A.4.3.1. Marking packets for transparent proxying

This section describes how PNS selects and marks the packets that will be transparently proxied.

Note

In PNS version 3.3FR1 and earlier, this functionality was achieved using the tproxy table. Starting with PNS version 3.4, the tproxy table is not available in PNS.

As of PNS version 3.4, the PNS Gateway sets a mark on incoming packets that are to be transparently proxied. Every packet having this specific mark is sent to the LO interface using a policy routing rule. PNS uses the highest bit for marking the packets, that is, 0x80000000. In the iptables ruleset of PNS, this means the following rule: -A LOeth0 --match mark --mark 0x80000000/0x80000000 --jump ACCEPT

Therefore, in case you use any marks, make sure that:

  • you do not use the highest bit for marking; and that

  • you use the following mask when setting or checking your marks: /0x7fffffff

When using your own iptables rules to mark packets for transparent proxying, the marks must also set the highest bit, together with the proper mask, for example, using the --tproxy-mark 0x80000000/0x80000000 iptables option.
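As an added example (not part of the PNS documentation), the following Python script audits an iptables-save excerpt for mark options that collide with the reserved bit: it reports any value that sets 0x80000000, and any mask that includes that bit, except for PNS's own 0x80000000/0x80000000 form. The sample ruleset is constructed for the demonstration.

```python
import re

PNS_BIT = 0x80000000    # highest mark bit, reserved by PNS for transparent proxying
SAFE_MASK = 0x7fffffff  # mask that user rules should use when setting or checking marks

# iptables options that carry a mark, optionally written as value/mask
MARK_OPT = re.compile(
    r"(?<!\S)--(set-mark|set-xmark|mark|tproxy-mark)\s+"
    r"(0x[0-9a-fA-F]+|[0-9]+)(?:/(0x[0-9a-fA-F]+|[0-9]+))?"
)

def to_int(text):
    """Parse an iptables mark number (hex with 0x prefix, or decimal)."""
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)

def audit_marks(ruleset):
    """Return (line_no, option, reason) for every mark option touching the reserved bit.

    The only accepted use of 0x80000000 is PNS's own form 0x80000000/0x80000000
    (the LOeth0 match and the --tproxy-mark option). A missing mask means
    0xffffffff in iptables, so a bare --set-mark also overwrites the reserved bit.
    """
    findings = []
    for no, line in enumerate(ruleset.splitlines(), 1):
        for m in MARK_OPT.finditer(line):
            opt, value, mask = m.group(1), to_int(m.group(2)), m.group(3)
            mask = to_int(mask) if mask is not None else 0xffffffff
            if value == PNS_BIT and mask == PNS_BIT:
                continue  # PNS's own redirect/match rule
            if value & PNS_BIT:
                findings.append((no, "--" + opt, "value uses the reserved bit 0x80000000"))
            elif mask & PNS_BIT:
                findings.append((no, "--" + opt, "mask includes 0x80000000; use /0x7fffffff"))
    return findings

# Constructed iptables-save style excerpt (not taken from a real PNS host)
SAMPLE_RULESET = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A LOeth0 --match mark --mark 0x80000000/0x80000000 --jump ACCEPT
-A PREROUTING -i eth1 -j MARK --set-xmark 0x1/0x7fffffff
-A PREROUTING -i eth2 -j MARK --set-mark 0x2
-A PREROUTING -i eth3 -j MARK --set-xmark 0x80000004/0x7fffffff
-A PREROUTING --jump KZORP --tproxy-mark 0x80000000/0x80000000
-A FORWARD -m mark --mark 0x3/0x7fffffff -j ACCEPT
"""

if __name__ == "__main__":
    for no, opt, reason in audit_marks(SAMPLE_RULESET):
        print(f"line {no}: {opt}: {reason}")
```

Only lines 5 and 6 of the sample are reported: the bare --set-mark overwrites all 32 bits, and the 0x80000004 value XORs the reserved bit even though its mask excludes it.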

Marking the packets only redirects them for transparent proxying; no filtering is performed. The marked packets and connections must also be ACCEPTed in the filter table so that they pass and reach their destination, which is a dispatcher for transparently proxied packets.

Note

By default, PNS directs every packet to the kzorp target in the mangle table. Explicitly accepting packets earlier in the iptables rules provides a way to avoid the kzorp kernel module.

To ensure that the selected packets do not reach the kzorp target, add rules that accept the packets to every chain of the mangle table (PREROUTING, FORWARD, POSTROUTING) before the following rule: -A <name-of-the-chain> --jump KZORP --tproxy-mark 0x80000000/0x80000000. You can also use zone matches to select the packets to accept.