From a557c49936bb98cd0b7d84adda654af34694dda3 Mon Sep 17 00:00:00 2001
From: Zoruk
Date: Wed, 22 May 2024 09:52:58 +0200
Subject: [PATCH 1/2] feat: add support for tproxy
---
src/stmt.rs | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/stmt.rs b/src/stmt.rs
index 60c75a6..2ca13fc 100644
--- a/src/stmt.rs
+++ b/src/stmt.rs
@@ -75,6 +75,8 @@ pub enum Statement {
 /// This represents an xt statement from xtables compat interface.
 /// Sadly, at this point, it is not possible to provide any further information about its content.
 XT(Option),
+
+ TProxy(TProxy),
 }
 
 #[derive(Debug, Clone, Eq, PartialEq, Serialize, Deserialize)]
@@ -420,6 +422,16 @@ pub struct CTCount {
 pub inv: Option,
 }
 
+#[derive(Debug, Clone, Eq, PartialEq, Serialize, Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub struct TProxy {
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub family: Option,
+ pub port: u16,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub addr: Option,
+}
+
 #[derive(Debug, Clone, Copy, Eq, PartialEq, Hash, Serialize, Deserialize)]
 /// Represents an operator for `Match`.
 pub enum Operator {
From a13a06d07275ebbe3a25033978d1a952f228867d Mon Sep 17 00:00:00 2001
From: Zoruk
Date: Wed, 3 Jul 2024 16:06:42 +0200
Subject: [PATCH 2/2] feat: add tproxy json test
---
resources/test/json/tproxy.json | 144 ++++++++++++++++++++++++++++++++
resources/test/nft/tproxy.nft | 16 ++++
2 files changed, 160 insertions(+)
create mode 100644 resources/test/json/tproxy.json
create mode 100644 resources/test/nft/tproxy.nft
diff --git a/resources/test/json/tproxy.json b/resources/test/json/tproxy.json
new file mode 100644
index 0000000..e7ede5f
--- /dev/null
+++ b/resources/test/json/tproxy.json
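Review bot: The new `TProxy(TProxy)` variant at the end of `Statement` has no doc comment, while the `XT` variant directly above it explains what it represents; add `/// A tproxy statement, redirecting the matched packet to a local socket at the given address and/or port.` above the variant. The fixture added in the second patch expects the JSON tag `"tproxy"`, so the variant name must be lowercased by serde; whether `Statement` carries `#[serde(rename_all = "lowercase")]` is outside this hunk, so it is worth confirming, or adding an explicit `#[serde(rename = "tproxy")]` on the variant. Any exhaustive `match` on `Statement` elsewhere in the crate will now need an arm for the new variant as well. The enclosing enum starts before the hunk.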
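Review bot: `TProxy` is a new public type with no doc comment on the struct or on any of its three fields, and the `#[serde(rename_all = "lowercase")]` attribute on it is a no-op because `family`, `port` and `addr` are already lowercase, so it reads as copied from a neighbouring type rather than needed. Suggest `/// Represents a tproxy statement.` on the struct, `/// Optional address family of the target socket, e.g. "ip" or "ip6".` on `family`, `/// Destination port of the local socket.` on `port`, and `/// Optional destination address of the local socket.` on `addr`. The generic arguments of the two `Option` fields appear stripped in this rendering; if `addr` is a plain `Option<String>`, nothing checks that the address parses or agrees with `family`, and a mismatched pair would deserialize without error, which is worth stating on the field since the fixture only exercises matching pairs.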
@@ -0,0 +1,144 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "1.0.9",
+ "release_name": "Old Doc Yak #3",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "filter",
+ "handle": 1
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "tproxy_ipv4",
+ "handle": 1
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "filter",
+ "name": "tproxy_ipv6",
+ "handle": 2
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "tproxy_ipv4",
+ "handle": 3,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "tcp"
+ }
+ },
+ {
+ "tproxy": {
+ "family": "ip",
+ "addr": "127.0.0.1",
+ "port": 12345
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "tproxy_ipv4",
+ "handle": 4,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "tcp"
+ }
+ },
+ {
+ "tproxy": {
+ "family": "ip",
+ "port": 12345
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "tproxy_ipv6",
+ "handle": 5,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "tcp"
+ }
+ },
+ {
+ "tproxy": {
+ "family": "ip6",
+ "addr": "::1",
+ "port": 12345
+ }
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "filter",
+ "chain": "tproxy_ipv6",
+ "handle": 6,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "tcp"
+ }
+ },
+ {
+ "tproxy": {
+ "family": "ip6",
+ "port": 12345
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/resources/test/nft/tproxy.nft b/resources/test/nft/tproxy.nft
new file mode 100644
index 0000000..9a85e4e
--- /dev/null
+++ b/resources/test/nft/tproxy.nft
@@ -0,0 +1,16 @@
+#!/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+
+ chain tproxy_ipv4 {
+ meta l4proto tcp tproxy ip to 127.0.0.1:12345
+ meta l4proto tcp tproxy ip to :12345
+ }
+
+ chain tproxy_ipv6 {
+ meta l4proto tcp tproxy ip6 to [::1]:12345
+ meta l4proto tcp tproxy ip6 to :12345
+ }
+}