GSoC 2018 project submission

Here I’d like to summarise my work in the netfilter project as part of the Google Summer of Code 2018 program, up to the day this post is published. This also serves as the product submission Google requires as the final part of the program.

I proposed to implement native transparent proxy support in nf_tables at both the user-space and kernel level (see my proposal here). This functionality already existed in x_tables (the xt_socket match and the xt_TPROXY target), so part of my job was to refactor the existing code so that its core functions could be shared with the new nf_tables modules instead of being duplicated.

Documentation can be found in the nft(8) man page after applying my patches.

Socket match implementation

Half of the job was to implement socket matching, which looks up an existing open TCP/UDP socket associated with a packet and lets rules test its attributes. The lookup finds either an established socket or a listening socket bound to a non-zero port, possibly bound to a non-local address, which is exactly the case a transparent proxy creates with IP_TRANSPARENT.

Thanks to the structure of the nf_tables framework this effort resulted in a simple implementation which can be used in ip, ip6 and inet tables.

nft

libnftnl

kernel

Tproxy statement implementation

This part was a bit more complex. I had to extract the core functions from the xt_TPROXY implementation and reuse them from nft. The resulting tproxy statement redirects packets to a local socket without changing the packet header in any way (unlike DNAT, which rewrites the destination), so the proxy still sees the original destination address and port. This works in ip, ip6 and inet tables, too.

nft

libnftnl

kernel
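The two pieces above are normally used together: the socket expression catches packets that already belong to a transparent socket, and the tproxy statement diverts new connections. The ruleset below is an added example, not code from the author's patches or from the nftables project, showing the classic transparent-proxy "divert" setup in nft syntax. The proxy port (50080), the fwmark value (1) and routing table number (100) are assumptions chosen for illustration; the proxy is assumed to listen with IP_TRANSPARENT set on its socket.

```nft
# Added example ruleset (not from the author's patches). Load with: nft -f tproxy.nft
# Assumptions: proxy listens on TCP port 50080 with IP_TRANSPARENT set;
# fwmark 1 and routing table 100 are unused on this host.
#
# Policy routing that must accompany this ruleset, so that packets carrying
# mark 1 (and a non-local destination) are delivered to the local stack:
#   ip rule add fwmark 1 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
#   ip -6 rule add fwmark 1 lookup 100
#   ip -6 route add local ::/0 dev lo table 100

table inet tproxy_example {
    chain divert {
        # prerouting at mangle priority (-150): before the routing decision,
        # which is where tproxy has to act
        type filter hook prerouting priority -150; policy accept;

        # Packets that already belong to a transparent socket: established
        # client connections, and replies to the proxy's upstream connections
        # made from the (non-local, spoofed) client source address. Mark them
        # so policy routing keeps them local, and never divert them again.
        meta l4proto tcp socket transparent 1 counter meta mark set 1 accept

        # New HTTP connections: hand them to the proxy's listening socket
        # without rewriting the header, so the proxy can read the original
        # destination. The port-only form serves both IPv4 and IPv6 in an
        # inet table; use "tproxy ip to 127.0.0.1:50080" to pin an address.
        tcp dport 80 counter tproxy to :50080 meta mark set 1 accept
    }
}
```

Two caveats a practitioner should keep in mind: the order of the two rules matters, because a packet of an already-accepted connection that reaches the tproxy rule would be looked up again needlessly, and without the socket rule the replies to the proxy's own spoofed-source upstream connections would be routed away instead of delivered to the proxy. On a router, add an `iifname` match to the divert rules so that only traffic from the client-facing interface is intercepted.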

Other contributions and summary

Beyond my project proposal I also implemented some fixes to the socket and tproxy parts of the kernel and to the nft testing infrastructure, and I started to implement a textual representation of the standard chain priorities in the nft tool to make life easier for sysadmins.

For the full list of my contributions, see the following links:

Written on August 8, 2018