Attempting To Use Tproxy On CentOS 8 Fails With ‘No Such File Or Directory’


I was working on a haproxy transparent proxy setup that we had working on CentOS 7 (iptables), but I am running into issues getting tproxy working with NFTables on CentOS 8.

From https://www.kernel.org/doc/Documentation/networking/tproxy.txt, it should be a matter of:

# nft add table filter
# nft add chain filter divert "{ type filter hook prerouting priority -150; }"
# nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept

But when running the 3rd line (add rule), I get

root@kryptonite [/lib/modules/4.18.0-80.11.2.el8_0.x86_64]# nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
Error: Could not process rule: No such file or directory
add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

(In attempting to resolve this, I did the following)

modprobe nf_tproxy_ipv4
modprobe nf_tproxy_ipv6
modprobe nf_socket_ipv4
modprobe nf_socket_ipv6

I also noted that:
nft add rule filter divert meta l4proto tcp  meta mark set 1 accept
(Removing socket transparent 1)

does not exit with a failure.

Also found https://bugzilla.redhat.com/show_bug.cgi?id=1651813 (which did make reference to the nftables version 0.9.0 possibly missing support; I have not tried compiling 0.9.1 yet, but I find it curious the entire line fails with ‘socket transparent 1’, making me wonder if it is a missing module still).


Nathan Coulson System Administrator for Bravenet Web Services www.bravenet.com

3 thoughts on - Attempting To Use Tproxy On CentOS 8 Fails With ‘No Such File Or Directory’

  • Adding to this: I just did a loop through the netfilter modules to see if something was missing (no change)

    for x in $(find /lib/modules/4.18.0-80.11.2.el8_0.x86_64 | grep netfilter | sed 's/.*netfilter.//' | sed 's/\.ko.*$//' | sort); do
      echo ">>>>>>$x<<<<<<<<"
      modprobe $x
      nft add rule filter divert meta l4proto tcp socket transparent 1 meta mark set 1 accept
    done

    --
    Nathan Coulson System Administrator for Bravenet Web Services http://www.bravenet.com

  • How is that solved for Fedora 28 that CentOS 8 is based on?


    Ljubomir Ljubojevic
    (Love is in the Air)
    PL Computers Serbia, Europe

    StarOS, Mikrotik and CentOS/RHEL/Linux consultant

  • The ticket itself was obviously the same issue (I want to say that the socket/tproxy nft modules were unloaded for the ticket owner), but the modules in CentOS 8 are a touch different from what is described in the ticket (not sure what they are without more research, but I was suspecting that xt_TPROXY and xt_socket were what I may need, but they didn’t help).

    It also made reference to nftables needing to be 0.9.1 vs 0.9.0, but I did note the entire line was shown wrong, and that it does seem to take ‘socket transparent 1’ as a valid argument to that line (removing transparent 1, it says it expects transparent to follow socket). So I don’t know how much that contributes.

    (and then transformed into kernel crashes when those nft rules were added, which is at least currently not part of the issue)

    Gut feeling would be a missing module, but I feel like I am missing part of the puzzle for this.


    Nathan Coulson System Administrator for Bravenet Web Services http://www.bravenet.com
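
An added example, not part of the original thread: in the upstream kernel the nft `socket` and `tproxy` expressions live in the modules nft_socket and nft_tproxy, which are separate from the nf_socket_*/nf_tproxy_* helpers and the xt_* iptables modules mentioned in the thread. Assuming those upstream names apply to the kernel being checked, this script reports whether each module is built in, shipped as a loadable module, or absent from a /lib/modules tree; `make_sample_tree` builds a constructed tree, not a real CentOS one.

```shell
#!/bin/sh
# Added example (not from the thread). nft_socket / nft_tproxy are the upstream
# kernel module names, assumed to apply to the kernel tree being checked.

# Print "builtin", "module" or "missing" for module $2 under kernel dir $1.
module_status() {
    kdir=$1 mod=$2
    # modules.builtin lists objects compiled into the kernel image
    if [ -f "$kdir/modules.builtin" ] &&
       grep -q "/$mod\.ko\$" "$kdir/modules.builtin"; then
        echo builtin
    # loadable modules may be compressed (.ko, .ko.xz, .ko.gz, ...)
    elif [ -d "$kdir" ] &&
         [ -n "$(find "$kdir" -type f -name "$mod.ko*" 2>/dev/null | head -n 1)" ]; then
        echo module
    else
        echo missing
    fi
}

# Report the nft expression modules plus the helpers loaded in the thread.
# Returns 1 if any of them is missing from the tree.
check_tproxy_prereqs() {
    kdir=$1 rc=0
    for mod in nft_socket nft_tproxy nf_socket_ipv4 nf_socket_ipv6 \
               nf_tproxy_ipv4 nf_tproxy_ipv6; do
        st=$(module_status "$kdir" "$mod")
        printf '%-16s %s\n' "$mod" "$st"
        [ "$st" = missing ] && rc=1
    done
    return $rc
}

# Constructed sample tree: some nf_* helpers present, nft_tproxy built in,
# nft_socket absent.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/kernel/net/ipv4/netfilter" "$d/kernel/net/netfilter"
    : > "$d/kernel/net/ipv4/netfilter/nf_socket_ipv4.ko.xz"
    : > "$d/kernel/net/ipv4/netfilter/nf_tproxy_ipv4.ko.xz"
    echo "kernel/net/netfilter/nft_tproxy.ko" > "$d/modules.builtin"
    echo "$d"
}

# Usage: sh check.sh "/lib/modules/$(uname -r)"
if [ -n "${1:-}" ]; then check_tproxy_prereqs "$1"; fi
```

A "missing" result for nft_socket means no amount of modprobe on that kernel can make the `socket transparent` rule load.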