CentOS - Oct 2019 - Attempting to use tproxy on Centos 8 fails with 'No such file or directory'

I was working on a haproxy transparent proxy setup that we had working 
on Centos 7 (iptables), but running into issues getting tproxy working 
with NFTables on Centos 8.
>From https://www.kernel.org/doc/Documentation/networking/tproxy.txt,
It should be a matter of:

# nft add table filter
# nft add chain filter divert "{ type filter hook prerouting priority -150;
}"
# nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set
1 accept

But when running the 3rd line (add rule), I get

root at kryptonite [/lib/modules/4.18.0-80.11.2.el8_0.x86_64]# nft add rule 
filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
Error: Could not process rule: No such file or directory
add rule filter divert meta l4proto tcp socket transparent 1 meta mark 
set 1 accept
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

(In attempting to resolve this, I did the following)

modprobe nf_tproxy_ipv4
modprobe nf_tproxy_ipv6
modprobe nf_socket_ipv4
modprobe nf_socket_ipv6

I also noted that:
nft add rule filter divert meta l4proto tcp? meta mark set 1 accept 
(Removing socket transparent 1)

does not exit with a failure.

Also found https://bugzilla.redhat.com/show_bug.cgi?id=1651813, (which 
did make reference to the nftables version 0.9.0 possibly missing 
support, I have not tried compiling 0.9.1 yet,? but I find it curious 
the entire line fails with 'socket transparent 1' making me wonder if it
is a missing module still)


-- 
Nathan Coulson
System Administrator for Bravenet Web Services
www.bravenet.com

On 2019-10-15 12:12 p.m., Nathan Coulson wrote:
> I was working on a haproxy transparent proxy setup that we had working 
> on Centos 7 (iptables), but running into issues getting tproxy working 
> with NFTables on Centos 8.
>
> From https://www.kernel.org/doc/Documentation/networking/tproxy.txt,
>
> It should be a matter of:
>
> # nft add table filter
> # nft add chain filter divert "{ type filter hook prerouting priority 
> -150; }"
> # nft add rule filter divert meta l4proto tcp socket transparent 1 
> meta mark set 1 accept
>
> But when running the 3rd line (add rule), I get
>
> root at kryptonite [/lib/modules/4.18.0-80.11.2.el8_0.x86_64]# nft add 
> rule filter divert meta l4proto tcp socket transparent 1 meta mark set 
> 1 accept
> Error: Could not process rule: No such file or directory
> add rule filter divert meta l4proto tcp socket transparent 1 meta mark 
> set 1 accept
>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>
> (In attempting to resolve this, I did the following)
>
> modprobe nf_tproxy_ipv4
> modprobe nf_tproxy_ipv6
> modprobe nf_socket_ipv4
> modprobe nf_socket_ipv6
>
> I also noted that:
> nft add rule filter divert meta l4proto tcp? meta mark set 1 accept 
> (Removing socket transparent 1)
>
> does not exit with a failure.
>
> Also found https://bugzilla.redhat.com/show_bug.cgi?id=1651813, (which 
> did make reference to the nftables version 0.9.0 possibly missing 
> support, I have not tried compiling 0.9.1 yet,? but I find it curious 
> the entire line fails with 'socket transparent 1' making me wonder
if
> it is a missing module still)
>
>
Adding to this:? just did a loop through the netfilter modules to see if 
something was missing (no change)

for x in $(find /lib/modules/4.18.0-80.11.2.el8_0.x86_64? | grep 
netfilter | sed 's/.*netfilter.//' | sed 's/\.ko.*$//' | sort);
do
echo ">>>>>>$x<<<<<<<<"
 ? modprobe $x
 ? nft add rule filter divert meta l4proto tcp socket transparent 1 meta 
mark set 1 accept
done


-- 
Nathan Coulson
System Administrator for Bravenet Web Services
www.bravenet.com

On 10/15/19 9:16 PM, Nathan Coulson wrote:
> On 2019-10-15 12:12 p.m., Nathan Coulson wrote:
>> I was working on a haproxy transparent proxy setup that we had working
>> on Centos 7 (iptables), but running into issues getting tproxy working
>> with NFTables on Centos 8.
>>
>> From https://www.kernel.org/doc/Documentation/networking/tproxy.txt,
>>
>> It should be a matter of:
>>
>> # nft add table filter
>> # nft add chain filter divert "{ type filter hook prerouting
priority
>> -150; }"
>> # nft add rule filter divert meta l4proto tcp socket transparent 1
>> meta mark set 1 accept
>>
>> But when running the 3rd line (add rule), I get
>>
>> root at kryptonite [/lib/modules/4.18.0-80.11.2.el8_0.x86_64]# nft add
>> rule filter divert meta l4proto tcp socket transparent 1 meta mark set
>> 1 accept
>> Error: Could not process rule: No such file or directory
>> add rule filter divert meta l4proto tcp socket transparent 1 meta mark
>> set 1 accept
>>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>
>>
>> (In attempting to resolve this, I did the following)
>>
>> modprobe nf_tproxy_ipv4
>> modprobe nf_tproxy_ipv6
>> modprobe nf_socket_ipv4
>> modprobe nf_socket_ipv6
>>
>> I also noted that:
>> nft add rule filter divert meta l4proto tcp? meta mark set 1 accept
>> (Removing socket transparent 1)
>>
>> does not exit with a failure.
>>
>> Also found https://bugzilla.redhat.com/show_bug.cgi?id=1651813, (which
>> did make reference to the nftables version 0.9.0 possibly missing
>> support, I have not tried compiling 0.9.1 yet,? but I find it curious
>> the entire line fails with 'socket transparent 1' making me
wonder if
>> it is a missing module still)
>>
>>
> Adding to this:? just did a loop through the netfilter modules to see if
> something was missing (no change)
> 
> for x in $(find /lib/modules/4.18.0-80.11.2.el8_0.x86_64? | grep
> netfilter | sed 's/.*netfilter.//' | sed 's/\.ko.*$//' |
sort); do
> echo ">>>>>>$x<<<<<<<<"
> ? modprobe $x
> ? nft add rule filter divert meta l4proto tcp socket transparent 1 meta
> mark set 1 accept
> done
> 
> 
How is that solved for Fedora 28 that CentOS 8 is based on?

-- 
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

StarOS, Mikrotik and CentOS/RHEL/Linux consultant