From: sbezverk <sbezverk@gmail.com>
To: Florian Westphal <fw@strlen.de>
Cc: Phil Sutter <phil@nwl.cc>, netfilter-devel@vger.kernel.org
Subject: Re: load balancing between two chains
Date: Mon, 20 Jan 2020 17:07:49 -0500
Message-ID: <D2179763-BA51-4DA2-AA97-16CD2DA8FF2C@gmail.com>
In-Reply-To: <20200120220012.GH795@breakpoint.cc>
Here you go:
sbezverk@kube-4:~$ sudo nft --debug=netlink list ruleset
ip kube-nfproxy-v4 filter-input 23
[ ct load state => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00000008 ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000000 ]
[ immediate reg 0 jump -> k8s-filter-services ]
userdata = {
ip kube-nfproxy-v4 filter-input 24 23
[ immediate reg 0 jump -> k8s-filter-firewall ]
userdata = {
ip kube-nfproxy-v4 filter-output 27
[ ct load state => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00000008 ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000000 ]
[ immediate reg 0 jump -> k8s-filter-services ]
userdata = {
ip kube-nfproxy-v4 filter-output 28 27
[ immediate reg 0 jump -> k8s-filter-firewall ]
userdata = {
ip kube-nfproxy-v4 filter-forward 25
[ immediate reg 0 jump -> k8s-filter-forward ]
userdata = {
ip kube-nfproxy-v4 filter-forward 26 25
[ ct load state => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00000008 ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000000 ]
[ immediate reg 0 jump -> k8s-filter-services ]
userdata = {
ip kube-nfproxy-v4 k8s-filter-firewall 29
[ meta load mark => reg 1 ]
[ cmp eq reg 1 0x00008000 ]
[ immediate reg 0 drop ]
userdata = {
ip kube-nfproxy-v4 k8s-filter-services 35
[ payload load 1b @ network header + 9 => reg 1 ]
[ payload load 4b @ network header + 16 => reg 9 ]
[ payload load 2b @ transport header + 2 => reg 10 ]
[ lookup reg 1 set no-endpoints dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-filter-forward 30
[ ct load state => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00000001 ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000000 ]
[ immediate reg 0 drop ]
userdata = {
ip kube-nfproxy-v4 k8s-filter-forward 31 30
[ meta load mark => reg 1 ]
[ cmp eq reg 1 0x00004000 ]
[ immediate reg 0 accept ]
userdata = {
ip kube-nfproxy-v4 k8s-filter-forward 32 31
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x0000f0ff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00007039 ]
[ ct load state => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00000006 ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000000 ]
[ immediate reg 0 accept ]
userdata = {
ip kube-nfproxy-v4 k8s-filter-forward 33 32
[ payload load 4b @ network header + 16 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x0000f0ff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00007039 ]
[ ct load state => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00000006 ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000000 ]
[ immediate reg 0 accept ]
userdata = {
ip kube-nfproxy-v4 k8s-filter-do-reject 34
[ reject type 0 code 1 ]
userdata = {
ip kube-nfproxy-v4 nat-preroutin 36
[ immediate reg 0 jump -> k8s-nat-services ]
userdata = {
ip kube-nfproxy-v4 nat-output 37
[ immediate reg 0 jump -> k8s-nat-services ]
userdata = {
ip kube-nfproxy-v4 nat-postrouting 38
[ immediate reg 0 jump -> k8s-nat-postrouting ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-mark-drop 39
[ immediate reg 1 0x00008000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-do-mark-masq 47
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
[ immediate reg 0 return ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-mark-masq 48
[ payload load 1b @ network header + 9 => reg 1 ]
[ payload load 4b @ network header + 16 => reg 9 ]
[ payload load 2b @ transport header + 2 => reg 10 ]
[ lookup reg 1 set do-mark-masq dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-mark-masq 49 48
[ immediate reg 0 return ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-services 41
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x0000f0ff ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00007039 ]
[ immediate reg 0 jump -> k8s-nat-mark-masq ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-services 42 41
[ payload load 1b @ network header + 9 => reg 1 ]
[ payload load 4b @ network header + 16 => reg 9 ]
[ payload load 2b @ transport header + 2 => reg 10 ]
