[Bug 1736] nftables - dynamic update for verdict map from the packet path
bugzilla-daemon at netfilter.org
Wed Mar 20 11:46:28 CET 2024
https://bugzilla.netfilter.org/show_bug.cgi?id=1736
--- Comment #4 from dinhtrason at gmail.com ---
> Are you fully using the 32 bits in the mark _only_ for masquerading?
No, masquerading takes one bit of the packet mark. The location of the bit,
however, is not fixed (i.e. it is a configuration option), making the usage of
meta mark even more difficult.
You can refer to masqueradeBit in the link for more details.
https://kubernetes.io/docs/reference/config-api/kube-proxy-config.v1alpha1/#kubeproxy-config-k8s-io-v1alpha1-KubeProxyNFTablesConfiguration
>
> If you use conntrack, then can you use connlabel?
>
No, conntrack is not used in the context of this chain.
>
> I don't have access to your ruleset, I would need a sketch ruleset of you to
> understand better what you are trying to do and make better suggestions.
>
> Thanks.
You can refer to the snippet of ruleset highlighted in k8s's pull request for
more details.
https://github.com/kubernetes/kubernetes/pull/123168#issuecomment-1931674294
Note that I use the trick "ip daddr set ip saddr map
@affinityMapToEP-DBUHUTQG-default/alpine-service/tcp/iperf" instead of meta
mark in this example. That works fine for this use-case, but it is not a
recommended solution from the community.