Commit 4ac0b122 authored by Mauro Carvalho Chehab's avatar Mauro Carvalho Chehab Committed by David S. Miller
Browse files

docs: networking: convert tproxy.txt to ReST 



- add SPDX header;
- adjust title markup;
- mark code blocks and literals as such;
- adjust identation, whitespaces and blank lines where needed;
- add to networking/index.rst.

Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 06bfa47e

Documentation/networking/index.rst

+1 −0
Original line number Diff line number Diff line
@@ -110,6 +110,7 @@ Contents: 
   tcp-thin

   team

   timestamping

   tproxy



.. only::  subproject and html

Documentation/networking/tproxy.txtDocumentation/networking/tproxy.rst

+31 −26
Original line number Diff line number Diff line 
.. SPDX-License-Identifier: GPL-2.0



=========================

Transparent proxy support

=========================
@@ -11,21 +14,21 @@ From Linux 4.18 transparent proxy support is also available in nf_tables. 
================================



The idea is that you identify packets with destination address matching a local

socket on your box, set the packet mark to a certain value:

socket on your box, set the packet mark to a certain value::



    # iptables -t mangle -N DIVERT

    # iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

    # iptables -t mangle -A DIVERT -j MARK --set-mark 1

    # iptables -t mangle -A DIVERT -j ACCEPT



Alternatively you can do this in nft with the following commands:

Alternatively you can do this in nft with the following commands::



    # nft add table filter

    # nft add chain filter divert "{ type filter hook prerouting priority -150; }"

    # nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept



And then match on that value using policy routing to have those packets

delivered locally:

delivered locally::



    # ip rule add fwmark 1 lookup 100

    # ip route add local 0.0.0.0/0 dev lo table 100
@@ -33,7 +36,7 @@ delivered locally: 
Because of certain restrictions in the IPv4 routing output code you'll have to

modify your application to allow it to send datagrams _from_ non-local IP

addresses. All you have to do is enable the (SOL_IP, IP_TRANSPARENT) socket

option before calling bind:

option before calling bind::



    fd = socket(AF_INET, SOCK_STREAM, 0);

    /* - 8< -*/
@@ -61,7 +64,7 @@ be able to find out the original destination address. Even in case of TCP 
getting the original destination address is racy.)



The 'TPROXY' target provides similar functionality without relying on NAT. Simply

add rules like this to the iptables ruleset above:

add rules like this to the iptables ruleset above::



    # iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \

      --tproxy-mark 0x1/0x1 --on-port 50080
@@ -82,10 +85,12 @@ nf_tables implementation. 
====================================



To use tproxy you'll need to have the following modules compiled for iptables:



 - NETFILTER_XT_MATCH_SOCKET

 - NETFILTER_XT_TARGET_TPROXY



Or the floowing modules for nf_tables:



 - NFT_SOCKET

 - NFT_TPROXY

net/netfilter/Kconfig

+1 −1
Original line number Diff line number Diff line
@@ -1043,7 +1043,7 @@ config NETFILTER_XT_TARGET_TPROXY 
	  on Netfilter connection tracking and NAT, unlike REDIRECT.

	  For it to work you will have to configure certain iptables rules

	  and use policy routing. For more information on how to set it up

	  see Documentation/networking/tproxy.txt.

	  see Documentation/networking/tproxy.rst.



	  To compile it as a module, choose M here.  If unsure, say N.

CRA Git | Maintained and supported by SUSTech CRA and CCSE