[ lookup reg 1 set cluster-ip dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-services 43 42
[ payload load 1b @ network header + 9 => reg 1 ]
[ payload load 4b @ network header + 16 => reg 9 ]
[ payload load 2b @ transport header + 2 => reg 10 ]
[ lookup reg 1 set external-ip dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-services 44 43
[ payload load 1b @ network header + 9 => reg 1 ]
[ payload load 4b @ network header + 16 => reg 9 ]
[ payload load 2b @ transport header + 2 => reg 10 ]
[ lookup reg 1 set loadbalancer-ip dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-services 45 44
[ fib daddr type => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ immediate reg 0 jump -> k8s-nat-nodeports ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-nodeports 46
[ payload load 1b @ network header + 9 => reg 1 ]
[ payload load 2b @ transport header + 2 => reg 9 ]
[ lookup reg 1 set nodeports dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nat-postrouting 40
[ meta load mark => reg 1 ]
[ cmp eq reg 1 0x00004000 ]
[ masq flags 0xc ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-Z2V2H34MNX3I6O2G 112
[ numgen reg 1 = inc mod 2 ]
[ lookup reg 1 set __map2 dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-Z2V2H34MNX3I6O2G 59 112
[ counter pkts 1 bytes 60 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-WTQR35QT3M6PVG5X 54
[ counter pkts 3 bytes 180 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-WTQR35QT3M6PVG5X 55 54
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x6850a8c0 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-WTQR35QT3M6PVG5X 56 55
[ immediate reg 1 0x6850a8c0 ]
[ immediate reg 2 0x00002b19 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-WTQR35QT3M6PVG5X 108 56
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-WTQR35QT3M6PVG5X 109 108
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x6850a8c0 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-WTQR35QT3M6PVG5X 110 109
[ immediate reg 1 0x6850a8c0 ]
[ immediate reg 2 0x00002b19 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-M53CN2XYVUHRQ7UB 170
[ numgen reg 1 = inc mod 3 ]
[ lookup reg 1 set __map5 dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-M53CN2XYVUHRQ7UB 76 170
[ counter pkts 4 bytes 240 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-PL4AZP3AKMRCVEEV 101
[ numgen reg 1 = inc mod 2 ]
[ lookup reg 1 set __map1 dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-PL4AZP3AKMRCVEEV 83 101
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-F3FYSUNEU5GRF2PR 67
[ counter pkts 156 bytes 9360 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-F3FYSUNEU5GRF2PR 68 67
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x27007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-F3FYSUNEU5GRF2PR 69 68
[ immediate reg 1 0x27007039 ]
[ immediate reg 2 0x0000911f ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-TMVEFT7EX55F4T62 71
[ counter pkts 3 bytes 180 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-TMVEFT7EX55F4T62 72 71
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x29007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-TMVEFT7EX55F4T62 73 72
[ immediate reg 1 0x29007039 ]
[ immediate reg 2 0x0000901f ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-UOK7V3LF34NNNXJK 78
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-UOK7V3LF34NNNXJK 79 78
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x29007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-UOK7V3LF34NNNXJK 80 79
[ immediate reg 1 0x29007039 ]
[ immediate reg 2 0x00009a1f ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-ZQKXCYOBISQCSH6Q 124
[ numgen reg 1 = inc mod 1 ]
[ lookup reg 1 set __map4 dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-ZQKXCYOBISQCSH6Q 125 124
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-GTJ7BFLUOQRCGMD5 88
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-GTJ7BFLUOQRCGMD5 89 88
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x34007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-GTJ7BFLUOQRCGMD5 90 89
[ immediate reg 1 0x34007039 ]
[ immediate reg 2 0x00001d23 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-MLOFX2HRWDMEIJ2C 138
[ numgen reg 1 = inc mod 2 ]
[ lookup reg 1 set __map6 dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-MLOFX2HRWDMEIJ2C 132 138
[ counter pkts 1597 bytes 126466 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-AB4FZJCEEYJGUR7G 97
