<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - nftables - dynamic update for verdict map from the packet path"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1736#c12">Comment # 12</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - nftables - dynamic update for verdict map from the packet path"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1736">bug 1736</a>
from <span class="vcard"><a class="email" href="mailto:dinhtrason@gmail.com" title="dinhtrason@gmail.com">dinhtrason@gmail.com</a>
</span></b>
<pre><span class="quote">> Looking at your previous ruleset snippet, it looks like the goal is to find
> the endpoint for DNAT?
>
> If so, then something like this should be fine?
> </span>
Many thanks for your suggestion and the clear example!
Yes, the ultimate goal of these chains is handling session affinity and doing
DNAT to the correct target's endpoint eventually, based on the cached source IP.
<span class="quote">> note that the relevant part is:
>
> meta l4proto tcp dnat to ip saddr map @affinity-mappings : 5001
>
> look up for an existing affinity mapping, it exists, use it for dnat.
>
> Otherwise, update the affinity map and set dnat.</span>
I was not aware that nft supports syntax that directly DNATs to a port after
a map lookup. It works for my test at least.
The rule however does not refresh the timeout of the cached source IP stored in the
map affinity-mappings for subsequent packets from the same session, like what
the rule "update @affinity-mappings ..." in endpoint-1/2 does.
Do you have any idea how to do that with the new ruleset?
Thanks!</pre>
</div>
</p>
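<p>Added example, not a ruleset from the bug thread or from the nftables project: one way to get the timeout refresh the comment asks about. It keeps the structure discussed above (a prerouting nat chain that dispatches to one chain per endpoint) but replaces the single affinity map with one dynamic set per endpoint, so that the "hit" rule can use the documented <code>update @set { ip saddr }</code> statement, which resets the timeout of an element that already exists. The endpoint addresses 10.0.0.1 and 10.0.0.2, the 10m timeout, the chain names and the random two-way split are assumptions made for the example.</p>

```nft
# Added example, not the bug reporter's ruleset. Endpoint addresses,
# the 10m timeout and the chain names are made up for illustration.
table ip nat {
    # One dynamic set per backend. "timeout" gives elements an expiry,
    # "dynamic" lets rules add/refresh elements from the packet path.
    set affinity-1 {
        type ipv4_addr
        flags dynamic, timeout
        timeout 10m
    }
    set affinity-2 {
        type ipv4_addr
        flags dynamic, timeout
        timeout 10m
    }

    chain endpoint-1 {
        # First connection from a client: record the affinity, then DNAT.
        update @affinity-1 { ip saddr }
        dnat to 10.0.0.1:5001
    }
    chain endpoint-2 {
        update @affinity-2 { ip saddr }
        dnat to 10.0.0.2:5001
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Existing affinity: "update" on an element that is already present
        # resets its timeout, so an active client never expires mid-session;
        # the dnat in the same rule sends it to the cached endpoint.
        meta l4proto tcp ip saddr @affinity-1 update @affinity-1 { ip saddr } dnat to 10.0.0.1:5001
        meta l4proto tcp ip saddr @affinity-2 update @affinity-2 { ip saddr } dnat to 10.0.0.2:5001
        # No affinity yet (or it expired): pick an endpoint; its chain records the mapping.
        meta l4proto tcp numgen random mod 2 vmap { 0 : jump endpoint-1, 1 : jump endpoint-2 }
    }
}
```

<p>Load it with <code>nft -f</code> and watch the remaining lifetime of each entry with <code>nft list set ip nat affinity-1</code>. One caveat that applies to this example and to the map-based ruleset in the thread alike: a chain on the nat hook is only traversed for the first packet of a connection, so "subsequent packets" here means subsequent connections from the same source address; refreshing on every packet of an established flow would require the same <code>update</code> statement in a chain on a filter hook. The cost of the per-endpoint-set layout is one set and one rule per endpoint, which is why the single-map form discussed above is attractive when the number of endpoints is large.</p>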
</body>
</html>