<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link bz_status_NEW" title="NEW - nftables - dynamic update for verdict map from the packet path" href="https://bugzilla.netfilter.org/show_bug.cgi?id=1736">1736</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>nftables - dynamic update for verdict map from the packet path
</td>
</tr>
<tr>
<th>Product</th>
<td>nftables
</td>
</tr>
<tr>
<th>Version</th>
<td>1.0.x
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>nft
</td>
</tr>
<tr>
<th>Assignee</th>
<td>pablo@netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>dinhtrason@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>I'm not sure if this is a bug or a feature not yet implemented.
I am trying to use a verdict map to associate a client to a chain to implement
the session affinity function for my load balancer.
The map is defined with the dynamic and timeout flags. I plan to add the source
address of a new client, retrieved from the packet path, to the map with the
`update @` action like below:
add table ip loadbalancer
add map ip loadbalancer epToChain { type ipv4_addr : verdict ; flags dynamic,timeout ; timeout 4m ;}
add chain ip loadbalancer service-ABC
add rule ip loadbalancer service-ABC ip saddr vmap @epToChain
add chain ip loadbalancer endpoint-1
add rule ip loadbalancer endpoint-1 update @epToChain { ip saddr : goto endpoint-1 }
add chain ip loadbalancer endpoint-2
add rule ip loadbalancer endpoint-2 update @epToChain { ip saddr : goto endpoint-2 }
But I got the error below with nft 1.0.8:
---
vm-001 ~ # nft --file /tmp/test.txt
/tmp/test.txt:6:68-71: Error: syntax error, unexpected goto
add rule ip loadbalancer endpoint-1 update @epToChain { ip saddr : goto endpoint-1 }
                                                                   ^^^^
/tmp/test.txt:9:68-71: Error: syntax error, unexpected goto
add rule ip loadbalancer endpoint-2 update @epToChain { ip saddr : goto endpoint-2 }
                                                                   ^^^^
vm-001 ~ # nft -v
nftables v1.0.8 (Old Doc Yak #2)
vm-001 ~ # uname -a
Linux vm-001 5.9.1 #32 SMP Thu Jan 14 09:40:07 CET 2021 x86_64 GNU/Linux
---
As a verdict map looks similar to a map or set from the user configuration
perspective, it would be nice to have the same support for dynamic updates from
the packet path for verdict maps as for sets and maps.
I also tried to use another map instead of the verdict map as a workaround, but
got another error (see below).
---
add table ip loadbalancer
add map ip loadbalancer affinity-mappings { type ipv4_addr : ipv4_addr ; flags dynamic,timeout ; timeout 4m ; }
add map ip loadbalancer epToChain { type ipv4_addr : verdict ; }
add chain ip loadbalancer endpoint-1
add chain ip loadbalancer endpoint-2
add rule ip loadbalancer endpoint-1 update @affinity-mappings { ip saddr : 11.0.2.1 }
add rule ip loadbalancer endpoint-2 update @affinity-mappings { ip saddr : 11.0.2.2 }
add element ip loadbalancer epToChain { 11.0.2.1 : goto endpoint-1, 11.0.2.2 : goto endpoint-2 }
add element ip loadbalancer affinity-mappings { 192.168.0.1 : 11.0.2.1 }
add chain ip loadbalancer service-ABC
add rule ip loadbalancer service-ABC ip saddr map @affinity-mappings vmap @epToChain
vm-001 ~ # nft --file /tmp/test.txt
/tmp/test.txt:17:70-73: Error: syntax error, unexpected vmap
add rule ip loadbalancer service-ABC ip saddr map @affinity-mappings vmap @epToChain
                                                                     ^^^^
---
Is it considered a bug or a new feature that will be fixed in the next nftables
version?
Are there any other alternatives for this issue with the latest nft version?</pre>
</div>
</p>
</body>
</html>