[Bug 1736] nftables - dynamic update for verdict map from the packet path
bugzilla-daemon at netfilter.org
bugzilla-daemon at netfilter.org
Thu Mar 21 11:41:33 CET 2024
https://bugzilla.netfilter.org/show_bug.cgi?id=1736
Simon G. Trajkovski <neuroarmitage at proton.me> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |neuroarmitage at proton.me
--- Comment #10 from Simon G. Trajkovski <neuroarmitage at proton.me> ---
Thanks for simplifying the ruleset.
Looking at your previous ruleset snippet, it looks like the goal is to find the
endpoint for DNAT?
If so, then something like this should be fine?
table ip loadbalancer {
map affinity-mappings {
type ipv4_addr : ipv4_addr
size 65535
flags dynamic,timeout
timeout 4m
elements = { 192.168.0.156 timeout 4m expires 3m59s996ms :
11.0.2.2, 192.168.0.211 timeout 4m expires 3m56s64ms : 11.0.2.1,
192.168.10.254 timeout 4m expires 3m53s974ms :
11.0.2.2 }
}
map epToChain {
type ipv4_addr : verdict
elements = { 11.0.2.1 : goto endpoint-1, 11.0.2.2 : goto
endpoint-2 }
}
chain endpoint-1 {
counter packets 2 bytes 224
update @affinity-mappings { ip saddr : 11.0.2.1 }
meta l4proto tcp dnat to 11.0.2.1 : 5001
}
chain endpoint-2 {
counter packets 203 bytes 11940
update @affinity-mappings { ip saddr : 11.0.2.2 }
meta l4proto tcp dnat to 11.0.2.2 : 5001
}
chain service-ABC {
meta l4proto tcp dnat to ip saddr map @affinity-mappings : 5001
numgen random mod 2 vmap { 0 : goto endpoint-1, 1 : goto
endpoint-2 }
}
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
goto service-ABC
}
}
note that the relevant part is:
meta l4proto tcp dnat to ip saddr map @affinity-mappings : 5001
numgen random mod 2 vmap { 0 : goto endpoint-1, 1 : goto
endpoint-2 }
look up for an existing affinity mapping, it exists, use it for dnat.
Otherwise, update the affinity map and set dnat.
You can combine dnat with map lookups, it is also possible to use
concatenations, such as 11.0.2.1 . 5001 in the affinity map.
(I am all the time assuming port 5001 is the destination port, as in your
previous snippet).
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240321/2591f104/attachment.html>
More information about the netfilter-buglog
mailing list