bugzilla-daemon at netfilter.org
2018-Dec-19 19:08 UTC
[Bug 1310] New: syntax issue with tproxy
https://bugzilla.netfilter.org/show_bug.cgi?id=1310
Bug ID: 1310
Summary: syntax issue with tproxy
Product: nftables
Version: unspecified
Hardware: All
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: arturo at debian.org
Not sure if really a syntax issue or a documentation issue.
Original Debian bug: https://bugs.debian.org/916863
>>
>> # nft add rule inet filter divert 'ip6 daddr ::/0 meta l4proto tcp tproxy to :2000 meta mark set 1 accept'
>> Error: syntax error, unexpected to
>> add rule inet filter divert ip6 daddr ::/0 meta l4proto tcp tproxy to :2000 meta mark set 1 accept
>>                                                                    ^^
>>
>> RedHats have the same problem:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1651813
>>
>
> This may be a bug in the documentation.
>
> Try something like:
>
> * tproxy ip to 192.0.2.1
> * tproxy ip6 to [2001:db8::1]:50080
It accepts an address, but then barfs at anything further, even EOL.
# nft add rule inet filter divert 'ip6 daddr ::/0 meta l4proto tcp tproxy ip6 [::1]'
Error: syntax error, unexpected newline
add rule inet filter divert ip6 daddr ::/0 meta l4proto tcp tproxy ip6 [::1]
                                                                                   ^
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20181219/b484d7d6/attachment.html>
bugzilla-daemon at netfilter.org
2019-Apr-01 17:44 UTC
[Bug 1310] syntax issue with tproxy
https://bugzilla.netfilter.org/show_bug.cgi?id=1310
Fernando F. Mancera <ffmancera at riseup.net> changed:

What          Removed    Added
----------------------------------------------------------------------------
CC                       ffmancera at riseup.net
--- Comment #1 from Fernando F. Mancera <ffmancera at riseup.net> ---
Hi Arturo! I have been trying to solve this issue. AFAIK, Fedora uses the last nftables stable release, which doesn't support tproxy. The syntax from the Red Hat and Debian tickets is fine.
# nft add table filter
# nft add chain filter divert "{ type filter hook prerouting priority -150; }"
# nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
# nft add rule filter divert tcp dport 80 tproxy to :50080 meta mark set 1 accept
# nft add rule filter divert 'ip daddr 127.0.0.1 meta l4proto tcp tproxy to :2000 meta mark set 1 accept'
# nft list ruleset
table ip filter {
    chain divert {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto tcp socket transparent 1 meta mark set 0x00000001 accept
        tcp dport 80 tproxy to :50080 meta mark set 0x00000001 accept
        ip daddr 127.0.0.1 meta l4proto tcp tproxy to :2000 meta mark set 0x00000001 accept
    }
}
Thank you!
bugzilla-daemon at netfilter.org
2019-Apr-03 20:26 UTC
[Bug 1310] syntax issue with tproxy
https://bugzilla.netfilter.org/show_bug.cgi?id=1310
Michał Mirosław <mirq-boogs at rere.qmqm.pl> changed:

What          Removed    Added
----------------------------------------------------------------------------
CC                       mirq-boogs at rere.qmqm.pl
--- Comment #2 from Michał Mirosław <mirq-boogs at rere.qmqm.pl> ---
Debian's version is v0.9.0 and doesn't support tproxy yet.
I tried current git master, but there seem to be some bugs left:
# /usr/local/sbin/nft list ruleset
table inet filter {
    chain divert {
        type filter hook prerouting priority mangle; policy accept;
    }
}
# /usr/local/sbin/nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
Error: Conflicting network layer protocols.
add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
                                                                ^^^^^^^^^^^^^^^
# /usr/local/sbin/nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000
Error: syntax error, unexpected colon
add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000
                                                                             ^
Adding rule without 'ip daddr 0.0.0.0/0' works with 'tproxy to :2000', but fails the parse as above with 'tproxy ip to :2000'.
bugzilla-daemon at netfilter.org
2019-Apr-03 21:39 UTC
[Bug 1310] syntax issue with tproxy
https://bugzilla.netfilter.org/show_bug.cgi?id=1310
--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Created attachment 561
--> https://bugzilla.netfilter.org/attachment.cgi?id=561&action=edit
tproxy
Could you give a try to the following patch?
bugzilla-daemon at netfilter.org
2019-Apr-03 21:42 UTC
[Bug 1310] syntax issue with tproxy
https://bugzilla.netfilter.org/show_bug.cgi?id=1310
Pablo Neira Ayuso <pablo at netfilter.org> changed:

What          Removed    Added
----------------------------------------------------------------------------
Status        NEW        ASSIGNED
bugzilla-daemon at netfilter.org
2019-Apr-04 11:57 UTC
[Bug 1310] syntax issue with tproxy
https://bugzilla.netfilter.org/show_bug.cgi?id=1310
Pablo Neira Ayuso <pablo at netfilter.org> changed:

What          Removed    Added
----------------------------------------------------------------------------
Status        ASSIGNED   RESOLVED
Resolution    ---        FIXED
--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Upstream patches:
http://git.netfilter.org/nftables/commit/?id=3edb96200690b804ceb76a9fb0ae441ed7d4d8f0
http://git.netfilter.org/nftables/commit/?id=e18d8c2ac23ba173c773b5114b39dac04e5af8db
Closing.
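The thread above converges on two practical points: in an inet table the tproxy target needs an explicit `ip`/`ip6` family keyword when an address is given, and the `tproxy ip to :port` form only parses with an nft build that carries the two upstream fixes linked in Comment #4. The script below is an added example, not code posted in the bug or shipped by the nftables project: it writes an inet ruleset using the family-qualified form and runs it through `nft -c -f` (nft's check mode, which parses and validates without loading) so a broken build or a mistyped rule is caught before anything touches the live ruleset. The loopback listener addresses (127.0.0.1:2000 and [::1]:2000), the scratch file path and the helper names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the bug thread): dry-run check of an inet-family
# tproxy ruleset written in the "tproxy ip|ip6 to" form. Assumes an nft build
# that includes the two upstream fixes from Comment #4; on an older build the
# check reports the same parse errors quoted in the thread, which is the point
# of running it before loading anything.

# Assumed scratch location; override with RULESET_FILE=... in the environment.
RULESET_FILE="${RULESET_FILE:-${TMPDIR:-/tmp}/tproxy-divert.nft}"

# Write the candidate ruleset. The explicit "ip" / "ip6" after "tproxy" tells
# nft which network-layer protocol the target address belongs to; an inet
# table cannot infer it, which is what the "Conflicting network layer
# protocols" error in Comment #2 complains about.
write_ruleset() {
    cat > "$RULESET_FILE" <<'EOF'
flush ruleset
table inet filter {
    chain divert {
        type filter hook prerouting priority mangle; policy accept;
        # packets already owned by a transparent socket: mark and accept
        meta l4proto tcp socket transparent 1 meta mark set 1 accept
        # IPv4 flows: hand to the assumed local listener on 127.0.0.1:2000
        meta l4proto tcp tproxy ip to 127.0.0.1:2000 meta mark set 1 accept
        # IPv6 flows: hand to the assumed local listener on [::1]:2000
        meta l4proto tcp tproxy ip6 to [::1]:2000 meta mark set 1 accept
    }
}
EOF
}

# Parse and validate the file without touching the live ruleset (nft -c).
# Exit status: 0 if nft accepts the file, 1 if nft rejects it,
# 2 if nft is not installed on this host (file is still written).
check_ruleset() {
    write_ruleset
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not found; wrote $RULESET_FILE but could not check it" >&2
        return 2
    fi
    if nft -c -f "$RULESET_FILE"; then
        echo "ruleset OK: $RULESET_FILE"
        return 0
    fi
    echo "ruleset rejected by nft; see the error above" >&2
    return 1
}

# Count tproxy statements that carry the family keyword. A "tproxy to ADDR"
# without "ip"/"ip6" inside an inet table is the pattern this bug was about,
# so a reviewer can grep for it before loading a ruleset.
count_qualified_tproxy() {
    grep -cE 'tproxy ip6? to' "$RULESET_FILE"
}

# Stand-alone run: never abort the script on a non-zero status, just report it.
rc=0
check_ruleset || rc=$?
echo "check_ruleset exit status: $rc (qualified tproxy statements: $(count_qualified_tproxy))"
```

Run it as root on a host with nft installed; a non-zero status of 1 means nft rejected the file and printed the offending line with a caret, exactly as in the thread, while 2 means the check could not run at all. The ruleset is written with `flush ruleset` at the top so that `nft -f` on the same file later yields a reproducible state rather than appending to whatever is already loaded.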