Máté Eckl <[email protected]> wrote: > I've been working on implementing tproxy matching to nftables, and I'd like > you > to comment on the planned syntax and possibilities. > > Basically I have planned an interface similar to nat statements with some > restrictions. > > tproxy [<ip(v6) address>][:<port>] > > The restrictions (I can tell now): > - No ranges would be allowed: In some nat situatios it can be useful, but I > don't see the use-case where ranges would be necessary in either the address > or port as they are local destination data. > - I wouldn't allow host names or protocol names in the expressions (however, > for > now, I'm not sure, how to implement this restriction), as these are all > local > data. > > I plan to introduce this feature to ip/ip6/inet tables, and a syntax question > has came up regarding this. > In ip/ip6, the family to forward to (and match to) is trivial, but in inet it > is > not.
Right. I guess it might work without extra 'ip'/'ip6' but it requires guesswork. It could be done from evaulation phase, see evaluate_addr(). If hostnames are not allowed, then it would be fairly siple to detect ipv4 vs. ivp6 address formatting. > A third option may be the mixture of the first two. Families of the canonical > addresses are figured out, and protocol specification is required when > hostname > is used. FWIW i don't think hostname support is needed. What should work is TPROXY TO COLON stmt_expr (tproxy to :8080) TPROXT TO stmt_expr COLON stmt_expr (tproxy to 192.168.0.1:8080) I'd suggest to start with this. > I think if it is possible to avoid explicit protocol specification in the > command, we should avoid it. A specific family would be passed to the kernel > in > each case. Right, in stmt_expr COLON stmt_expr case this will be needed to prevent attempt to match ipv4 address with ipv6 packet, and vice versa. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
