On Tue, Jul 10, 2018 at 01:26:41PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Jul 10, 2018 at 01:19:21PM +0200, Máté Eckl wrote:
> > On Tue, Jul 10, 2018 at 12:54:24PM +0200, Pablo Neira Ayuso wrote:
> > [...]
> > > > > Please, could you describe how you have tested the nft tproxy
> > > > > datapath? Did you run any example configuration to make sure things
> > > > > are working? If so, please slightly describe.
> > > > >
> > > > > Thanks.
> > > >
> > > > I used the tcprdr [2] as a proxy software at point X, netcat (OpenBSD
> > > > version
> > > > that can handle IPv6) as a server at point Z, and telnet as a clinet at
> > > > point Y.
> > > > See the topology at [1].
> > > >
> > > > The config of X was the following:
> > > > # ip rule add fwmark 1 lookup 100
> > > > # ip route add local 0.0.0.0/0 dev lo table 100
> > > > # ip -6 rule add fwmark 1 lookup 100
> > > > # ip -6 route add local ::/0 dev lo table 100
> > > > # nft -f testrules
> > > >
> > > > # cat testrules
> > > > table inet x {
> > > > chain y {
> > > > type filter hook prerouting priority
> > > > -150; policy accept;
> > > > meta l4proto tcp socket transparent 1
> > > > mark set 0x00000001 accept
> > > > tcp dport http tproxy to :50080 mark
> > > > set 0x00000001 accept
> > > > }
> > > > }
> > > >
> > > > # ./tcprdr -4 -t -T 50080 192.0.2.130 80
> > > > and for ipv6
> > > > # ./tcprdr -6 -t -T 50080 2001:db8:0:1::2 80
> > > >
> > > > Commands on Z:
> > > > # nc -l -p 80
> > > > and for ipv6
> > > > # nc -6 -l -p 80
> > > > Z also had routes to Y via X.
> > > >
> > > > Commands on Y:
> > > > # telnet 192.0.2.3 80
> > > > # telnet 2001:db8:0:0::3 80
> > > >
> > > > I also tried how it works when tproxy target address is specified
> > > > (tcprdr -L can
> > > > be used for it) and protocol-specific cases too.
> > > >
> > > > Proof at point X:
> > > > # ss -tpn
> > > > State Recv-Q Send-Q
> > > > Local Address:Port Peer Address:Port
> > > > ESTAB 0 0
> > > > 192.0.2.3:22 192.0.2.1:45006
> > > > users:(("sshd",pid=452,fd=3))
> > > > ESTAB 0 0
> > > > [2001:db8::3]:80 [2001:db8::1]:51900
> > > > users:(("tcprdr",pid=534,fd=4))
> > > > ESTAB 0 0
> > > > [2001:db8::1]:51900 [2001:db8:0:1::2]:80
> > > > users:(("tcprdr",pid=534,fd=5))
> > > >
> > > >
> > > >
> > > > Regarding the code, I added some checks to during the debugging which
> > > > could
> > > > occur with a non-nft frontend, but now they are checked.
> > > >
> > > > [1]:
> > > > IPv4:
> > > > +---+ .129 .130 +---+
> > > > (proxy) | X |--------------------| Z | (server)
> > > > +---+ 192.0.2.128/25 +---+
> > > > | .3
> > > > |
> > > > | 192.0.2.0/25
> > > > |
> > > > | .1
> > > > +---+
> > > > | Y | (client)
> > > > +---+
> > > >
> > > > IPv6:
> > > > +---+ :1 :2 +---+
> > > > (proxy) | X |--------------------| Z | (server)
> > > > +---+ 2001:db8:0:1::/64 +---+
> > > > | :3
> > > > |
> > > > | 2001:db8:0:0::/64
> > > > |
> > > > | :1
> > > > +---+
> > > > | Y | (client)
> > > > +---+
> > > >
> > > > X and Z are VirtualBox VMs
> > > >
> > > > [2]: https://git.breakpoint.cc/cgit/fw/tcprdr.git/
> > >
> > > Thanks for explaining.
> > >
> > > Good to know about this example BTW.
> > >
> > > Probably we can add this TPROXY demo somewhere in the netfilter tree,
> > > this is something that has been always missing.
> >
> > I planned to add this to Documentation/networking/tproxy.txt. Should I do
> > it in
> > this commit?
>
> Not sure.
>
> Placing code into .txt file is strange to me, probably somewhere where
> this can be handled as source code that can be easily compiled.
What do you mean? These are just shell commands.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
