similar to: [Bug 1686] New: Transparent proxy support requires transport protocol match

https://bugzilla.netfilter.org/show_bug.cgi?id=1310 Bug ID: 1310 Summary: syntax issue with tproxy Product: nftables Version: unspecified Hardware: All OS: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org

On 2019-10-15 12:12 p.m., Nathan Coulson wrote: > I was working on a haproxy transparent proxy setup that we had working > on Centos 7 (iptables), but running into issues getting tproxy working > with NFTables on Centos 8. > > From https://www.kernel.org/doc/Documentation/networking/tproxy.txt, > > It should be a matter of: > > # nft add table filter > # nft add

On 10/15/19 9:16 PM, Nathan Coulson wrote: > On 2019-10-15 12:12 p.m., Nathan Coulson wrote: >> I was working on a haproxy transparent proxy setup that we had working >> on Centos 7 (iptables), but running into issues getting tproxy working >> with NFTables on Centos 8. >> >> From https://www.kernel.org/doc/Documentation/networking/tproxy.txt, >> >> It

I was working on a haproxy transparent proxy setup that we had working on Centos 7 (iptables), but running into issues getting tproxy working with NFTables on Centos 8. >From https://www.kernel.org/doc/Documentation/networking/tproxy.txt, It should be a matter of: # nft add table filter # nft add chain filter divert "{ type filter hook prerouting priority -150; }" # nft add rule

https://bugzilla.netfilter.org/show_bug.cgi?id=1763 Bug ID: 1763 Summary: Segfault when resetting rules with meta l4proto { tcp, udp } Product: nftables Version: 1.0.x Hardware: x86_64 OS: Ubuntu Status: NEW Severity: minor Priority: P5 Component: nft

Hi! The Netfilter project proudly presents: nftables 1.1.0 ... after a release cycles of 8 months. This release contains mostly fixes, listed in no particular order: - Restore compatibility set element dump with <= 0.9.8 add element t s { 23 counter packets 10 bytes 20 timeout 10s } add element t s { 42 timeout 10s counter packets 10 bytes 20 } - Disallow ifname less than

In working through an IPv6/TPROXY issue I had, I believe I found a documentation bug: http://www.shorewall.net/manpages6/shorewall6-tcrules.html In the ACTION section, for part 12. SAME: The documentation lists: #ACTION SOURCE DEST PROTO DEST # PORT(S) SAME:P 192.168.1.0/24 0.0.0.0/0 tcp

I''m trying to get TPROXY / Squid running and I have a few questions... I found this page: http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY However, it doesn''t explain what I''m seeing in the configuration. For the zone file, do I keep my loc and net configurations and just add the following to the file? - lo - - or do I remove the loc and net zones and

https://bugzilla.netfilter.org/show_bug.cgi?id=1398 Bug ID: 1398 Summary: tproxy rule is not matched for ip6 Product: nftables Version: unspecified Hardware: x86_64 OS: Ubuntu Status: NEW Severity: normal Priority: P5 Component: kernel Assignee: pablo at netfilter.org

4.5.4 Beta 3 is now available for testing. I apologize for the back-to-back Betas but I guess it''s better to find these problems during the Beta period rather than later. Problems corrected: 1) This release includes all defect repairs from Shorewall 4.5.3.1. 2) When EXPORTMODULES=No in shorewall.conf, the following errors were issued: /usr/share/shorewall/modules: line 19:

4.5.4 Beta 3 is now available for testing. I apologize for the back-to-back Betas but I guess it''s better to find these problems during the Beta period rather than later. Problems corrected: 1) This release includes all defect repairs from Shorewall 4.5.3.1. 2) When EXPORTMODULES=No in shorewall.conf, the following errors were issued: /usr/share/shorewall/modules: line 19:

https://bugzilla.netfilter.org/show_bug.cgi?id=1738 Bug ID: 1738 Summary: iptables unit test suite fails extensions/libip6t_mh.txlate Product: iptables Version: 1.8.x Hardware: All OS: Gentoo Status: NEW Severity: normal Priority: P5 Component: ip6tables

Hello, how do achieve this: how must files /etc/sysconfig/network-scripts/ look like to be the same as entering the following two commands ... ip -f inet6 rule add fwmark 1 lookup 100 ip -f inet6 route add local ::/0 dev lo table 100 is there the localhost device lo correct, or does it have to be br0? e.g. a file route-br0 with 192.168.1.0/24 via 10.10.10.1 dev br0 does the routing to the

https://bugzilla.netfilter.org/show_bug.cgi?id=1238 Bug ID: 1238 Summary: meta limits protocols when it shouldn't Product: nftables Version: unspecified Hardware: x86_64 OS: Fedora Status: NEW Severity: minor Priority: P5 Component: nft Assignee: pablo at netfilter.org

https://bugzilla.netfilter.org/show_bug.cgi?id=1368 Bug ID: 1368 Summary: The "meta's" Product: nftables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org

https://bugzilla.netfilter.org/show_bug.cgi?id=1021 Pablo Neira Ayuso <pablo at netfilter.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED CC| |pablo at netfilter.org --- Comment #1 from Pablo

Hello, I wonder if someone could use the TPROXY with Shorewall and transparent Squid  with using the routing rules on shorewall (tcrules) for hosts / networks (LAN) with multiples providers (WANs) directly from the internal network on port 80 (with TPROXY transparent squid or REDIRECT). On this issue, the routing rules is not work propertly because the source is the

Hi! The Netfilter project proudly presents: nftables 0.8 This release contains new features available up to the (upcoming) Linux 4.14 kernel release: * Support for stateful objects, these objects are uniquely identified by a user-defined name, you can refer to them from rules, and there is a well established interface to operate with them, eg. # nft add counter filter test

https://bugzilla.netfilter.org/show_bug.cgi?id=1402 Bug ID: 1402 Summary: Race errors with nft Product: nftables Version: unspecified Hardware: All OS: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org

https://bugzilla.netfilter.org/show_bug.cgi?id=1344 Bug ID: 1344 Summary: Segmentation fault in nft add rule ip ipv4table ipv4chain-1 tcp sport { 12345-54321 } Product: nftables Version: unspecified Hardware: All OS: Ubuntu Status: NEW Severity: critical Priority: P5