[Bug 1736] New: nftables - dynamic update for verdict map from the packet path
bugzilla-daemon at netfilter.org
Tue Feb 13 11:34:36 CET 2024
https://bugzilla.netfilter.org/show_bug.cgi?id=1736
Bug ID: 1736
Summary: nftables - dynamic update for verdict map from the packet path
Product: nftables
Version: 1.0.x
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: dinhtrason at gmail.com
I'm not sure if this is a bug or a feature that is not yet implemented.
I am trying to use a verdict map to associate a client with a chain to implement
the session affinity function for my load balancer.
The map is defined with the dynamic and timeout flags. I plan to add the source
address of a new client, retrieved from the packet path, to the map with the
`update @` action like below:
add table ip loadbalancer
add map ip loadbalancer epToChain { type ipv4_addr : verdict ; flags dynamic,timeout ; timeout 4m ;}
add chain ip loadbalancer service-ABC
add rule ip loadbalancer service-ABC ip saddr vmap @epToChain
add chain ip loadbalancer endpoint-1
add rule ip loadbalancer endpoint-1 update @epToChain { ip saddr : goto endpoint-1 }
add chain ip loadbalancer endpoint-2
add rule ip loadbalancer endpoint-2 update @epToChain { ip saddr : goto endpoint-2 }
But I got the error below with nft 1.0.8:
---
vm-001 ~ # nft --file /tmp/test.txt
/tmp/test.txt:6:68-71: Error: syntax error, unexpected goto
add rule ip loadbalancer endpoint-1 update @epToChain { ip saddr : goto endpoint-1 }
                                                                   ^^^^
/tmp/test.txt:9:68-71: Error: syntax error, unexpected goto
add rule ip loadbalancer endpoint-2 update @epToChain { ip saddr : goto endpoint-2 }
                                                                   ^^^^
vm-001 ~ # nft -v
nftables v1.0.8 (Old Doc Yak #2)
vm-001 ~ # uname -a
Linux vm-001 5.9.1 #32 SMP Thu Jan 14 09:40:07 CET 2021 x86_64 GNU/Linux
---
As a verdict map looks similar to a map or set from the user configuration
perspective, it would be nice to have the same support for dynamic update from
the packet path for verdict maps as for sets and maps.
I also tried to use another map instead of the verdict map as a workaround, but
got another error (see below).
---
add table ip loadbalancer
add map ip loadbalancer affinity-mappings { type ipv4_addr : ipv4_addr ; flags dynamic,timeout ; timeout 4m ; }
add map ip loadbalancer epToChain { type ipv4_addr : verdict ; }
add chain ip loadbalancer endpoint-1
add chain ip loadbalancer endpoint-2
add rule ip loadbalancer endpoint-1 update @affinity-mappings { ip saddr : 11.0.2.1 }
add rule ip loadbalancer endpoint-2 update @affinity-mappings { ip saddr : 11.0.2.2 }
add element ip loadbalancer epToChain { 11.0.2.1 : goto endpoint-1, 11.0.2.2 : goto endpoint-2 }
add element ip loadbalancer affinity-mappings { 192.168.0.1 : 11.0.2.1 }
add chain ip loadbalancer service-ABC
add rule ip loadbalancer service-ABC ip saddr map @affinity-mappings vmap @epToChain
vm-001 ~ # nft --file /tmp/test.txt
/tmp/test.txt:17:70-73: Error: syntax error, unexpected vmap
add rule ip loadbalancer service-ABC ip saddr map @affinity-mappings vmap @epToChain
                                                                     ^^^^
---
Is it considered a bug or a new feature that will be fixed in the next nftables
version?
Are there any other alternatives for this issue with the latest nft version?