Nathan Coulson
2019-Oct-15 19:12 UTC
[CentOS] Attempting to use tproxy on Centos 8 fails with 'No such file or directory'
I was working on a haproxy transparent proxy setup that we had working on Centos 7 (iptables), but running into issues getting tproxy working with NFTables on Centos 8.>From https://www.kernel.org/doc/Documentation/networking/tproxy.txt,It should be a matter of: # nft add table filter # nft add chain filter divert "{ type filter hook prerouting priority -150; }" # nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept But when running the 3rd line (add rule), I get root at kryptonite [/lib/modules/4.18.0-80.11.2.el8_0.x86_64]# nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept Error: Could not process rule: No such file or directory add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ (In attempting to resolve this, I did the following) modprobe nf_tproxy_ipv4 modprobe nf_tproxy_ipv6 modprobe nf_socket_ipv4 modprobe nf_socket_ipv6 I also noted that: nft add rule filter divert meta l4proto tcp? meta mark set 1 accept (Removing socket transparent 1) does not exit with a failure. Also found https://bugzilla.redhat.com/show_bug.cgi?id=1651813, (which did make reference to the nftables version 0.9.0 possibly missing support, I have not tried compiling 0.9.1 yet,? but I find it curious the entire line fails with 'socket transparent 1' making me wonder if it is a missing module still) -- Nathan Coulson System Administrator for Bravenet Web Services www.bravenet.com
Nathan Coulson
2019-Oct-15 19:16 UTC
[CentOS] Attempting to use tproxy on Centos 8 fails with 'No such file or directory'
On 2019-10-15 12:12 p.m., Nathan Coulson wrote:> I was working on a haproxy transparent proxy setup that we had working > on Centos 7 (iptables), but running into issues getting tproxy working > with NFTables on Centos 8. > > From https://www.kernel.org/doc/Documentation/networking/tproxy.txt, > > It should be a matter of: > > # nft add table filter > # nft add chain filter divert "{ type filter hook prerouting priority > -150; }" > # nft add rule filter divert meta l4proto tcp socket transparent 1 > meta mark set 1 accept > > But when running the 3rd line (add rule), I get > > root at kryptonite [/lib/modules/4.18.0-80.11.2.el8_0.x86_64]# nft add > rule filter divert meta l4proto tcp socket transparent 1 meta mark set > 1 accept > Error: Could not process rule: No such file or directory > add rule filter divert meta l4proto tcp socket transparent 1 meta mark > set 1 accept > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > > (In attempting to resolve this, I did the following) > > modprobe nf_tproxy_ipv4 > modprobe nf_tproxy_ipv6 > modprobe nf_socket_ipv4 > modprobe nf_socket_ipv6 > > I also noted that: > nft add rule filter divert meta l4proto tcp? meta mark set 1 accept > (Removing socket transparent 1) > > does not exit with a failure. > > Also found https://bugzilla.redhat.com/show_bug.cgi?id=1651813, (which > did make reference to the nftables version 0.9.0 possibly missing > support, I have not tried compiling 0.9.1 yet,? but I find it curious > the entire line fails with 'socket transparent 1' making me wonder if > it is a missing module still) > >Adding to this:? just did a loop through the netfilter modules to see if something was missing (no change) for x in $(find /lib/modules/4.18.0-80.11.2.el8_0.x86_64? | grep netfilter | sed 's/.*netfilter.//' | sed 's/\.ko.*$//' | sort); do echo ">>>>>>$x<<<<<<<<" ? modprobe $x ? nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept done -- Nathan Coulson System Administrator for Bravenet Web Services www.bravenet.com
Ljubomir Ljubojevic
2019-Oct-15 19:46 UTC
[CentOS] Attempting to use tproxy on Centos 8 fails with 'No such file or directory'
On 10/15/19 9:16 PM, Nathan Coulson wrote:> On 2019-10-15 12:12 p.m., Nathan Coulson wrote: >> I was working on a haproxy transparent proxy setup that we had working >> on Centos 7 (iptables), but running into issues getting tproxy working >> with NFTables on Centos 8. >> >> From https://www.kernel.org/doc/Documentation/networking/tproxy.txt, >> >> It should be a matter of: >> >> # nft add table filter >> # nft add chain filter divert "{ type filter hook prerouting priority >> -150; }" >> # nft add rule filter divert meta l4proto tcp socket transparent 1 >> meta mark set 1 accept >> >> But when running the 3rd line (add rule), I get >> >> root at kryptonite [/lib/modules/4.18.0-80.11.2.el8_0.x86_64]# nft add >> rule filter divert meta l4proto tcp socket transparent 1 meta mark set >> 1 accept >> Error: Could not process rule: No such file or directory >> add rule filter divert meta l4proto tcp socket transparent 1 meta mark >> set 1 accept >> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >> >> >> (In attempting to resolve this, I did the following) >> >> modprobe nf_tproxy_ipv4 >> modprobe nf_tproxy_ipv6 >> modprobe nf_socket_ipv4 >> modprobe nf_socket_ipv6 >> >> I also noted that: >> nft add rule filter divert meta l4proto tcp? meta mark set 1 accept >> (Removing socket transparent 1) >> >> does not exit with a failure. >> >> Also found https://bugzilla.redhat.com/show_bug.cgi?id=1651813, (which >> did make reference to the nftables version 0.9.0 possibly missing >> support, I have not tried compiling 0.9.1 yet,? but I find it curious >> the entire line fails with 'socket transparent 1' making me wonder if >> it is a missing module still) >> >> > Adding to this:? just did a loop through the netfilter modules to see if > something was missing (no change) > > for x in $(find /lib/modules/4.18.0-80.11.2.el8_0.x86_64? | grep > netfilter | sed 's/.*netfilter.//' | sed 's/\.ko.*$//' | sort); do > echo ">>>>>>$x<<<<<<<<" > ? modprobe $x > ? nft add rule filter divert meta l4proto tcp socket transparent 1 meta > mark set 1 accept > done > >How is that solved for Fedora 28 that CentOS 8 is based on? -- Ljubomir Ljubojevic (Love is in the Air) PL Computers Serbia, Europe StarOS, Mikrotik and CentOS/RHEL/Linux consultant
Possibly Parallel Threads
- Attempting to use tproxy on Centos 8 fails with 'No such file or directory'
- Attempting to use tproxy on Centos 8 fails with 'No such file or directory'
- [Bug 1310] New: syntax issue with tproxy
- [Bug 1686] New: Transparent proxy support requires transport protocol match
- TPROXY configuration