Open Source and information security mailing list archives
Date:   Sat, 7 Nov 2020 14:34:17 -0800
From:   Jakub Kicinski <kuba@...nel.org>
To:     Motiejus Jakštys <desired.mta@...il.com>
Cc:     netdev@...r.kernel.org, trivial@...nel.org
Subject: Re: [PATCH] Documentation: tproxy: more gentle intro (re-post #2)

On Thu,  5 Nov 2020 12:26:04 +0200 Motiejus Jakštys wrote:
> Clarify tproxy documentation, so it's easier to read/understand without
> a-priori in-kernel transparent proxying knowledge.
> 
> Remove a reference to linux 2.2 and cosmetic Sphinx changes and address
> comments from kuba@.
> 
> Sorry for re-posting, I realized I left a gap just after sending.
> 
> Signed-off-by: Motiejus Jakštys <desired.mta@...il.com>

> diff --git a/Documentation/networking/tproxy.rst b/Documentation/networking/tproxy.rst
> index 00dc3a1a66b4..d2673de0e408 100644
> --- a/Documentation/networking/tproxy.rst
> +++ b/Documentation/networking/tproxy.rst
> @@ -1,42 +1,45 @@
>  .. SPDX-License-Identifier: GPL-2.0
>  
> -=========================
> -Transparent proxy support
> -=========================
> +==========================
> +Transparent proxy (TPROXY)
> +==========================
>  
> -This feature adds Linux 2.2-like transparent proxy support to current kernels.
> -To use it, enable the socket match and the TPROXY target in your kernel config.
> -You will need policy routing too, so be sure to enable that as well.
> +TPROXY enables forwarding and intercepting packets that were destined for other

I would not say forwarding

> +endpoints, without using NAT chain or REDIRECT targets.

"without using NAT or the REDIRECT target"

> -From Linux 4.18 transparent proxy support is also available in nf_tables.
> +Intercepting non-local packets
> +==============================
>  
> -1. Making non-local sockets work
> -================================
> +To identify packets with destination address matching a local socket on your

> -Because of certain restrictions in the IPv4 routing output code you'll have to
> -modify your application to allow it to send datagrams _from_ non-local IP
> -addresses. All you have to do is enable the (SOL_IP, IP_TRANSPARENT) socket
> -option before calling bind::
> +.. code-block:: sh
> +
> +    ip rule add fwmark 1 lookup 100
> +    ip route add local 0.0.0.0/0 dev lo table 100
> +
> +Because of certain restrictions in the IPv4 routing application will need to be
> +modified to allow it to send datagrams *from* non-local IP addresses. Enable

"modified to enable sending datagrams" ... "Set"

> +the ``SOL_IP``, ``IP_TRANSPARENT`` socket options before calling ``bind``:
> +
> +.. code-block:: c
>  
>      fd = socket(AF_INET, SOCK_STREAM, 0);
>      /* - 8< -*/
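
Review bot: "the ``SOL_IP``, ``IP_TRANSPARENT`` socket options" in the new paragraph before the C block should be singular; it is one option, IP_TRANSPARENT at level SOL_IP, which the removed text had right as "(SOL_IP, IP_TRANSPARENT) socket option". Suggest "Set the IP_TRANSPARENT socket option (level SOL_IP) before calling bind:". The same paragraph also lost words from the old "restrictions in the IPv4 routing output code you'll have to modify your application", now reading "restrictions in the IPv4 routing application will need to be modified"; restore "output code, the application will need to be modified".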
> @@ -51,9 +54,22 @@ option before calling bind::
>  A trivial patch for netcat is available here:
>  http://people.netfilter.org/hidden/tproxy/netcat-ip_transparent-support.patch
>  
> +Kernel configuration
> +====================
>  
> -2. Redirecting traffic
> -======================
> +To use tproxy you'll need to have the following modules compiled for iptables:
> +
> +- ``NETFILTER_XT_MATCH_POLICY``

That's not the config option for policy routing.

> +- ``NETFILTER_XT_MATCH_SOCKET``
> +- ``NETFILTER_XT_TARGET_TPROXY``
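
Review bot: The new module list drops the removed "You will need policy routing too, so be sure to enable that as well" without carrying the requirement over, yet the "ip rule add fwmark 1 lookup 100" and "ip route add local 0.0.0.0/0 dev lo table 100" lines in the previous hunk only work with policy routing enabled. Suggest keeping an explicit sentence that policy routing (CONFIG_IP_MULTIPLE_TABLES) is required instead of listing NETFILTER_XT_MATCH_POLICY, which is the IPsec policy match. Also, this "Kernel configuration" section now lands after the section that already uses these modules; consider placing it before "Intercepting non-local packets" so the prerequisites come first.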
