GSoC 2018 project submission
Here I’d like to summarise my efforts in the netfilter project as part of the Google Summer of Code 2018 program, up to the publishing day of this post. This will also serve as the product submission which Google requires as the final part of the program.
I proposed to implement native transparent proxy support in nf_tables on both the user and kernel levels (see my proposal here). This functionality had already been part of x_tables, so part of my job was to refactor the existing code so that its core functions could be used from the new module.
Documentation can be found in the nft(8) man page after applying my patches.
Socket match implementation
Half of the job was to implement socket matching, which can be used to find an existing open TCP/UDP socket associated with a packet and to match on its attributes. It looks for an established socket or a non-zero-bound listening socket (possibly bound to a non-local address).
Thanks to the structure of the nf_tables framework, this effort resulted in a simple implementation which can be used in ip, ip6 and inet tables.
Main patches related to this part:
- src: Introduce socket matching
- test: py: Add test cases for socket matching
- doc: Add socket expression to man page
- src: Expose socket mark via socket expression
- nf_tables: add support for native socket matching
- nft_socket: Expose socket mark
Tproxy statement implementation
This part was already a bit more complex. I had to extract the core functions from the xt_TPROXY implementation and reproduce their use in nft. Now it can be used to redirect packets to a local socket without changing the packet header in any way. This works in ip, ip6 and inet tables, too.
Main patches related to the tproxy statement:
- src: Add tproxy support
- tests: py: Add test cases for tproxy support
- doc: Add tproxy statement to man page
- netfilter: Libify
- nf_tproxy: fix possible non-linear access to transport header
- nf_tables: Add native tproxy support
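The two pieces above are meant to be used together: the socket match catches packets that already belong to a transparent socket, and the tproxy statement hands new flows to the proxy without rewriting the header, with policy routing delivering the marked packets locally. The script below is an added example, not code from this post or from the netfilter project. The port (8080), the mark (0x1), the routing table number (100) and the table name tproxy_demo are constructed values; a proxy with IP_TRANSPARENT set on its listening socket is assumed to be running on that port.

```shell
#!/bin/sh
# Added example (not part of the post or the netfilter project): a minimal
# transparent-proxy setup combining the nft socket match and tproxy statement
# in one inet table, so it covers both IPv4 and IPv6.
# Assumed values (constructed): a local proxy listening on port 8080 with
# IP_TRANSPARENT set, packet mark 0x1, and policy-routing table 100.

PROXY_PORT=8080
TPROXY_MARK=0x1
TPROXY_TABLE=100

# Print the ruleset in `nft -f` syntax so it can be reviewed before loading.
tproxy_ruleset() {
	cat <<EOF
table inet tproxy_demo {
	chain prerouting {
		# -150 is the mangle priority: run before the routing decision
		type filter hook prerouting priority -150; policy accept;

		# Packets that already belong to an open transparent (IP_TRANSPARENT)
		# socket: only mark them so the local route below delivers them.
		socket transparent 1 meta mark set $TPROXY_MARK accept

		# New TCP flows to port 80: attach them to the local proxy socket without
		# rewriting the packet header, then mark them for local delivery.
		tcp dport 80 tproxy to :$PROXY_PORT meta mark set $TPROXY_MARK accept
	}
}
EOF
}

# tproxy only associates the packet with the socket; the marked packets
# still have a foreign destination address and must be routed to the
# local stack explicitly.
tproxy_routing() {
	ip rule add fwmark "$TPROXY_MARK" lookup "$TPROXY_TABLE"
	ip route add local 0.0.0.0/0 dev lo table "$TPROXY_TABLE"
	ip -6 rule add fwmark "$TPROXY_MARK" lookup "$TPROXY_TABLE"
	ip -6 route add local ::/0 dev lo table "$TPROXY_TABLE"
}

# Load everything (needs root and a kernel/nft with nft_socket and nft_tproxy).
tproxy_apply() {
	tproxy_ruleset | nft -f -
	tproxy_routing
}

# `sh tproxy.sh apply` loads the setup; with no argument the ruleset is only printed.
if [ "${1:-}" = "apply" ]; then
	tproxy_apply
else
	tproxy_ruleset
fi
```

Without arguments the script only prints the ruleset, which can be syntax-checked against the installed nft with `sh tproxy.sh | nft -c -f -` before anything is loaded. The order of the two rules matters: the socket match must come first, otherwise packets of an already accepted connection would be handed to tproxy again.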
Other contributions and summary
Beyond my project proposal I also implemented some fixes to the socket and tproxy parts of the kernel and to the nft testing infrastructure, and I started to implement a textual representation of the standard priorities in the nft tool to make life easier for sysadmins.
To get all my contributions, check the following links: