Transparent mode: Issue migrating from iptables to nftables

nirgal · August 13, 2020, 8:32am

Hi

I have a working haproxy in transparent mode. I use it as a frontal, for several https servers using the same IP address.

My kernel have net.ipv4.ip_nonlocal_bind=1.

/etc/iproute2/rt_tables contains:

100 haproxy

I am using

ip rule add fwmark 1 lookup haproxy
ip route add local default dev lo table haproxy

My firewall rules have

iptables -t mangle -A PREROUTING -m socket --transparent -j MARK --set-mark 1

This works fine. But iptables is deprecated and will vanish at some point. So I’m trying to replace this by the new nftables system.

I tried this nft rule:

table inet haproxy {
chain prerouting {
type filter hook prerouting priority -150; policy accept;
socket transparent 1 mark set 0x00000001
}
}

It does work, but all traffic is routed to the haproxy socket, including outbound masqueraded connection… I mean when a box in the lan side connects to a foreign https serveur, the connection is grabbed by haproxy, which is not what I want.

Does any one know the proper equivalent to

iptables -t mangle -A PREROUTING -m socket --transparent -j MARK --set-mark 1
using nft?

nirgal · August 13, 2020, 10:13am

I could make this work by binding haproxy to a specific ip address, replacing in haproxy.cfg “bind :80” by “bind 1.2.3.4:443” and “bind :::443” by “bind 1:2:3:4:5:6:7:8:443”. Nice… if you have a static IP address.

So still not working…

lukastribus · August 15, 2020, 11:12am

You should probably ask this on appropriated forums for iptables/nftables, like the netfilter-users mailing list.

nirgal · August 26, 2020, 6:13pm

I seems that as of today, there is no solution using nft if you bind haproxy to * rather to a specific ip address. If you have dynamic ip addresses for example.

Patches for linux and nftables are available there:
https://www.spinics.net/lists/netfilter/msg59679.html
https://www.spinics.net/lists/netfilter/msg59682.html

Hopefully it will make it upstream soon.

After applying the pacthes, the solution is:

table inet haproxy {
chain prerouting {
type filter hook prerouting priority -150; policy accept;
socket transparent 1 socket wildcard 0 mark set 0x00000001
}
}

lukastribus · August 26, 2020, 9:36pm

Thanks for the update, that will definitely be of use for others, especially because even when accepted in the kernel it will take some time until this is in your standard distribution kernel.

nirgal · October 22, 2020, 3:14pm

The patch finally made it in the kernel 5.10 branch

Meaning, if you want transparent mode + nft + dynamic ip address, you need a kernel version >= 5.10