* About nftable nat rule
@ 2017-05-24  8:40 Zheng konia
  2017-05-24  9:07 ` Arturo Borrero Gonzalez
  0 siblings, 1 reply; 6+ messages in thread
From: Zheng konia @ 2017-05-24  8:40 UTC (permalink / raw)
  To: netfilter

Hi,

   I am transferring iptables-nat to nftables-nat for testing the NAT
forwarding efficiency. However, I have some doubts; hope you can help
me.


  nft add rule nat prerouting tcp dport 80  dnat  192.168.1.100:4040
  nft add rule nat prerouting tcp dport 80  dnat  192.168.1.100:4050
  nft add rule nat prerouting tcp dport 80  dnat  192.168.1.100:4060
  nft add rule nat prerouting tcp dport 80  dnat  192.168.1.100:4070
  ...

  How can I put these rules into one to get load balance? I have tried
the below, it does not work.

 nft add rule nat prerouting tcp dport 80  dnat  192.168.1.100 : {4040, 4050, 4060, 4070}  persistent

 or using jhash


 nft add rule nat prerouting tcp dport 80  dnat  192.168.1.100 : jhash ip saddr . tcp dport mod 4 map {0 : 4040, 1 : 4050, 2 : 4060, 3 : 4070}


 Can you show me how to do that? Thanks.



Konia Zheng
2017.05.24


* Re: About nftable nat rule
  2017-05-24  8:40 About nftable nat rule Zheng konia
@ 2017-05-24  9:07 ` Arturo Borrero Gonzalez
  2017-05-24  9:30   ` Zheng konia
  0 siblings, 1 reply; 6+ messages in thread
From: Arturo Borrero Gonzalez @ 2017-05-24  9:07 UTC (permalink / raw)
  To: Zheng konia; +Cc: Netfilter Users Mailing list

On 24 May 2017 at 10:40, Zheng konia <konianet@gmail.com> wrote:
>
>  Can you show me how to do that? Thanks.
>

Please read the docs:

https://wiki.nftables.org/wiki-nftables/index.php/Load_balancing
https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)
https://wiki.nftables.org/wiki-nftables/index.php/Multiple_NATs_using_nftables_maps


* Re: About nftable nat rule
  2017-05-24  9:07 ` Arturo Borrero Gonzalez
@ 2017-05-24  9:30   ` Zheng konia
  2017-05-24  9:49     ` Arturo Borrero Gonzalez
  0 siblings, 1 reply; 6+ messages in thread
From: Zheng konia @ 2017-05-24  9:30 UTC (permalink / raw)
  To: Arturo Borrero Gonzalez; +Cc: Netfilter Users Mailing list

Hi, I have read your wiki.

However, there are few examples about DNAT --to-destination-port range.
You do have examples about balancing to different destinations, while I am
looking for balancing across different destination ports.

Any suggestion?

2017-05-24 17:07 GMT+08:00 Arturo Borrero Gonzalez <arturo@debian.org>:
> On 24 May 2017 at 10:40, Zheng konia <konianet@gmail.com> wrote:
>>
>>  Can you show me how to do that? Thanks.
>>
>
> Please read the docs:
>
> https://wiki.nftables.org/wiki-nftables/index.php/Load_balancing
> https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)
> https://wiki.nftables.org/wiki-nftables/index.php/Multiple_NATs_using_nftables_maps


* Re: About nftable nat rule
  2017-05-24  9:30   ` Zheng konia
@ 2017-05-24  9:49     ` Arturo Borrero Gonzalez
  2017-05-24 10:44       ` Pablo Neira Ayuso
  0 siblings, 1 reply; 6+ messages in thread
From: Arturo Borrero Gonzalez @ 2017-05-24  9:49 UTC (permalink / raw)
  To: Zheng konia; +Cc: Netfilter Users Mailing list

On 24 May 2017 at 11:30, Zheng konia <konianet@gmail.com> wrote:
> Hi, I have read your wiki.
>
> However, there are few examples about DNAT --to-destination-port range.
> You do have examples about balancing to different destinations, while I am
> looking for balancing across different destination ports.
>
> Any suggestion?
>

Try something like this:

nft add rule t c ip protocol tcp dnat to 192.168.1.100 : numgen inc mod 2 map { 0 : 4040 , 1 : 4050 }
(i.e., the destination address doesn't change, but the port does)


We can update the wiki if that works.


* Re: About nftable nat rule
  2017-05-24  9:49     ` Arturo Borrero Gonzalez
@ 2017-05-24 10:44       ` Pablo Neira Ayuso
  2017-05-24 11:34         ` Arturo Borrero Gonzalez
  0 siblings, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2017-05-24 10:44 UTC (permalink / raw)
  To: Arturo Borrero Gonzalez; +Cc: Zheng konia, Netfilter Users Mailing list

On Wed, May 24, 2017 at 11:49:04AM +0200, Arturo Borrero Gonzalez wrote:
> On 24 May 2017 at 11:30, Zheng konia <konianet@gmail.com> wrote:
> > Hi, I have read your wiki.
> >
> > However, there are few examples about DNAT --to-destination-port range.
> > You do have examples about balancing to different destinations, while I am
> > looking for balancing across different destination ports.
> >
> > Any suggestion?
> >
> 
> Try something like this:
> 
> nft add rule t c ip protocol tcp dnat to 192.168.1.100 : numgen inc mod 2 map { 0 : 4040 , 1 : 4050 }
> (i.e., the destination address doesn't change, but the port does)
> 
> We can update the wiki if that works.

BTW, depending on your environment, you may want to use a stateless
NAT approach too that should be faster, e.g.

nft add rule t c ip protocol tcp ip daddr set 192.168.1.100 \
        tcp dport set numgen inc mod 2 map { 0 : 4040 , 1 : 4050 }

This requires a recent Linux kernel though.

Note: Beware with stateless NAT, it only works with 1:1 mappings, it's
easy to shoot yourself on your own feet... Otherwise, stick to the
stateful approach.

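A complete ruleset in the two styles discussed in this thread (Arturo's stateful `dnat to <addr> : numgen ... map` rule, with a jhash variant for the per-client stickiness the first message asked about, and Pablo's stateless `ip daddr set` / `tcp dport set` rewrite), as an added example that is not code from the thread or from the nftables wiki. The backend address, the ports and the table and chain names are the thread's own or constructed; the interface names eth0/eth1, the client-facing address 203.0.113.10 and the jhash seed are assumptions. The script only renders the ruleset text and dry-runs it through `nft -c` when nft happens to be installed; nothing is loaded into the kernel.

```shell
#!/bin/sh
# Added example, not code from the thread: render an nftables ruleset that
# DNATs TCP/80 to 192.168.1.100 and spreads connections over ports
# 4040-4070, in the stateful and stateless styles discussed above.
# Assumed: interfaces eth0 (client side) and eth1 (backend side), the
# client-facing address 203.0.113.10, and the jhash seed value.

BACKEND=192.168.1.100
VIP=203.0.113.10                       # assumption: address clients connect to
PORTMAP='map { 0 : 4040, 1 : 4050, 2 : 4060, 3 : 4070 }'

# Port-selection expression for the stateful dnat rule.
#   roundrobin: numgen inc yields 0,1,2,3,0,... once per new connection,
#               because the nat hook only sees a flow's first packet.
#   sticky:     jhash of the client address pins each client to one port,
#               so a client that reconnects lands on the same backend port.
port_selector() {
  case "$1" in
    roundrobin) echo "numgen inc mod 4 $PORTMAP" ;;
    sticky)     echo "jhash ip saddr mod 4 seed 0x6e667461 $PORTMAP" ;;
    *) echo "port_selector: unknown mode '$1'" >&2; return 1 ;;
  esac
}

# Stateful variant: conntrack records the chosen port on the first packet,
# rewrites the rest of the flow and un-translates the replies by itself.
render_stateful_ruleset() {
  sel=$(port_selector "$1") || return 1
  cat <<EOF
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iif eth0 ip daddr $VIP tcp dport 80 dnat to $BACKEND : $sel
    }
    chain postrouting {
        # left empty on purpose: registering the postrouting nat hook as
        # well is what older kernels needed for replies to be un-translated
        type nat hook postrouting priority 100; policy accept;
    }
}
EOF
}

# Stateless variant (Pablo's ip daddr set / tcp dport set): no conntrack, so
# every packet is rewritten independently and the reply path needs a second
# rule written by hand. That is only sound when the original destination is
# one fixed address (the 1:1 caveat from the thread), and the port has to be
# picked by a per-flow hash rather than numgen inc, otherwise the packets of
# a single TCP connection would be scattered over different backend ports.
render_stateless_ruleset() {
  cat <<EOF
table ip stateless_nat {
    chain prerouting {
        type filter hook prerouting priority -150; policy accept;
        iif eth0 ip daddr $VIP tcp dport 80 ip daddr set $BACKEND tcp dport set jhash ip saddr . tcp sport mod 4 seed 0x6e667461 $PORTMAP
        iif eth1 ip saddr $BACKEND tcp sport { 4040, 4050, 4060, 4070 } ip saddr set $VIP tcp sport set 80
    }
}
EOF
}

# Dry-run a rendered ruleset through nft's parser when nft is available;
# nothing is loaded into the kernel either way.
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    printf '%s\n' "$1" | nft -c -f -
  else
    echo "nft not installed, skipping syntax check" >&2
  fi
}

for mode in roundrobin sticky; do
  render_stateful_ruleset "$mode"
  check_ruleset "$(render_stateful_ruleset "$mode")" || echo "stateful/$mode rejected by nft -c" >&2
done
render_stateless_ruleset
check_ruleset "$(render_stateless_ruleset)" || echo "stateless rejected by nft -c" >&2
```

The stateful ruleset is the one to reach for first: conntrack does the reverse translation, so the only decision is the port selector, and `numgen inc` versus `jhash` is the round-robin versus sticky choice. The stateless table is there to show what Pablo's warning means in practice: both directions are your responsibility, and the rule set is only correct because a single VIP maps to a single backend.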

* Re: About nftable nat rule
  2017-05-24 10:44       ` Pablo Neira Ayuso
@ 2017-05-24 11:34         ` Arturo Borrero Gonzalez
  0 siblings, 0 replies; 6+ messages in thread
From: Arturo Borrero Gonzalez @ 2017-05-24 11:34 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Zheng konia, Netfilter Users Mailing list

On 24 May 2017 at 12:44, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Note: Beware with stateless NAT, it only works with 1:1 mappings, it's
> easy to shoot yourself on your own feet... Otherwise, stick to the
> stateful approach.

Just updated the wiki to add this information:

https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)#Stateless_NAT
https://wiki.nftables.org/wiki-nftables/index.php/Load_balancing

