[CentOS] Attempting to use tproxy on Centos 8 fails with 'No such file or directory'

Wed Oct 16 00:02:05 UTC 2019
Nathan Coulson <nathan at bravenet.com>

On 2019-10-15 12:46 p.m., Ljubomir Ljubojevic wrote:
> On 10/15/19 9:16 PM, Nathan Coulson wrote:
>> On 2019-10-15 12:12 p.m., Nathan Coulson wrote:
>>> I was working on a haproxy transparent proxy setup that we had working
>>> on Centos 7 (iptables), but running into issues getting tproxy working
>>> with NFTables on Centos 8.
>>>
>>> From https://www.kernel.org/doc/Documentation/networking/tproxy.txt,
>>>
>>> It should be a matter of:
>>>
>>> # nft add table filter
>>> # nft add chain filter divert "{ type filter hook prerouting priority -150; }"
>>> # nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
>>>
>>> But when running the 3rd line (add rule), I get
>>>
>>> root at kryptonite [/lib/modules/4.18.0-80.11.2.el8_0.x86_64]# nft add
>>> rule filter divert meta l4proto tcp socket transparent 1 meta mark set
>>> 1 accept
>>> Error: Could not process rule: No such file or directory
>>> add rule filter divert meta l4proto tcp socket transparent 1 meta mark
>>> set 1 accept
>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>
>>>
>>> (In attempting to resolve this, I did the following)
>>>
>>> modprobe nf_tproxy_ipv4
>>> modprobe nf_tproxy_ipv6
>>> modprobe nf_socket_ipv4
>>> modprobe nf_socket_ipv6
>>>
>>> I also noted that:
>>> nft add rule filter divert meta l4proto tcp  meta mark set 1 accept
>>> (Removing socket transparent 1)
>>>
>>> does not exit with a failure.
>>>
>>> Also found https://bugzilla.redhat.com/show_bug.cgi?id=1651813 (which
>>> did make reference to the nftables version 0.9.0 possibly missing
>>> support; I have not tried compiling 0.9.1 yet, but I find it curious
>>> the entire line fails with 'socket transparent 1', making me wonder if
>>> it is a missing module still).
>>>
>>>
>> Adding to this: I just did a loop through the netfilter modules to see if
>> something was missing (no change).
>>
>> for x in $(find /lib/modules/4.18.0-80.11.2.el8_0.x86_64 | grep netfilter | sed 's/.*netfilter.//' | sed 's/\.ko.*$//' | sort); do
>>     echo ">>>>>>$x<<<<<<<<"
>>     modprobe $x
>>     nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
>> done
>>
>>
> How is that solved for Fedora 28 that CentOS 8 is based on?
>
I can't say.

The ticket itself was obviously the same issue (I want to say that 
socket/tproxy nft modules were unloaded for the ticket owner), but the 
modules in CentOS 8 are a touch different from what is described in the 
ticket (not sure what they are without more research, but I was 
suspecting that xt_TPROXY and xt_socket was what I may need, but it didn't 
help).

It also made reference to nftables needing to be 0.9.1 vs 0.9.0, but I 
did note the entire line was shown wrong, and that it does seem to take 
'socket transparent 1' as a valid argument to that line (removing 
'transparent 1', it says it expects transparent to follow socket). So I don't 
know how much that contributes.

(and then transformed into kernel crashes when those nft rules were 
added, which is at least currently not part of the issue)

Gut feeling would be a missing module, but I feel like I am missing part 
of the puzzle for this.

-- 
Nathan Coulson
System Administrator for Bravenet Web Services
www.bravenet.com
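A diagnostic helper, added here and not part of the thread, that checks the two things the discussion circles around: whether the running kernel ships the modules behind the nftables `socket`/`tproxy` expressions, and whether the nft userspace is at least the 0.9.1 the Bugzilla ticket mentions. It assumes those expressions are provided by the kernel modules nft_socket and nft_tproxy (CONFIG_NFT_SOCKET / CONFIG_NFT_TPROXY), which is my reading of the mainline kernel and not something the thread states; the nf_socket_* and nf_tproxy_* modules the poster loaded are only their helpers.

```sh
#!/bin/sh
# Added diagnostic helper, not from the thread. Assumption: the nftables
# 'socket' and 'tproxy' expressions are implemented by the kernel modules
# nft_socket and nft_tproxy (CONFIG_NFT_SOCKET / CONFIG_NFT_TPROXY); the
# nf_socket_* / nf_tproxy_* modules loaded in the thread are only helpers.

# check_nft_expr_support MODULES_DIR KERNEL_CONFIG
# Reports each required component and returns the number that are missing,
# which is the usual cause of ENOENT from 'nft add rule ... socket ...'.
check_nft_expr_support() {
    moddir=$1; kconfig=$2; missing=0
    for mod in nft_socket nft_tproxy nf_socket_ipv4 nf_tproxy_ipv4; do
        opt="CONFIG_$(echo "$mod" | tr '[:lower:]' '[:upper:]')"
        if grep -q "^${opt}=y" "$kconfig" 2>/dev/null; then
            echo "built in:        $mod ($opt=y)"
        elif find "$moddir" -name "${mod}.ko*" 2>/dev/null | grep -q .; then
            echo "module present:  $mod"
        else
            echo "MISSING:         $mod ($opt)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# ver_ge A B: true when dotted version A is at least B (POSIX sort only).
ver_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$2" ]
}

# nft_version_ok WANT [VERSION_STRING]: checks the userspace nft version,
# defaulting to the installed binary's 'nft --version' output.
nft_version_ok() {
    raw=${2:-$(nft --version 2>/dev/null)}
    have=$(printf '%s\n' "$raw" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p' | head -n1)
    [ -n "$have" ] || return 2
    ver_ge "$have" "$1"
}

# Typical use on the affected host:
#   check_nft_expr_support "/lib/modules/$(uname -r)" "/boot/config-$(uname -r)"
#   nft_version_ok 0.9.1 && echo "nft userspace is new enough"
```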