Hi All,
I've been working on implementing tproxy matching to nftables, and I'd like you
to comment on the planned syntax and possibilities.
Basically I have planned an interface similar to nat statements with some
restrictions.
tproxy [<ip(v6) address>][:<port>]
The restrictions (I can tell now):
- No ranges would be allowed: In some nat situations it can be useful, but I
don't see the use-case where ranges would be necessary in either the address
or port as they are local destination data.
- I wouldn't allow host names or protocol names in the expressions (however, for
now I'm not sure how to implement this restriction), as these are all local
data.
I plan to introduce this feature to ip/ip6/inet tables, and a syntax question
has come up regarding this.
In ip/ip6, the family to forward to (and match to) is trivial, but in inet it is
not.
One possibility is to describe the protocol in the statement like `tproxy
(ip|ip6) ...`. This can be necessary when using host names, but I think
unnecessary if only canonical address format is accepted.
Another possibility is to figure out the family based on the given address, this
seems to be feasible in the netlink_delinearize part and is sufficient if only
canonical addresses are accepted.
A third option may be the mixture of the first two. Families of the canonical
addresses are figured out, and protocol specification is required when hostname
is used.
I think if it is possible to avoid explicit protocol specification in the
command, we should avoid it. A specific family would be passed to the kernel in
each case.
What do you think about these?
Regards,
Máté
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html