[Bug 1736] nftables - dynamic update for verdict map from the packet path

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Mon Mar 25 11:59:12 CET 2024


https://bugzilla.netfilter.org/show_bug.cgi?id=1736

--- Comment #14 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to dinhtrason from comment #13)
> I did not even think about the race condition. Thanks for highlighting this
> special case.

table ip loadbalancer {
        map affinity-mappings {
                type ipv4_addr : ipv4_addr
                size 65535
                flags dynamic,timeout
                timeout 4m
        }

        chain candidate-endpoint-1 {
                update @affinity-mappings { ip saddr counter : 11.0.2.1 }
        }

        chain candidate-endpoint-2 {
                update @affinity-mappings { ip saddr counter : 11.0.2.2 }
        }

        chain service-ABC {
                numgen random mod 2 vmap { 0 : goto candidate-endpoint-1, 1 : goto candidate-endpoint-2 }
                meta l4proto tcp dnat to ip saddr map @affinity-mappings : 5001
        }
}

The idea is:

1) Update/refresh the mapping first. If the mapping already exists, refresh the
timeout for such existing mapping, note that the existing mapping is left as is
if it exists (update does not override an existing mapping). If the mapping
does not exist, then the new mapping entry gets added.
2) Then, look up for the DNAT mapping.

BTW, I have placed counters after the key in the update statement, then update
bumps the corresponding counters for the existing/new mapping in your
@affinity-mappings.
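The two-step flow described in the comment (update/refresh the dynamic map first, then look the same key up for DNAT), traced on a few constructed packets. This is an added example and not part of the bug report or of nftables itself: it is a Python model of the map semantics the ruleset relies on, not nft code, and it does not load any ruleset. The class and function names (DynamicMap, Service, trace), the seeded random generator standing in for `numgen random mod 2`, and the packet timestamps are all assumptions made for the illustration; the timeout (4m), the candidate addresses and the port 5001 are taken from the ruleset above.

```python
"""Model of the affinity-map flow from the nft ruleset in the comment above.

Added example, not nft code: it simulates a `flags dynamic,timeout` map so
the order of operations (update/refresh, then lookup) can be traced.
"""
import random
from dataclasses import dataclass

TIMEOUT = 4 * 60                       # `timeout 4m` in the ruleset
ENDPOINTS = ["11.0.2.1", "11.0.2.2"]   # candidate-endpoint-1 / candidate-endpoint-2
SERVICE_PORT = 5001                    # `dnat to ... : 5001`


@dataclass
class Entry:
    value: str        # mapped endpoint address
    expires: float    # absolute time at which the element times out
    packets: int = 0  # `counter` attached to the element
    bytes: int = 0


class DynamicMap:
    """Stand-in for `map affinity-mappings { flags dynamic,timeout; timeout 4m }`."""

    def __init__(self, timeout):
        self.timeout = timeout
        self.entries = {}

    def _expire(self, now):
        # Elements whose timeout has passed are gone for both update and lookup.
        for key in [k for k, e in self.entries.items() if e.expires <= now]:
            del self.entries[key]

    def update(self, key, value, now, pkt_len):
        """`update @map { key counter : value }`.

        Existing element: refresh its timeout and bump its counter, keep its value.
        Missing element:  add it with the given value and a fresh timeout.
        """
        self._expire(now)
        entry = self.entries.get(key)
        if entry is None:
            entry = self.entries[key] = Entry(value, now + self.timeout)
        else:
            entry.expires = now + self.timeout   # value deliberately not overridden
        entry.packets += 1
        entry.bytes += pkt_len
        return entry.value

    def lookup(self, key, now):
        """`ip saddr map @map`: plain lookup, does not refresh the timeout."""
        self._expire(now)
        entry = self.entries.get(key)
        return entry.value if entry else None


class Service:
    """chain service-ABC: pick a candidate, update the map, then DNAT by lookup."""

    def __init__(self, seed=0):
        self.affinity = DynamicMap(TIMEOUT)
        self.numgen = random.Random(seed)  # assumption: stands in for `numgen random mod 2`

    def handle(self, saddr, now, pkt_len=60):
        # vmap { 0 : goto candidate-endpoint-1, 1 : goto candidate-endpoint-2 }
        idx = self.numgen.randrange(len(ENDPOINTS))
        # Step 1: update/refresh (a new client gets idx's endpoint, a known client keeps its own)
        self.affinity.update(saddr, ENDPOINTS[idx], now, pkt_len)
        # Step 2: DNAT target comes from the map, not from this packet's numgen result
        target = self.affinity.lookup(saddr, now)
        return (target, SERVICE_PORT) if target else None


def trace(seed=1):
    """Constructed packet sequence from one client: three inside the timeout, one after it."""
    svc = Service(seed)
    # Timestamps (seconds) are constructed; 600s is past 239s + 4m, so the element has expired.
    return [svc.handle("10.0.0.5", t) for t in (0, 100, 239, 600)]


if __name__ == "__main__":
    for target in trace():
        print(target)
```

The point the trace makes is that the DNAT decision is taken from the map after the update, so the random pick only matters for the first packet of a client (and again once the element has timed out); on every later packet `update` refreshes the timeout and bumps the counter without touching the stored value.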
