I have a working haproxy in transparent mode. I use it as a frontal, for several https servers using the same IP address.
My kernel has net.ipv4.ip_nonlocal_bind=1.
/etc/iproute2/rt_tables contains:
100 haproxy
I am using
ip rule add fwmark 1 lookup haproxy
ip route add local default dev lo table haproxy
My firewall rules have
iptables -t mangle -A PREROUTING -m socket --transparent -j MARK --set-mark 1
This works fine. But iptables is deprecated and will vanish at some point. So I’m trying to replace this by the new nftables system.
I tried this nft rule:
table inet haproxy {
    chain prerouting {
        type filter hook prerouting priority -150; policy accept;
        socket transparent 1 mark set 0x00000001
    }
}
It does work, but all traffic is routed to the haproxy socket, including outbound masqueraded connections… I mean when a box on the LAN side connects to a foreign https server, the connection is grabbed by haproxy, which is not what I want.
Does anyone know the proper equivalent to
iptables -t mangle -A PREROUTING -m socket --transparent -j MARK --set-mark 1
using nft?
I could make this work by binding haproxy to a specific ip address, replacing in haproxy.cfg “bind :80” by “bind 1.2.3.4:443” and “bind :::443” by “bind 1:2:3:4:5:6:7:8:443”. Nice… if you have a static IP address.
It seems that as of today, there is no solution using nft if you bind haproxy to * rather than to a specific IP address, for example if you have dynamic IP addresses.
Patches for linux and nftables are available there:
Hopefully it will make it upstream soon.
After applying the patches, the solution is:
table inet haproxy {
    chain prerouting {
        type filter hook prerouting priority -150; policy accept;
        socket transparent 1 socket wildcard 0 mark set 0x00000001
    }
}
Thanks for the update, that will definitely be of use for others, especially because even when accepted in the kernel it will take some time until this is in your standard distribution kernel.
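As an added check (not code from the thread or from the HAProxy project), the script below verifies a transparent-proxy setup of the kind described above from captured command output: the sysctl, the rt_tables entry, the fwmark ip rule, the local default route on lo, and the nft prerouting rule. It flags the over-broad `socket transparent 1` rule from the thread, i.e. one without `socket wildcard 0`, since that is the form that also marks forwarded LAN connections. The table name, mark value and all sample outputs are constructed assumptions; the parsing relies only on the usual `sysctl`, `ip rule show`, `ip route show table <name>` and `nft list ruleset` text formats.

```python
"""Check a HAProxy transparent-proxy setup from captured command output (added example)."""
import re


def _mark_value(rule_text):
    """Return the integer that a 'mark set ...' expression assigns, or None if absent."""
    m = re.search(r"mark set (0x[0-9a-fA-F]+|\d+)", rule_text)
    return int(m.group(1), 0) if m else None


def check_transparent_setup(sysctl_out, rt_tables, ip_rule_out, ip_route_out,
                            nft_out, table="haproxy", mark=1):
    """Return a list of problems found; an empty list means every check passed.

    sysctl_out   : output of `sysctl net.ipv4.ip_nonlocal_bind`
    rt_tables    : contents of /etc/iproute2/rt_tables
    ip_rule_out  : output of `ip rule show`
    ip_route_out : output of `ip route show table <table>`
    nft_out      : output of `nft list ruleset`
    """
    issues = []

    # 1. The kernel must allow binding to non-local addresses.
    m = re.search(r"net\.ipv4\.ip_nonlocal_bind\s*=\s*(\d+)", sysctl_out)
    if not m or m.group(1) != "1":
        issues.append("net.ipv4.ip_nonlocal_bind is not 1")

    # 2. The routing table name must be declared so `lookup <table>` resolves.
    if not re.search(rf"^\s*\d+\s+{re.escape(table)}\s*$", rt_tables, re.M):
        issues.append(f"table '{table}' is not declared in /etc/iproute2/rt_tables")

    # 3. A policy rule must send packets carrying the fwmark to that table.
    if not re.search(rf"\bfwmark 0x{mark:x}\b.*\blookup {re.escape(table)}\b", ip_rule_out):
        issues.append(f"no ip rule sends fwmark {mark} to table {table}")

    # 4. That table must deliver everything locally via lo.
    if not re.search(r"^local default dev lo\b", ip_route_out, re.M):
        issues.append(f"table {table} has no 'local default dev lo' route")

    # 5. Collect socket-match rules that live in a prerouting filter chain.
    in_prerouting = False
    socket_rules = []
    for line in nft_out.splitlines():
        s = line.strip()
        if s.startswith("chain "):
            in_prerouting = False           # a new chain starts; wait for its hook line
        if re.match(r"type filter hook prerouting\b", s):
            in_prerouting = True
        if in_prerouting and "socket transparent 1" in s:
            socket_rules.append(s)

    if not socket_rules:
        issues.append("no prerouting nft rule with 'socket transparent 1'")
    for rule in socket_rules:
        if _mark_value(rule) != mark:
            issues.append(f"rule '{rule}' does not set mark {mark}")
        if "socket wildcard 0" not in rule:
            # Without this qualifier the rule also matches packets whose only matching
            # socket is the wildcard-bound listener, which is how forwarded LAN traffic
            # ends up diverted to haproxy (needs the patched nft described in the thread).
            issues.append(f"rule '{rule}' lacks 'socket wildcard 0' and will also "
                          "match forwarded connections to foreign servers")
    return issues


# Constructed sample outputs (not captured from a real host).
SYSCTL_OK = "net.ipv4.ip_nonlocal_bind = 1\n"
RT_TABLES = "255\tlocal\n254\tmain\n253\tdefault\n0\tunspec\n100 haproxy\n"
IP_RULE = ("0:\tfrom all lookup local\n"
           "32765:\tfrom all fwmark 0x1 lookup haproxy\n"
           "32766:\tfrom all lookup main\n")
IP_ROUTE = "local default dev lo scope host\n"
NFT_BROAD = ("table inet haproxy {\n\tchain prerouting {\n"
             "\t\ttype filter hook prerouting priority -150; policy accept;\n"
             "\t\tsocket transparent 1 meta mark set 0x00000001\n\t}\n}\n")
NFT_PATCHED = NFT_BROAD.replace("socket transparent 1 meta",
                                "socket transparent 1 socket wildcard 0 meta")


def report(label, nft_text, sysctl_text=SYSCTL_OK):
    """Run the checks on one sample and return the issue list (also printed)."""
    found = check_transparent_setup(sysctl_text, RT_TABLES, IP_RULE, IP_ROUTE, nft_text)
    print(f"{label}: {'OK' if not found else found}")
    return found


if __name__ == "__main__":
    report("patched ruleset", NFT_PATCHED)
    report("broad ruleset", NFT_BROAD)
    report("nonlocal_bind off", NFT_PATCHED, "net.ipv4.ip_nonlocal_bind = 0\n")
```

Feed it real output with `nft list ruleset`, `ip rule show` and `ip route show table haproxy` redirected to files; the mark and table name default to the values used in the thread.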