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-AB4FZJCEEYJGUR7G 98 97
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x34007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-AB4FZJCEEYJGUR7G 99 98
[ immediate reg 1 0x34007039 ]
[ immediate reg 2 0x00002623 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-BKEZZE5BBBAFLJMD 151
[ numgen reg 1 = inc mod 2 ]
[ lookup reg 1 set __map7 dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-BKEZZE5BBBAFLJMD 145 151
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-XZFCNG333PM4X5VI 164
[ numgen reg 1 = inc mod 2 ]
[ lookup reg 1 set __map8 dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-XZFCNG333PM4X5VI 158 164
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-ALEQQYFAJOE576GL 117
[ numgen reg 1 = inc mod 1 ]
[ lookup reg 1 set __map0 dreg 0 0x0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-svc-ALEQQYFAJOE576GL 118 117
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-5CXJFIVYWUOH4QP5 120
[ counter pkts 1 bytes 60 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-5CXJFIVYWUOH4QP5 121 120
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x2f007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-5CXJFIVYWUOH4QP5 122 121
[ immediate reg 1 0x2f007039 ]
[ immediate reg 2 0x0000bb01 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-ZLBUKWY4CZE4VBQ6 127
[ counter pkts 1597 bytes 127401 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-ZLBUKWY4CZE4VBQ6 128 127
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x2a007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-ZLBUKWY4CZE4VBQ6 129 128
[ immediate reg 1 0x2a007039 ]
[ immediate reg 2 0x00003500 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-L7QM2ZN4KU2U3Y7S 134
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-L7QM2ZN4KU2U3Y7S 135 134
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x2b007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-L7QM2ZN4KU2U3Y7S 136 135
[ immediate reg 1 0x2b007039 ]
[ immediate reg 2 0x00003500 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-47JQSZ5IZC6OSGGT 140
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-47JQSZ5IZC6OSGGT 141 140
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x2a007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-47JQSZ5IZC6OSGGT 142 141
[ immediate reg 1 0x2a007039 ]
[ immediate reg 2 0x00003500 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-SLRAZLUBLWQJXVD6 147
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-SLRAZLUBLWQJXVD6 148 147
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x2b007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-SLRAZLUBLWQJXVD6 149 148
[ immediate reg 1 0x2b007039 ]
[ immediate reg 2 0x00003500 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-MDXSOI4QEYHXQ5TE 153
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-MDXSOI4QEYHXQ5TE 154 153
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x2a007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-MDXSOI4QEYHXQ5TE 155 154
[ immediate reg 1 0x2a007039 ]
[ immediate reg 2 0x0000c123 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-MQDIJAQHMGQYQDQC 160
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-MQDIJAQHMGQYQDQC 161 160
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x2b007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-MQDIJAQHMGQYQDQC 162 161
[ immediate reg 1 0x2b007039 ]
[ immediate reg 2 0x0000c123 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-23NTSA2UXPPQIPK4 166
[ counter pkts 0 bytes 0 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-23NTSA2UXPPQIPK4 167 166
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xffffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x35007039 ]
[ immediate reg 1 0x00004000 ]
[ meta set mark with reg 1 ]
userdata = {
ip kube-nfproxy-v4 k8s-nfproxy-sep-23NTSA2UXPPQIPK4 168 167
[ immediate reg 1 0x35007039 ]
[ immediate reg 2 0x00005322 ]
[ nat dnat ip addr_min reg 1 addr_max reg 1 proto_min reg 2 proto_max reg 2 flags 16]
userdata = {
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
}
chain forward {
type filter hook forward priority filter; policy accept;
}
chain output {
type filter hook output priority filter; policy accept;
}
}
table ip kube-nfproxy-v4 {
map no-endpoints {
type inet_proto . ipv4_addr . inet_service : verdict
