
the route table like
local 198.18.0.0/16 dev lo proto static scope host
without policy selectors in `ip rule`; and my (incomplete) nftables
config is like:
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state vmap {
            related : accept, established : accept,
            invalid : drop,
            new : jump input-new,
        }
    }
    chain input-new {
        iifname vmap {
            vbr0 : jump input-new-isolated,
            lo : accept,
        }
        icmp type echo-request accept
    }
    chain input-new-isolated {
        meta mark 42 counter accept
        fib daddr . iif type != { local, broadcast, multicast } drop
        icmp type echo-request accept
        icmpv6 type { echo-request, } accept
        reject
    }
    chain mangle {
        type filter hook prerouting priority mangle; policy accept;
        ip daddr 198.18.0.0/16 meta l4proto tcp tproxy ip to :1081 meta mark set 42 accept
    }
}
Sorry for being incomplete, but I added nftrace before these rules and
saw packets go through the same chain of rules, first hitting tproxy
in mangle, then "meta mark 42 counter accept" in input-new-isolated. But
on one system it works for local programs AND network-received packets;
on the other system it works only for local programs. On the bad system
the packets instead get directed to whatever program was originally
listening on the original port, or get rejected; e.g. I have an nginx
listening on 0.0.0.0:80 but no program on 443, so curl http in a VM
connected to vbr0 goes to my nginx, and curl https gets rejected. I
expect both to go to the program listening on 1081.

What should I check next?
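As an added illustration (not code from the original post), the kind of listener the post's "program listening on *:1081" has to be: a tproxy-diverted TCP connection is only handed to a listening socket that has IP_TRANSPARENT set, and the accepted socket's getsockname() then reports the address the client actually dialled (something in 198.18.0.0/16), not *:1081. The range, port and mark value are taken from the post; the helper names are my own.

```python
import ipaddress
import socket

# Values from the post: the mangle rule diverts tcp to 198.18.0.0/16 to :1081.
REDIRECT_NET = ipaddress.ip_network("198.18.0.0/16")
LISTEN_PORT = 1081


def in_redirect_range(host):
    """True if `host` is an address the tproxy rule is meant to divert."""
    return ipaddress.ip_address(host) in REDIRECT_NET


def make_tproxy_listener(port=LISTEN_PORT):
    """Bind *:port with IP_TRANSPARENT set (needs CAP_NET_ADMIN).

    Without IP_TRANSPARENT the kernel's tproxy lookup will not pick this
    socket, and the packet falls through to whatever socket really owns the
    original destination port, or to nothing at all.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_TRANSPARENT, 1)
    s.bind(("0.0.0.0", port))
    s.listen(16)
    return s


def original_destination(conn):
    """Original destination of a diverted connection: getsockname() on the
    accepted socket gives the address the client dialled, e.g. 198.18.5.5:443."""
    host, port = conn.getsockname()[:2]
    return host, port


def check_diversion(host, port):
    """Classify an accepted connection by its reported original destination."""
    if in_redirect_range(host):
        return "diverted: client wanted %s:%d" % (host, port)
    return "not diverted: socket reports %s:%d" % (host, port)


if __name__ == "__main__":
    srv = make_tproxy_listener()
    while True:
        conn, peer = srv.accept()
        with conn:
            host, port = original_destination(conn)
            print(peer, "->", check_diversion(host, port))
```

A connection that reaches this socket directly (a local client dialling :1081) reports the listener's own address and is classified as "not diverted", which separates the two cases the post describes.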
Thread overview (5+ messages):
2023-08-11 04:00 Carl Lei [this message]
2023-08-21 07:48 Carl Lei, "nft tproxy failed to redirect on one system"
2023-08-22 10:05 Pablo Neira Ayuso
2023-08-22 10:16 Carl Lei
2023-11-22 02:59 Carl Lei