On 12/31/2015 08:55 AM, Tom Eastep wrote:
> On 12/29/2015 06:34 AM, Jacob W. Hiltz wrote:
>> Shorewall version 4.6.4.3
>>
>> I am trying to configure Shorewall such that it will allow
>> HAProxy, running on the same machine, to pass through the connecting
>> client's IP (transparent mode). I've tried to adapt a modified version of
>> the squid transparent configuration using TProxy but am unable to
>> connect to the backend servers.
>>
>> - Shorewall is the gateway for the backend servers
>> - HAProxy is correctly configured
>> - Kernel support compiled "CONFIG_NETFILTER_TPROXY"
>>   "CONFIG_NETFILTER_XT_TARGET_TPROXY"
>>
>> The below rules do fix my issue, allowing the connections. I am quite
>> new to Shorewall/IPTables but expect this to be somewhat of a tribal issue.
>>
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>
> Sorry to be slow responding - holiday season has been very busy.
>
> Shorewall does not currently include support for HAProxy and I need to
> understand what part of the TPROXY support is preventing HAProxy from
> working.
>
> If you change your second rule to include '--transparent' after
> 'socket', does it still work?
>
> If so, I assume that adding '! --tcp-flags FIN,SYN,RST,ACK SYN' after
> '-p tcp' prevents it from working?
>
Jacob,

Since I have not heard from you, I've gone ahead and implemented a DIVERTHA action in the mangle file. The attached patch has been back-ported to 4.6.4.3.

    patch /usr/share/shorewall/Shorewall/Tc.pm < DIVERTHA.patch

To setup the HAProxy configuration described at
http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x,
place this entry in shorewall-providers(5):

    #NAME    NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS
    TProxy   1       -     -          lo         -        tproxy

and use this DIVERTHA entry:

    #ACTION    SOURCE  DEST  PROTO  ...
    DIVERTHA   -       -     tcp

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index fbfd4da..eb474e5 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -454,6 +454,27 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
},
},
+ DIVERTHA => {
+ defaultchain => REALPREROUTING,
+ allowedchains => PREROUTING | REALPREROUTING,
+ minparams => 0,
+ maxparams => 0,
+ function => sub () {
+ fatal_error 'DIVERT is only allowed in the PREROUTING chain' if $designator && $designator != PREROUTING;
+ my $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
+
+ unless ( $divertref ) {
+ $divertref = new_chain( 'mangle', 'divert' );
+ add_ijump( $divertref , j => 'MARK', targetopts => "--set-mark $mark" );
+ add_ijump( $divertref , j => 'ACCEPT' );
+ }
+
+ $target = 'divert';
+
+ $matches = '-m socket ';
+ },
+ },
+
DSCP => {
defaultchain => 0,
allowedchains => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
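Review bot: the error text in `fatal_error 'DIVERT is only allowed in the PREROUTING chain'` names the wrong action for this DIVERTHA entry; a user who places DIVERTHA in a chain other than PREROUTING will be told about DIVERT, so it should read 'DIVERTHA is only allowed in the PREROUTING chain'. A short comment inside the action would also help: the match is set to the bare `-m socket ` (no `--transparent`, no `! --tcp-flags FIN,SYN,RST,ACK SYN` exclusion), which mirrors the raw rules that worked in the thread above, and that reasoning is not recorded anywhere in the code. Finally, the `unless ( $divertref )` guard reuses whatever 'divert' chain was created earlier, so the mark written here is always `$globals{TPROXY_MARK}` for both actions sharing `$divertref`; if that is intentional, a comment saying so would save the next reader a look through the rest of the file.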
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
