Hi
I have a working haproxy in transparent mode. I use it as a front end for several https servers that share the same IP address.
My kernel has net.ipv4.ip_nonlocal_bind=1.
/etc/iproute2/rt_tables contains:
100 haproxy
I am using
ip rule add fwmark 1 lookup haproxy
ip route add local default dev lo table haproxy
My firewall rules have
iptables -t mangle -A PREROUTING -m socket --transparent -j MARK --set-mark 1
This works fine. But iptables is deprecated and will vanish at some point. So I’m trying to replace this by the new nftables system.
I tried this nft rule:
table inet haproxy {
    chain prerouting {
        type filter hook prerouting priority -150; policy accept;
        socket transparent 1 mark set 0x00000001
    }
}
It does work, but all traffic is routed to the haproxy socket, including outbound masqueraded connections… I mean when a box on the LAN side connects to a foreign https server, the connection is grabbed by haproxy, which is not what I want.
Does anyone know the proper equivalent to
iptables -t mangle -A PREROUTING -m socket --transparent -j MARK --set-mark 1
using nft?
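Added example, not part of the original post and not an official haproxy or nftables recommendation. One plausible reason for the behaviour described above is that iptables' socket match ignores listeners bound to the wildcard address by default (that is what its --nowildcard option switches off), whereas nft's socket expression also matches a wildcard-bound listener, so any TCP/443 packet passing through the box can hit haproxy's listener. The ruleset below avoids relying on the listener lookup for everything: new client connections are only marked when they are addressed to the IP/port haproxy actually fronts, and replies to haproxy's own outbound connections are recognised via a conntrack mark set on the way out. Constructed assumptions: haproxy runs as the system user "haproxy" and fronts 192.0.2.10 on TCP 443 (a documentation address); replace both with the real values.

```nft
# Added example (not from the original post). Constructed assumptions:
# haproxy runs as user "haproxy" and fronts 192.0.2.10 on TCP 443.
table inet haproxy {
    # Only the address/port pairs haproxy is meant to serve.
    set proxied {
        type ipv4_addr . inet_service
        elements = { 192.0.2.10 . 443 }
    }

    chain output {
        type filter hook output priority -150; policy accept;
        # Tag haproxy's own outbound connections (including those made with a
        # non-local source, e.g. "usesrc clientip") on their first packet so
        # the replies can be recognised on the way back in without a socket lookup.
        meta skuid "haproxy" ct state new ct mark set 0x1
    }

    chain prerouting {
        type filter hook prerouting priority -150; policy accept;
        # Replies to haproxy's connections: restore the fwmark and stop here,
        # so "ip rule ... fwmark 1 lookup haproxy" delivers them locally.
        ct mark 0x1 meta mark set 0x1 accept
        # New client connections: mark only when they target a proxied
        # address/port and a transparent socket exists, so LAN clients talking
        # to other https servers keep their normal forwarded path.
        ip daddr . tcp dport @proxied socket transparent 1 meta mark set 0x1
    }
}
```

Load it with `nft -f` and compare `nft list ruleset` counters (add `counter` to a rule while testing) against a LAN client browsing an external https site: that connection should no longer increment the prerouting mark rule. Newer nftables/kernel versions also document a `socket wildcard` key that can exclude wildcard-bound listeners directly; whether your version has it is something to check in the nft(8) man page for that release rather than assume.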