[Bug 1736] nftables - dynamic update for verdict map from the packet path

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Mar 21 13:31:11 CET 2024


https://bugzilla.netfilter.org/show_bug.cgi?id=1736

--- Comment #12 from dinhtrason at gmail.com ---
> Looking at your previous ruleset snippet, it looks like the goal is to find
> the endpoint for DNAT?
> 
> If so, then something like this should be fine?
> 

Many thanks for your suggestion and the clear example!

Yes, the ultimate goal of these chains is handling session affinity and eventually doing
DNAT to the correct target's endpoint based on the cached source IP.


> note that the relevant part is:
> 
>                 meta l4proto tcp dnat to ip saddr map @affinity-mappings : 5001
> look up for an existing affinity mapping, it exists, use it for dnat.
> 
> Otherwise, update the affinity map and set dnat.


I was not aware that nft supports syntax that DNATs directly to a port after
a map lookup. It works for my test at least.

The rule, however, does not refresh the timeout of the cached source IP stored in the
map affinity-mappings for subsequent packets from the same session, like the
rule "update @affinity-mappings ..." in endpoint-1/2 does.

Do you have any idea how to do that with the new ruleset?

Thanks!

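The ruleset below is an added illustration of the two constructs discussed in this thread; it is not the reporter's ruleset and not a reply from the thread. It uses the map name and port from the thread (affinity-mappings, 5001) and assumes two endpoint addresses (10.0.0.11 and 10.0.0.12) and a 5-minute timeout. It shows why the lookup-based DNAT rule alone never refreshes an entry: the rule only reads the map, whereas the `update` statement in the per-endpoint chains refreshes the timeout of an existing element (an `add` statement would instead leave an existing element's timeout untouched).

```nft
# Added example, not the reporter's ruleset. Endpoint addresses and the
# timeout value are assumptions chosen for illustration.
table ip nat {
    map affinity-mappings {
        type ipv4_addr : ipv4_addr
        flags dynamic,timeout
        timeout 5m
    }

    chain endpoint-1 {
        # "update" refreshes the timeout of an existing element, or adds it.
        # "add" would not refresh an element that is already present.
        update @affinity-mappings { ip saddr : 10.0.0.11 }
        dnat to 10.0.0.11:5001
    }

    chain endpoint-2 {
        update @affinity-mappings { ip saddr : 10.0.0.12 }
        dnat to 10.0.0.12:5001
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Existing affinity entry: DNAT to the cached endpoint. This rule only
        # looks the element up, so the element's timeout is not refreshed here.
        # A failed lookup makes the rule not match, so the packet falls through.
        tcp dport 5001 dnat to ip saddr map @affinity-mappings : 5001

        # No entry yet: pick an endpoint; its chain creates the mapping and
        # does the DNAT.
        tcp dport 5001 numgen inc mod 2 vmap { 0 : jump endpoint-1, 1 : jump endpoint-2 }
    }
}
```

To observe the difference, load the file with `nft -f` and inspect `nft list map ip nat affinity-mappings` while sending traffic: each element is listed with an `expires` value, which resets when a packet traverses one of the endpoint chains but keeps counting down when only the lookup rule matches.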