On 2019-10-15 12:46 p.m., Ljubomir Ljubojevic wrote:
On 10/15/19 9:16 PM, Nathan Coulson wrote:
On 2019-10-15 12:12 p.m., Nathan Coulson wrote:
I was working on a haproxy transparent proxy setup that we had working
on Centos 7 (iptables), but running into issues getting tproxy working
with NFTables on Centos 8.

From https://www.kernel.org/doc/Documentation/networking/tproxy.txt,

It should be a matter of:

# nft add table filter
# nft add chain filter divert "{ type filter hook prerouting priority -150; }"
# nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept

But when running the 3rd line (add rule), I get

root@kryptonite [/lib/modules/4.18.0-80.11.2.el8_0.x86_64]# nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
Error: Could not process rule: No such file or directory
add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


(In attempting to resolve this, I did the following)

modprobe nf_tproxy_ipv4
modprobe nf_tproxy_ipv6
modprobe nf_socket_ipv4
modprobe nf_socket_ipv6

I also noted that:
nft add rule filter divert meta l4proto tcp meta mark set 1 accept
(Removing socket transparent 1)

does not exit with a failure.

Also found https://bugzilla.redhat.com/show_bug.cgi?id=1651813 (which
did make reference to nftables version 0.9.0 possibly missing
support; I have not tried compiling 0.9.1 yet, but I find it curious
that the entire line fails with 'socket transparent 1', making me wonder if
it is still a missing module).


Adding to this:  just did a loop through the netfilter modules to see if
something was missing (no change)

# load every module found under a netfilter directory, then retry the failing rule after each
for x in $(find /lib/modules/4.18.0-80.11.2.el8_0.x86_64 | grep netfilter | sed 's/.*netfilter.//' | sed 's/\.ko.*$//' | sort); do
   echo ">>>>>>$x<<<<<<<<"
   modprobe $x
   nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
done


How is that solved for Fedora 28 that CentOS 8 is based on?

I can't say.

The ticket itself was obviously the same issue (I want to say that the socket/tproxy nft modules were unloaded for the ticket owner), but the modules in CentOS 8 are a touch different from what is described in the ticket (not sure what they are without more research, but I was suspecting that xt_TPROXY and xt_socket were what I may need; that didn't help).

It also made reference to nftables needing to be 0.9.1 vs 0.9.0, but I did note the entire line was shown as wrong, and that it does seem to take 'socket transparent 1' as a valid argument to that line (removing 'transparent 1', it says it expects transparent to follow socket). So I don't know how much that contributes.

(and then transformed into kernel crashes when those nft rules were added, which is at least currently not part of the issue)

Gut feeling would be a missing module, but I feel like I am missing part of the puzzle for this.

--
Nathan Coulson
System Administrator for Bravenet Web Services
www.bravenet.com
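As an added example (not part of the thread and not Nathan's script), here is a small POSIX sh check that turns the "is it a missing module?" gut feeling into something testable. When `nft add rule` fails with "No such file or directory" (ENOENT), the usual cause is that the kernel has no backing for one of the expressions in the rule; the nftables-native `socket` expression and `tproxy` statement live in the nft_socket and nft_tproxy modules (kernel options CONFIG_NFT_SOCKET and CONFIG_NFT_TPROXY), which are distinct from the xt_socket/xt_TPROXY modules that iptables used. The script looks for those modules under a /lib/modules tree and reads the kernel config for the same options. The module list and the /boot/config-<release> location are assumptions about a typical distribution layout; the helper names are my own.

```shell
#!/bin/sh
# Added example: check whether a kernel ships the nftables socket/tproxy support
# that `nft ... socket transparent 1` depends on. Module and option names below
# are assumed (nft_socket / CONFIG_NFT_SOCKET, nft_tproxy / CONFIG_NFT_TPROXY,
# plus the nf_socket_* / nf_tproxy_* helpers they pull in).

# nft_modules_missing MODDIR
#   Prints the required module names that are not found anywhere under MODDIR
#   (matching .ko, .ko.xz, .ko.gz or .ko.zst). Returns 0 if all are present,
#   1 if any are missing.
nft_modules_missing() {
    moddir=$1
    missing=""
    for m in nft_socket nft_tproxy nf_socket_ipv4 nf_socket_ipv6 nf_tproxy_ipv4 nf_tproxy_ipv6; do
        if ! find "$moddir" -name "$m.ko*" 2>/dev/null | grep -q .; then
            missing="$missing $m"
        fi
    done
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' "${missing# }"
    return 1
}

# nft_config_state CONFIGFILE OPTION
#   Echoes "builtin" (=y), "module" (=m) or "unset" for a CONFIG_* option in a
#   kernel config file such as /boot/config-$(uname -r). A missing file or a
#   "# OPTION is not set" line both report "unset".
nft_config_state() {
    cfg=$1
    opt=$2
    case $(grep -E "^$opt=" "$cfg" 2>/dev/null | head -n 1) in
        "$opt=y") echo builtin ;;
        "$opt=m") echo module ;;
        *)        echo unset ;;
    esac
}

# report RELEASE
#   Human-readable summary for one kernel release.
report() {
    rel=$1
    moddir=/lib/modules/$rel
    echo "kernel: $rel"
    if missing=$(nft_modules_missing "$moddir"); then
        echo "modules: all nftables socket/tproxy modules found under $moddir"
    else
        echo "modules: MISSING -> $missing"
    fi
    for opt in CONFIG_NFT_SOCKET CONFIG_NFT_TPROXY; do
        echo "$opt: $(nft_config_state "/boot/config-$rel" "$opt")"
    done
}

# Usage: sh check_nft_tproxy.sh [kernel-release]   (defaults to the running kernel)
report "${1:-$(uname -r)}"
```

If the modules are on disk but the option shows "unset", the config file and the module tree are from different kernels; if both say the module is absent, no amount of modprobe looping will make the rule load and the fix has to come from a kernel build that enables the option.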

_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
