Message-ID: <20201107143417.7bfefd47@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
Date: Sat, 7 Nov 2020 14:34:17 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Motiejus Jakštys <desired.mta@...il.com>
Cc: netdev@...r.kernel.org, trivial@...nel.org
Subject: Re: [PATCH] Documentation: tproxy: more gentle intro (re-post #2)
On Thu, 5 Nov 2020 12:26:04 +0200 Motiejus Jakštys wrote:
> Clarify tproxy documentation, so it's easier to read/understand without
> a priori in-kernel transparent proxying knowledge.
>
> Remove a reference to linux 2.2 and cosmetic Sphinx changes and address
> comments from kuba@.
>
> Sorry for re-posting, I realized I left a gap just after sending.
>
> Signed-off-by: Motiejus Jakštys <desired.mta@...il.com>
> diff --git a/Documentation/networking/tproxy.rst b/Documentation/networking/tproxy.rst
> index 00dc3a1a66b4..d2673de0e408 100644
> --- a/Documentation/networking/tproxy.rst
> +++ b/Documentation/networking/tproxy.rst
> @@ -1,42 +1,45 @@
> .. SPDX-License-Identifier: GPL-2.0
>
> -=========================
> -Transparent proxy support
> -=========================
> +==========================
> +Transparent proxy (TPROXY)
> +==========================
>
> -This feature adds Linux 2.2-like transparent proxy support to current kernels.
> -To use it, enable the socket match and the TPROXY target in your kernel config.
> -You will need policy routing too, so be sure to enable that as well.
> +TPROXY enables forwarding and intercepting packets that were destined for other
I would not say forwarding
> +endpoints, without using NAT chain or REDIRECT targets.
"without using NAT or the REDIRECT target"
> -From Linux 4.18 transparent proxy support is also available in nf_tables.
> +Intercepting non-local packets
> +==============================
>
> -1. Making non-local sockets work
> -================================
> +To identify packets with destination address matching a local socket on your
> -Because of certain restrictions in the IPv4 routing output code you'll have to
> -modify your application to allow it to send datagrams _from_ non-local IP
> -addresses. All you have to do is enable the (SOL_IP, IP_TRANSPARENT) socket
> -option before calling bind::
> +.. code-block:: sh
> +
> + ip rule add fwmark 1 lookup 100
> + ip route add local 0.0.0.0/0 dev lo table 100
> +
> +Because of certain restrictions in the IPv4 routing application will need to be
> +modified to allow it to send datagrams *from* non-local IP addresses. Enable
"modified to enable sending datagrams" ... "Set"
> +the ``SOL_IP``, ``IP_TRANSPARENT`` socket options before calling ``bind``:
> +
> +.. code-block:: c
>
> fd = socket(AF_INET, SOCK_STREAM, 0);
> /* - 8< -*/
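Review bot: the added line "+To identify packets with destination address matching a local socket on your" stops mid-sentence and is followed directly by the ".. code-block:: sh" directive, so the rendered page will have a dangling fragment in front of the ip rule/ip route snippet; finish the sentence (e.g. "... on your host, set up the following policy routing rules:") and say where fwmark 1 gets applied, since the "local 0.0.0.0/0 ... table 100" route delivers every marked packet locally and the reader has not yet seen the rule that sets the mark. Two smaller points in the same hunk: "-From Linux 4.18 transparent proxy support is also available in nf_tables." is removed without a replacement, which drops a useful fact rather than clarifying it, and the rewritten "+Because of certain restrictions in the IPv4 routing application will need to be" lost "output code, the" from the original wording and no longer parses.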
> @@ -51,9 +54,22 @@ option before calling bind::
> A trivial patch for netcat is available here:
> http://people.netfilter.org/hidden/tproxy/netcat-ip_transparent-support.patch
>
> +Kernel configuration
> +====================
>
> -2. Redirecting traffic
> -======================
> +To use tproxy you'll need to have the following modules compiled for iptables:
> +
> +- ``NETFILTER_XT_MATCH_POLICY``
That's not the config option for policy routing.
> +- ``NETFILTER_XT_MATCH_SOCKET``
> +- ``NETFILTER_XT_TARGET_TPROXY``
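Review bot: the lead-in "+To use tproxy you'll need to have the following modules compiled for iptables:" describes the list as iptables modules, but the items are kernel Kconfig symbols (NETFILTER_XT_MATCH_SOCKET, NETFILTER_XT_TARGET_TPROXY); call them kernel config options. The removed intro also said "You will need policy routing too", which is a core networking feature (multiple routing tables and ip rule) rather than a netfilter match, so that requirement should be restated in plain words instead of being represented by NETFILTER_XT_MATCH_POLICY, which, as already noted above, is not the policy routing option.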