[Bug 1736] nftables - dynamic update for verdict map from the packet path
bugzilla-daemon at netfilter.org
Wed Mar 20 13:01:57 CET 2024
https://bugzilla.netfilter.org/show_bug.cgi?id=1736
--- Comment #7 from dinhtrason at gmail.com ---
> Can you use the conntrack mark (instead of the packet mark)?
>
> Looking at your ruleset, that makes sense to me, because this also allows to
> debug via `conntrack -L' what endpoint has been selected for a given flow,
> also for netfilter logging as well as `conntrack -E' for event reporting.
>
> You do use conntrack, because I can see 'dnat to' is used in your ruleset
> after the endpoint is selected based on the affinity, note that the stateful
> NAT engine requires conntrack.
>
That makes sense.
> I have attached a sketch ruleset I built from your link, I mangled it to use
> ct mark.
Thanks for your quick reply. I'll give it a try.
> vm-001 ~ # nft --file /tmp/test.txt
> /tmp/test.txt:17:70-73: Error: syntax error, unexpected vmap
> add rule ip loadbalancer service-ABC ip saddr map @affinity-mappings vmap @epToChain
BTW, I had a commit to support the case. Could you please let me know how I can
send the patch? I refer to the guide
https://wiki.nftables.org/wiki-nftables/index.php/Portal:DeveloperDocs/Patch_submission_guidelines,
but could not see the email address that I can send the patch to.
Thanks!
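For readers following this thread: the rejected rule above tries to chain a data map lookup (`map`) straight into a verdict map lookup (`vmap`) in one statement. The ruleset below is an added illustration, not the sketch attached to the bug or the reporter's ruleset, of the ct-mark approach suggested in the quoted reply, split into two rules so that the nft parser accepts it; the table, chain and map names are taken from the error line, while the addresses, mark values and endpoint chains are constructed placeholders.

```nft
table ip loadbalancer {
    # constructed sample: client source address -> affinity id
    map affinity-mappings {
        type ipv4_addr : mark
        elements = { 192.0.2.10 : 0x1, 192.0.2.11 : 0x2 }
    }

    # affinity id -> endpoint chain (verdict map)
    map epToChain {
        type mark : verdict
        elements = { 0x1 : jump ep-A, 0x2 : jump ep-B }
    }

    # placeholder endpoints; stateful dnat requires conntrack
    chain ep-A { dnat to 10.0.0.1 }
    chain ep-B { dnat to 10.0.0.2 }

    chain service-ABC {
        type nat hook prerouting priority dstnat; policy accept;

        # step 1: record the affinity id in the conntrack mark, so it is
        # visible with `conntrack -L' / `conntrack -E' for the whole flow
        ct mark set ip saddr map @affinity-mappings

        # step 2: dispatch on ct mark in a separate rule; this avoids the
        # "map ... vmap" combination that fails with "unexpected vmap"
        ct mark vmap @epToChain
    }
}
```

After loading this with `nft -f`, a flow from 192.0.2.10 is listed by `conntrack -L` with `mark=1`, which is the selected endpoint A; clients absent from the map keep ct mark 0, miss the verdict map and fall through to the chain policy.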