On Tue, Jul 10, 2018 at 12:39:54PM +0200, Máté Eckl wrote:
> On Mon, Jul 09, 2018 at 05:40:38PM +0200, Pablo Neira Ayuso wrote:
> > Hi Máté,
> > 
> > On Thu, Jun 28, 2018 at 06:42:58PM +0200, Máté Eckl wrote:
> > > v2:
> > >  - address or port is now compulsory
> > >  - nf_defrag_ipv{4,6}_enable called in init
> > >  - nft_tproxy now selects NF_DEFRAG_IPV4/6
> > >  - Add transport header presence test in ipv4 eval (in ipv6 it was
> > >    already present)
> > >  - Add check for the case when address is specified but the rule family
> > >    is not set accordingly
> > > 
> > > -- 8< --
> > > A great portion of the code is taken from xt_TPROXY.c
> > > 
> > > There are some changes compared to the iptables implementation:
> > >  - tproxy statement is not terminal here
> > 
> > Looks good to me, thanks.
> 
> I don't know how this works yet, but this code will fail to compile once
> the 'netfilter: nf_tproxy: fix possible non-linear access to transport header'
> patch is merged from the nf tree.

OK, then we need to wait to propagate that patch to nf-next.git

> Also based on the '[PATCH] netfilter: NFT_SOCKET don't use NF_SOCKET_IPV6
> without NF_TABLES_IPV6' thread I might need to change the IS_ENABLED macros to
> NF_TABLES_IPV6 in a next version of the patch.

Will reply to this in the corresponding thread.

> I'll have to change one anyways. So please wait for v4 patch before applying.
> 
> > Please, could you describe how you have tested the nft tproxy
> > datapath? Did you run any example configuration to make sure things
> > are working? If so, please slightly describe.
> > 
> > Thanks.
> 
> I used the tcprdr [2] as a proxy software at point X, netcat (OpenBSD version
> that can handle IPv6) as a server at point Z, and telnet as a client at point Y.
> See the topology at [1].
> 
> The config of X was the following:
>       # ip rule add fwmark 1 lookup 100
>       # ip route add local 0.0.0.0/0 dev lo table 100
>       # ip -6 rule add fwmark 1 lookup 100
>       # ip -6 route add local ::/0 dev lo table 100
>       # nft -f testrules
> 
>       # cat testrules
>               table inet x {
>                       chain y {
>                               type filter hook prerouting priority -150; policy accept;
>                               meta l4proto tcp socket transparent 1 mark set 0x00000001 accept
>                               tcp dport http tproxy to :50080 mark set 0x00000001 accept
>                       }
>               }
> 
>       # ./tcprdr -4 -t -T 50080 192.0.2.130 80
> and for ipv6
>       # ./tcprdr -6 -t -T 50080 2001:db8:0:1::2 80
> 
> Commands on Z:
>       # nc -l -p 80
> and for ipv6
>       # nc -6 -l -p 80
> Z also had routes to Y via X.
> 
> Commands on Y:
>       # telnet 192.0.2.3 80
>       # telnet 2001:db8:0:0::3 80
> 
> I also tried how it works when tproxy target address is specified (tcprdr -L
> can be used for it) and protocol-specific cases too.
> 
> Proof at point X:
>       # ss -tpn
>       State   Recv-Q   Send-Q   Local Address:Port       Peer Address:Port        Process
>       ESTAB   0        0        192.0.2.3:22             192.0.2.1:45006          users:(("sshd",pid=452,fd=3))
>       ESTAB   0        0        [2001:db8::3]:80         [2001:db8::1]:51900      users:(("tcprdr",pid=534,fd=4))
>       ESTAB   0        0        [2001:db8::1]:51900      [2001:db8:0:1::2]:80     users:(("tcprdr",pid=534,fd=5))
> 
> Regarding the code, I added some checks during the debugging for cases which
> could occur with a non-nft frontend, but now they are checked.
> 
> [1]:
>               IPv4:
>                        +---+ .129          .130 +---+
>                (proxy) | X |--------------------| Z | (server)
>                        +---+   192.0.2.128/25   +---+
>                          | .3
>                          |
>                          | 192.0.2.0/25
>                          |
>                          | .1
>                        +---+
>                        | Y | (client)
>                        +---+
> 
>               IPv6:
>                        +---+ :1              :2 +---+
>                (proxy) | X |--------------------| Z | (server)
>                        +---+  2001:db8:0:1::/64 +---+
>                          | :3
>                          |
>                          | 2001:db8:0:0::/64
>                          |
>                          | :1
>                        +---+
>                        | Y | (client)
>                        +---+
> 
>               X and Z are VirtualBox VMs
> 
> [2]: https://git.breakpoint.cc/cgit/fw/tcprdr.git/

Thanks for explaining.

Good to know about this example BTW.

Probably we can add this TPROXY demo somewhere in the netfilter tree,
this is something that has been always missing.

I know of other examples on the Internet, but one from Florian would
be definitely better.

Florian, do you think it's worth placing this somewhere at
netfilter.org?

Thanks.
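The proxy side of the setup above, as an added example that is neither tcprdr nor code from the patch: a minimal transparent TCP relay for point X. It assumes the ip rule/route entries and the nft ruleset quoted in the thread are already loaded (fwmark 1 to table 100, local route on lo, `tproxy to :50080`) and that it runs as root, since IP_TRANSPARENT/IPV6_TRANSPARENT need CAP_NET_ADMIN; the `IPV6_TRANSPARENT = 75` constant is taken from the Linux UAPI header because Python's socket module does not export it.

```python
import ipaddress
import select
import socket

LISTEN_PORT = 50080  # port used in the thread's 'tproxy to :50080' rule
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)  # <linux/in.h>
IPV6_TRANSPARENT = 75  # <linux/in6.h>; assumed, not exported by Python's socket module

def transparent_listener(port=LISTEN_PORT, backlog=16):
    """Dual-stack socket the kernel delivers TPROXY-diverted TCP to.
    Both options set the inet 'transparent' flag that nf_tproxy checks
    before handing a packet to a listener; setting them needs CAP_NET_ADMIN."""
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)  # v4 shows up as ::ffff:a.b.c.d
    s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    s.setsockopt(socket.IPPROTO_IPV6, IPV6_TRANSPARENT, 1)
    s.bind(("::", port))
    s.listen(backlog)
    return s

def original_destination(conn):
    """Address the client really dialed (e.g. 192.0.2.130:80): with TPROXY the
    accepted socket keeps the packet's original destination as its local
    address; only the listener sits on 50080. Needs nothing but getsockname()."""
    host, port = conn.getsockname()[:2]
    addr = ipaddress.ip_address(host)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # unwrap the v4-mapped form the dual-stack socket reports
    return str(addr), port

def relay_one(listener):
    # Accept one diverted connection, dial the real server, shuttle bytes both ways.
    client, peer = listener.accept()
    dst = original_destination(client)
    print(f"{peer[0]}:{peer[1]} -> {dst[0]}:{dst[1]}")
    upstream = socket.create_connection(dst)  # outbound leg uses X's own source address
    pairs = {client: upstream, upstream: client}
    while True:
        for sock in select.select(list(pairs), [], [])[0]:
            data = sock.recv(4096)
            if not data:  # one side closed: tear down both directions
                client.close(); upstream.close()
                return
            pairs[sock].sendall(data)

if __name__ == "__main__":
    with transparent_listener() as ln:
        while True:
            relay_one(ln)
```

Unlike `tcprdr -T 50080 192.0.2.130 80`, which is told its upstream on the command line, this relay recovers the upstream from the diverted socket, so one instance serves both the IPv4 and the IPv6 test from the thread.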