From: Phil Sutter <phil@nwl.cc>
To: "Serguei Bezverkhi (sbezverk)" <sbezverk@cisco.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
	Florian Westphal <fw@strlen.de>,
	"netfilter-devel@vger.kernel.org"
	<netfilter-devel@vger.kernel.org>
Subject: Re: Operation not supported when adding jump command
Date: Tue, 26 Nov 2019 23:15:18 +0100
Message-ID: <20191126221518.GF8016@orbyte.nwl.cc>
In-Reply-To: <AC4B6BFD-30FA-4A62-AD3C-3EB37029EC1B@cisco.com>

Hi,

On Tue, Nov 26, 2019 at 09:20:20PM +0000, Serguei Bezverkhi (sbezverk) wrote:
> It almost worked ( Check this out:
> sudo nft list table ipv4table
> table ip ipv4table {
> 	set no-endpoint-svc-ports {
> 		type inet_service
> 		elements = { 8080, 8989 }
> 	}
> 
> 	set no-endpoint-svc-addrs {
> 		type ipv4_addr
> 		flags interval
> 		elements = { 10.1.1.1, 10.1.1.2}
> 	}
> 
> 	chain input-net {
> 		type nat hook input priority filter; policy accept;
> 		jump services
> 	}
> 
> 	chain input-local {
> 		type nat hook output priority filter; policy accept;
> 		jump services
> 	}
> 
> 	chain services {
> 		ip daddr @no-endpoint-svc-addrs tcp dport @no-endpoint-svc-ports reject with tcp reset
> 		ip daddr @no-endpoint-svc-addrs udp dport @no-endpoint-svc-ports reject with icmp type net-unreachable
> 	}
> 
> 	chain svc1-endpoint-1 {
> 		ip protocol tcp dnat to 12.1.1.1:8080
> 	}
> 
> 	chain svc1-endpoint-2 {
> 		ip protocol tcp dnat to 12.1.1.2:8080
> 	}
> 
> 	chain svc2-endpoint-1 {
> 		ip protocol tcp dnat to 12.1.1.3:8090
> 	}
> 
> 	chain svc2-endpoint-2 {
> 		ip protocol tcp dnat to 12.1.1.4:8090
> 	}
> 
> 	chain svc1 {
> 	}
> 
> 	chain svc2 {
> 	}
> 
> 	chain prerouting {
> 		type nat hook prerouting priority filter; policy accept;
> 		ip daddr 1.1.1.1 tcp dport 88 numgen random mod 2 vmap { 0 : jump svc1-endpoint-1, 1 : jump svc1-endpoint-2 }
> 		ip daddr 2.2.2.2 tcp dport 99 numgen random mod 2 vmap { 0 : jump svc2-endpoint-1, 1 : jump svc2-endpoint-2 }
> 	}}
> 
> Ideally I need to apply this rule " numgen random mod 2 vmap { 0 : jump svc1-endpoint-1, 1 : jump svc1-endpoint-2 }" to svc1 and svc2 chains to load balance between services' endpoints but when I do that it fails with Unsupported operation.
> In contrast it let me apply this rule to prerouting chain.

I don't see where you jump to svc1/svc2 so this is a bit of guesswork.
Anyway, please keep in mind that dnat is only supported from nat (and
prerouting or output).

> This split support of reject in input/forward/output and numgen only in prerouting is not ideal as a packet for a client of a service without registered endpoint will need to go through all checks in prerouting chain before it reaches input chain and get its reject back.

As said, it is dnat which is limited to prerouting. Numgen itself works
everywhere. If there is a known criteria identifying a client without
registered endpoint, you could match on that and 'accept' early in
prerouting. This will make the packet go to input/forward directly
without traversing the remaining prerouting rules.

Cheers, Phil
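One way to lay out the ruleset along the lines Phil describes, as an added example rather than anything posted in the thread: the per-service chains keep the numgen vmap, they are only reached by jumps from the nat prerouting base chain (so the dnat in the endpoint chains is permitted), packets for no-endpoint services are accepted early in prerouting so they skip the remaining nat rules, and the reject happens in an input-hook chain. The filter-type `input` chain, the numeric priority and the early-accept rules are my assumptions; addresses and ports are reused from the quoted listing for illustration only.

```nft
# Added example following Phil's reply; not the original poster's ruleset.
table ip ipv4table {
	set no-endpoint-svc-ports {
		type inet_service
		elements = { 8080, 8989 }
	}
	set no-endpoint-svc-addrs {
		type ipv4_addr
		flags interval
		elements = { 10.1.1.1, 10.1.1.2 }
	}

	# Endpoint chains: only ever entered via jumps from the nat
	# prerouting base chain, which is why dnat is allowed here.
	chain svc1-endpoint-1 { ip protocol tcp dnat to 12.1.1.1:8080 }
	chain svc1-endpoint-2 { ip protocol tcp dnat to 12.1.1.2:8080 }
	chain svc2-endpoint-1 { ip protocol tcp dnat to 12.1.1.3:8090 }
	chain svc2-endpoint-2 { ip protocol tcp dnat to 12.1.1.4:8090 }

	# Per-service load balancing. numgen itself works in any chain;
	# the prerouting restriction comes from the dnat in the targets.
	chain svc1 {
		numgen random mod 2 vmap { 0 : jump svc1-endpoint-1, 1 : jump svc1-endpoint-2 }
	}
	chain svc2 {
		numgen random mod 2 vmap { 0 : jump svc2-endpoint-1, 1 : jump svc2-endpoint-2 }
	}

	chain prerouting {
		type nat hook prerouting priority -100; policy accept;
		# Early accept (assumed): a client of a service without
		# endpoints leaves prerouting here and goes straight to input.
		ip daddr @no-endpoint-svc-addrs tcp dport @no-endpoint-svc-ports accept
		ip daddr @no-endpoint-svc-addrs udp dport @no-endpoint-svc-ports accept
		# Dispatch to the per-service chains.
		ip daddr 1.1.1.1 tcp dport 88 jump svc1
		ip daddr 2.2.2.2 tcp dport 99 jump svc2
	}

	# reject is valid in the input/forward/output hooks, so the
	# rejection lives in a filter chain on the input hook (assumed).
	chain input {
		type filter hook input priority filter; policy accept;
		ip daddr @no-endpoint-svc-addrs tcp dport @no-endpoint-svc-ports reject with tcp reset
		ip daddr @no-endpoint-svc-addrs udp dport @no-endpoint-svc-ports reject with icmp type net-unreachable
	}
}
```

Dry-run the file with `nft -c -f ruleset.nft` before loading it with `nft -f`, so a chain-type or hook restriction shows up as a parse-time error rather than after a partial load.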
