similar to: [Bug 1310] New: syntax issue with tproxy

I was working on a haproxy transparent proxy setup that we had working on Centos 7 (iptables), but running into issues getting tproxy working with NFTables on Centos 8. >From https://www.kernel.org/doc/Documentation/networking/tproxy.txt, It should be a matter of: # nft add table filter # nft add chain filter divert "{ type filter hook prerouting priority -150; }" # nft add rule

On 10/15/19 9:16 PM, Nathan Coulson wrote: > On 2019-10-15 12:12 p.m., Nathan Coulson wrote: >> I was working on a haproxy transparent proxy setup that we had working >> on Centos 7 (iptables), but running into issues getting tproxy working >> with NFTables on Centos 8. >> >> From https://www.kernel.org/doc/Documentation/networking/tproxy.txt, >> >> It

On 2019-10-15 12:12 p.m., Nathan Coulson wrote: > I was working on a haproxy transparent proxy setup that we had working > on Centos 7 (iptables), but running into issues getting tproxy working > with NFTables on Centos 8. > > From https://www.kernel.org/doc/Documentation/networking/tproxy.txt, > > It should be a matter of: > > # nft add table filter > # nft add

https://bugzilla.netfilter.org/show_bug.cgi?id=1686 Bug ID: 1686 Summary: Transparent proxy support requires transport protocol match Product: nftables Version: git (please specify your HEAD) Hardware: x86_64 OS: All Status: NEW Severity: enhancement Priority: P5

I''m trying to get TPROXY / Squid running and I have a few questions... I found this page: http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY However, it doesn''t explain what I''m seeing in the configuration. For the zone file, do I keep my loc and net configurations and just add the following to the file? - lo - - or do I remove the loc and net zones and

https://bugzilla.netfilter.org/show_bug.cgi?id=1398 Bug ID: 1398 Summary: tproxy rule is not matched for ip6 Product: nftables Version: unspecified Hardware: x86_64 OS: Ubuntu Status: NEW Severity: normal Priority: P5 Component: kernel Assignee: pablo at netfilter.org

Hello, how do achieve this: how must files /etc/sysconfig/network-scripts/ look like to be the same as entering the following two commands ... ip -f inet6 rule add fwmark 1 lookup 100 ip -f inet6 route add local ::/0 dev lo table 100 is there the localhost device lo correct, or does it have to be br0? e.g. a file route-br0 with 192.168.1.0/24 via 10.10.10.1 dev br0 does the routing to the

https://bugzilla.netfilter.org/show_bug.cgi?id=1422 Bug ID: 1422 Summary: iptables-nft fails to check / delete rules in raw table Product: iptables Version: 1.6.x Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: major Priority: P5 Component: iptables

Hello, I wonder if someone could use the TPROXY with Shorewall and transparent Squid  with using the routing rules on shorewall (tcrules) for hosts / networks (LAN) with multiples providers (WANs) directly from the internal network on port 80 (with TPROXY transparent squid or REDIRECT). On this issue, the routing rules is not work propertly because the source is the

https://bugzilla.netfilter.org/show_bug.cgi?id=1057 Bug ID: 1057 Summary: Allow for multiple protocols to be specified in a rule Product: nftables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at

https://bugzilla.netfilter.org/show_bug.cgi?id=1368 Bug ID: 1368 Summary: The "meta's" Product: nftables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org

In working through an IPv6/TPROXY issue I had, I believe I found a documentation bug: http://www.shorewall.net/manpages6/shorewall6-tcrules.html In the ACTION section, for part 12. SAME: The documentation lists: #ACTION SOURCE DEST PROTO DEST # PORT(S) SAME:P 192.168.1.0/24 0.0.0.0/0 tcp

https://bugzilla.netfilter.org/show_bug.cgi?id=1364 Bug ID: 1364 Summary: nft list outputs mark rules with boolean or in a form that can be parsed by nft -f Product: nftables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: normal Priority: P5

Not tested in any way. The original code for offload setting seems broken as it resets the features on every netback reconnect. This will set GSO_ROBUST at device creation time (earlier than connect time). RX checksum offload is forced on - so advertise as it is. Signed-off-by: Micha? Miros?aw <mirq-linux at rere.qmqm.pl> --- [I don't know Xen code enough to say this is correct. There

Not tested in any way. The original code for offload setting seems broken as it resets the features on every netback reconnect. This will set GSO_ROBUST at device creation time (earlier than connect time). RX checksum offload is forced on - so advertise as it is. Signed-off-by: Micha? Miros?aw <mirq-linux at rere.qmqm.pl> --- [I don't know Xen code enough to say this is correct. There

Not tested in any way. The original code for offload setting seems broken as it resets the features on every netback reconnect. This will set GSO_ROBUST at device creation time (earlier than connect time). RX checksum offload is forced on - so advertise as it is. Signed-off-by: Micha? Miros?aw <mirq-linux at rere.qmqm.pl> --- [I don't know Xen code enough to say this is correct. There

This series cleans up duplicated code for replacing firmware FB driver with proper DRI driver and adds handover support to Tegra driver. The last patch is here because it uses new semantics of remove_conflicting_framebuffers() from this series. This can be considered independently, though. --- Micha? Miros?aw (13): fbdev: show fbdev number for debugging fbdev: add

This series cleans up duplicated code for replacing firmware FB driver with proper DRI driver and adds handover support to Tegra driver. The last patch is here because it uses new semantics of remove_conflicting_framebuffers() from this series. This can be considered independently, though. --- Micha? Miros?aw (13): fbdev: show fbdev number for debugging fbdev: add

This series cleans up duplicated code for replacing firmware FB driver with proper DRI driver and adds handover support to Tegra driver. This is a sligtly updated version of a series sent on 24 Nov 2017. --- v2: - rebased on current drm-next - dropped staging/sm750fb changes - added kernel docs for DRM helpers v3: - move kerneldoc to fbdev, where functions are implemented - split kerneldoc

This series cleans up duplicated code for replacing firmware FB driver with proper DRI driver and adds handover support to Tegra driver. This is a sligtly updated version of a series sent on 24 Nov 2017. --- v2: - rebased on current drm-next - dropped staging/sm750fb changes - added kernel docs for DRM helpers v3: - move kerneldoc to fbdev, where functions are implemented - split kerneldoc