I was working on a haproxy transparent proxy setup that we had working on CentOS 7 (iptables), but am running into issues getting tproxy working with nftables on CentOS 8.
From https://www.kernel.org/doc/Documentation/networking/tproxy.txt, it should be a matter of:
    # nft add table filter
    # nft add chain filter divert "{ type filter hook prerouting priority -150; }"
    # nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
But when running the 3rd line (add rule), I get:
    root@kryptonite [/lib/modules/4.18.0-80.11.2.el8_0.x86_64]# nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
    Error: Could not process rule: No such file or directory
    add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
(In attempting to resolve this, I did the following:)
    modprobe nf_tproxy_ipv4
    modprobe nf_tproxy_ipv6
    modprobe nf_socket_ipv4
    modprobe nf_socket_ipv6
I also noted that:
    nft add rule filter divert meta l4proto tcp meta mark set 1 accept
(removing 'socket transparent 1') does not exit with a failure.
Also found https://bugzilla.redhat.com/show_bug.cgi?id=1651813, which made reference to nftables version 0.9.0 possibly missing support. I have not tried compiling 0.9.1 yet, but I find it curious that the entire line fails with 'socket transparent 1', making me wonder if it is still a missing module.
On 2019-10-15 12:12 p.m., Nathan Coulson wrote:
Adding to this: I just did a loop through the netfilter modules to see if something was missing (no change):
    # for every module file under a netfilter/ directory of the running kernel:
    # load it, then retry the failing rule
    for x in $(find /lib/modules/4.18.0-80.11.2.el8_0.x86_64 | grep netfilter | sed 's/.*netfilter.//' | sed 's/.ko.*$//' | sort); do
        echo ">>>>>>$x<<<<<<<<"
        modprobe $x
        nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
    done
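A read-only diagnostic for this situation, added here and not part of Nathan's posts: it checks whether module files for the nf_tables expression modules behind the 'socket' and 'tproxy' keywords (nft_socket, nft_tproxy; nf_socket_ipv4 and nf_tproxy_ipv4 are only their backends) exist at all for the running kernel, which a loop over the files that are present would silently skip if the kernel never shipped them, and whether nft is at least the 0.9.1 the bugzilla mentions. The required module set and the version threshold are assumptions taken from the thread; the live part only runs with --run.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Read-only: it never loads modules or
# touches the live ruleset. It checks two things the discussion circles around:
#   1. whether the kernel ships the expression modules behind the nft
#      'socket' and 'tproxy' keywords (nft_socket, nft_tproxy); the
#      nf_socket_ipv4 / nf_tproxy_ipv4 modules are only their backends
#      (assumed required set; adjust for your kernel)
#   2. whether the installed nft is at least 0.9.1 (version from the bugzilla)
# The helpers take their inputs as arguments so they can be exercised offline.

# version_ge A B: succeed when dotted version A is >= B (numeric, per field)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# parse_nft_version "nftables v0.9.0 (Fearless Fosdick)" -> prints 0.9.0
parse_nft_version() {
    printf '%s\n' "$1" | sed -n 's/^nftables v\([0-9][0-9.]*\).*/\1/p'
}

# missing_modules MODDIR: print each required module that has no .ko file
# anywhere under MODDIR (e.g. /lib/modules/$(uname -r))
missing_modules() {
    for m in nft_socket nft_tproxy nf_socket_ipv4 nf_tproxy_ipv4; do
        find "$1" -name "$m.ko*" 2>/dev/null | grep -q . || echo "$m"
    done
}

# Live check; run as: sh tproxy-check.sh --run
if [ "${1:-}" = "--run" ]; then
    moddir="/lib/modules/$(uname -r)"
    missing=$(missing_modules "$moddir")
    if [ -n "$missing" ]; then
        echo "no module file under $moddir for:"; echo "$missing"
        echo "(ENOENT from 'nft add rule' is what a kernel lacking the expression's module reports)"
    fi
    ver=$(parse_nft_version "$(nft --version 2>/dev/null)")
    if [ -n "$ver" ] && ! version_ge "$ver" 0.9.1; then
        echo "nft $ver is older than 0.9.1"
    fi
fi
```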
On 10/15/19 9:16 PM, Nathan Coulson wrote:
How is that solved for Fedora 28, which CentOS 8 is based on?
On 2019-10-15 12:46 p.m., Ljubomir Ljubojevic wrote:
I can't say.
The ticket itself was obviously the same issue (I want to say that the socket/tproxy nft modules were unloaded for the ticket owner), but the modules in CentOS 8 are a touch different from what is described in the ticket (not sure what they are without more research, but I was suspecting that xt_TPROXY and xt_socket were what I might need, but that didn't help).
It also made reference to nftables needing to be 0.9.1 vs 0.9.0, but I did note the entire line was shown as wrong, and that it does seem to take 'socket transparent 1' as a valid argument on that line (removing 'transparent 1' says it expects transparent to follow socket). So I don't know how much that contributes.
(And it then turned into kernel crashes when those nft rules were added, which is at least currently not part of the issue.)
Gut feeling would be a missing module, but I feel like I am missing part of the puzzle for this.