On Tue, Jul 10, 2018 at 12:54:24PM +0200, Pablo Neira Ayuso wrote:
[...]
> > > Please, could you describe how you have tested the nft tproxy
> > > datapath? Did you run any example configuration to make sure things
> > > are working? If so, please slightly describe.
> > >
> > > Thanks.
> >
> > I used the tcprdr [2] as a proxy software at point X, netcat (OpenBSD
> > version
> > that can handle IPv6) as a server at point Z, and telnet as a clinet at
> > point Y.
> > See the topology at [1].
> >
> > The config of X was the following:
> > # ip rule add fwmark 1 lookup 100
> > # ip route add local 0.0.0.0/0 dev lo table 100
> > # ip -6 rule add fwmark 1 lookup 100
> > # ip -6 route add local ::/0 dev lo table 100
> > # nft -f testrules
> >
> > # cat testrules
> > table inet x {
> > chain y {
> > type filter hook prerouting priority -150;
> > policy accept;
> > meta l4proto tcp socket transparent 1 mark set
> > 0x00000001 accept
> > tcp dport http tproxy to :50080 mark set
> > 0x00000001 accept
> > }
> > }
> >
> > # ./tcprdr -4 -t -T 50080 192.0.2.130 80
> > and for ipv6
> > # ./tcprdr -6 -t -T 50080 2001:db8:0:1::2 80
> >
> > Commands on Z:
> > # nc -l -p 80
> > and for ipv6
> > # nc -6 -l -p 80
> > Z also had routes to Y via X.
> >
> > Commands on Y:
> > # telnet 192.0.2.3 80
> > # telnet 2001:db8:0:0::3 80
> >
> > I also tried how it works when tproxy target address is specified (tcprdr
> > -L can
> > be used for it) and protocol-specific cases too.
> >
> > Proof at point X:
> > # ss -tpn
> > State Recv-Q Send-Q Local
> > Address:Port Peer Address:Port
> > ESTAB 0 0
> > 192.0.2.3:22 192.0.2.1:45006
> > users:(("sshd",pid=452,fd=3))
> > ESTAB 0 0
> > [2001:db8::3]:80 [2001:db8::1]:51900
> > users:(("tcprdr",pid=534,fd=4))
> > ESTAB 0 0
> > [2001:db8::1]:51900 [2001:db8:0:1::2]:80
> > users:(("tcprdr",pid=534,fd=5))
> >
> >
> >
> > Regarding the code, I added some checks to during the debugging which could
> > occur with a non-nft frontend, but now they are checked.
> >
> > [1]:
> > IPv4:
> > +---+ .129 .130 +---+
> > (proxy) | X |--------------------| Z | (server)
> > +---+ 192.0.2.128/25 +---+
> > | .3
> > |
> > | 192.0.2.0/25
> > |
> > | .1
> > +---+
> > | Y | (client)
> > +---+
> >
> > IPv6:
> > +---+ :1 :2 +---+
> > (proxy) | X |--------------------| Z | (server)
> > +---+ 2001:db8:0:1::/64 +---+
> > | :3
> > |
> > | 2001:db8:0:0::/64
> > |
> > | :1
> > +---+
> > | Y | (client)
> > +---+
> >
> > X and Z are VirtualBox VMs
> >
> > [2]: https://git.breakpoint.cc/cgit/fw/tcprdr.git/
>
> Thanks for explaining.
>
> Good to know about this example BTW.
>
> Probably we can add this TPROXY demo somewhere in the netfilter tree,
> this is something that has been always missing.
I planned to add this to Documentation/networking/tproxy.txt. Should I do it in
this commit?
> I know of other examples on the Internet, but one from Florian would
> be definitely better.
>
> Florian, do you think it's worth placing this somewhere at
> netfilter.org?
>
> Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
