[Bug 1736] nftables - dynamic update for verdict map from the packet path

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Wed Mar 20 13:17:27 CET 2024


https://bugzilla.netfilter.org/show_bug.cgi?id=1736

--- Comment #8 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to dinhtrason from comment #7)
> > Can you use the conntrack mark (instead of the packet mark)?
> > 
> > Looking at your ruleset, that makes sense to me, because this also allows you to
> > debug via `conntrack -L' what endpoint has been selected for a given flow,
> > also for netfilter logging as well as `conntrack -E' for event reporting.
> > 
> > You do use conntrack, because I can see 'dnat to' is used in your ruleset
> > after the endpoint is selected based on the affinity; note that the stateful
> > NAT engine requires conntrack.
> > 
> 
> That makes sense. 

BTW, you probably want to reserve ct mark == 0 for flows which are not yet pinned
to an endpoint, which is the initial value for the conntrack mark anyway when
the flow is created. Then, you have to adjust the maps.

Note that numgen random allows for an offset, so you could even try to make the ct
mark unique, that is, ensure that each service has its own ct mark space. This
goes with the idea of allowing you to use the existing conntrack userspace tool
as well as netfilter logging to debug issues (e.g. a flow going somewhere it
should not).

> > I have attached a sketch ruleset I built from your link, I mangled it to use
> > ct mark.
> 
> Thanks for your quick reply. I'll give it a try.
> 
> 
> > vm-001 ~ # nft --file /tmp/test.txt
> > /tmp/test.txt:17:70-73: Error: syntax error, unexpected vmap
> > add rule ip loadbalancer service-ABC ip saddr map @affinity-mappings vmap @epToChain
> 
> BTW, I had a commit to support the case. Could you please let me know how I
> can send the patch? I refer to the guide
> https://wiki.nftables.org/wiki-nftables/index.php/Portal:DeveloperDocs/
> Patch_submission_guidelines, but could not see the email address that I can
> send the patch to.

You mean you would like support for a map lookup, then use the result as input
for another verdict map lookup?

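The two suggestions above (ct mark 0 reserved for flows that are not yet pinned, and a numgen offset per service so each service owns its own ct mark range) put together as an added example ruleset; this is not the sketch attached to the bug, and the service addresses, backend addresses and mark ranges are hypothetical.

```nft
#!/usr/sbin/nft -f
# Added example, not the ruleset from the bug report. Assumes two services
# (192.0.2.1 and 192.0.2.2, hypothetical) and two backends each.
flush ruleset

table ip loadbalancer {
    # ct mark -> backend. Service ABC owns marks 100..101, service XYZ owns
    # 200..201, so a mark seen in `conntrack -L' identifies both the service
    # and the endpoint. Mark 0 is never a key: it means "not pinned yet".
    map backend {
        type mark : ipv4_addr
        elements = { 100 : 10.0.1.10, 101 : 10.0.1.11,
                     200 : 10.0.2.10, 201 : 10.0.2.11 }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # A nat chain only sees the first packet of a flow, whose ct mark is
        # still the initial 0. Pick an endpoint and pin it in the conntrack
        # entry; the offset keeps the two services in disjoint mark spaces.
        ip daddr 192.0.2.1 tcp dport 80 ct mark 0 \
            ct mark set numgen random mod 2 offset 100
        ip daddr 192.0.2.2 tcp dport 80 ct mark 0 \
            ct mark set numgen random mod 2 offset 200

        # Translate to the backend the mark now points at. Later packets of
        # the flow are NATed by conntrack and never reach this chain.
        ct mark != 0 dnat to ct mark map @backend
    }
}
```

Load it with `nft -f`, and `conntrack -L --mark 100` then lists every flow pinned to the first backend of service ABC, which is the debugging path the comment describes.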