}
map do-mark-masq {
type inet_proto . ipv4_addr . inet_service : verdict
elements = { tcp . 57.128.0.1 . 443 : jump k8s-nat-do-mark-masq,
tcp . 57.128.0.10 . 53 : jump k8s-nat-do-mark-masq,
tcp . 57.128.0.10 . 9153 : jump k8s-nat-do-mark-masq,
tcp . 57.139.80.125 . 8081 : jump k8s-nat-do-mark-masq,
tcp . 57.141.10.218 . 443 : jump k8s-nat-do-mark-masq,
tcp . 57.141.53.140 . 808 : jump k8s-nat-do-mark-masq,
tcp . 192.168.80.104 . 808 : jump k8s-nat-do-mark-masq,
udp . 57.128.0.10 . 53 : jump k8s-nat-do-mark-masq,
udp . 57.141.53.140 . 809 : jump k8s-nat-do-mark-masq,
udp . 192.168.80.104 . 809 : jump k8s-nat-do-mark-masq }
}
map cluster-ip {
type inet_proto . ipv4_addr . inet_service : verdict
elements = { tcp . 57.128.0.1 . 443 : jump k8s-nfproxy-svc-Z2V2H34MNX3I6O2G,
tcp . 57.128.0.10 . 53 : jump k8s-nfproxy-svc-BKEZZE5BBBAFLJMD,
tcp . 57.128.0.10 . 9153 : jump k8s-nfproxy-svc-XZFCNG333PM4X5VI,
tcp . 57.139.80.125 . 8081 : jump k8s-nfproxy-svc-ALEQQYFAJOE576GL,
tcp . 57.141.10.218 . 443 : jump k8s-nfproxy-svc-ZQKXCYOBISQCSH6Q,
tcp . 57.141.53.140 . 808 : jump k8s-nfproxy-svc-M53CN2XYVUHRQ7UB,
udp . 57.128.0.10 . 53 : jump k8s-nfproxy-svc-MLOFX2HRWDMEIJ2C,
udp . 57.141.53.140 . 809 : jump k8s-nfproxy-svc-PL4AZP3AKMRCVEEV }
}
map external-ip {
type inet_proto . ipv4_addr . inet_service : verdict
elements = { tcp . 192.168.80.104 . 808 : jump k8s-nfproxy-svc-M53CN2XYVUHRQ7UB,
udp . 192.168.80.104 . 809 : jump k8s-nfproxy-svc-PL4AZP3AKMRCVEEV }
}
map loadbalancer-ip {
type inet_proto . ipv4_addr . inet_service : verdict
}
map nodeports {
type inet_proto . inet_service : verdict
elements = { tcp . 30283 : jump k8s-nfproxy-svc-ALEQQYFAJOE576GL }
}
chain filter-input {
type filter hook input priority filter; policy accept;
ct state new jump k8s-filter-services comment ""
jump k8s-filter-firewall comment ""
}
chain filter-output {
type filter hook output priority filter; policy accept;
ct state new jump k8s-filter-services
jump k8s-filter-firewall comment ""
}
chain filter-forward {
type filter hook forward priority filter; policy accept;
jump k8s-filter-forward
ct state new jump k8s-filter-services comment ""
}
chain k8s-filter-firewall {
meta mark 0x00008000 drop
}
chain k8s-filter-services {
ip protocol . ip daddr . @th,16,16 vmap @no-endpoints
}
chain k8s-filter-forward {
ct state invalid drop
meta mark 0x00004000 accept comment ""
ip saddr 57.112.0.0/12 ct state established,related accept
ip daddr 57.112.0.0/12 ct state established,related accept
}
chain k8s-filter-do-reject {
reject with icmp type host-unreachable
}
chain nat-preroutin {
type nat hook prerouting priority filter; policy accept;
jump k8s-nat-services
}
chain nat-output {
type nat hook output priority filter; policy accept;
jump k8s-nat-services
}
chain nat-postrouting {
type nat hook postrouting priority filter; policy accept;
jump k8s-nat-postrouting comment ""
}
chain k8s-nat-mark-drop {
meta mark set 0x00008000
}
chain k8s-nat-do-mark-masq {
meta mark set 0x00004000 return
}
chain k8s-nat-mark-masq {
ip protocol . ip daddr . @th,16,16 vmap @do-mark-masq
return comment ""
}
chain k8s-nat-services {
ip saddr != 57.112.0.0/12 jump k8s-nat-mark-masq
ip protocol . ip daddr . @th,16,16 vmap @cluster-ip comment ""
ip protocol . ip daddr . @th,16,16 vmap @external-ip
ip protocol . ip daddr . @th,16,16 vmap @loadbalancer-ip
fib daddr type local jump k8s-nat-nodeports comment "2"
}
chain k8s-nat-nodeports {
ip protocol . @th,16,16 vmap @nodeports comment ""
}
chain k8s-nat-postrouting {
meta mark 0x00004000 masquerade random,persistent comment ""
}
chain k8s-nfproxy-svc-Z2V2H34MNX3I6O2G {
numgen inc mod 2 vmap { 0 : goto k8s-nfproxy-sep-WTQR35QT3M6PVG5X, 1 : goto k8s-nfproxy-sep-WTQR35QT3M6PVG5X }
counter packets 1 bytes 60 comment ""
}
chain k8s-nfproxy-fw-Z2V2H34MNX3I6O2G {
}
chain k8s-nfproxy-xlb-Z2V2H34MNX3I6O2G {
}
chain k8s-nfproxy-sep-WTQR35QT3M6PVG5X {
counter packets 3 bytes 180 comment ""
ip saddr 192.168.80.104 meta mark set 0x00004000 comment ""
dnat to 192.168.80.104:6443 fully-random
counter packets 0 bytes 0
ip saddr 192.168.80.104 meta mark set 0x00004000 comment ""
dnat to 192.168.80.104:6443 fully-random comment ""
}
chain k8s-nfproxy-svc-M53CN2XYVUHRQ7UB {
numgen inc mod 3 vmap { 0 : goto k8s-nfproxy-sep-TMVEFT7EX55F4T62, 1 : goto k8s-nfproxy-sep-GTJ7BFLUOQRCGMD5, 2 : goto k8s-nfproxy-sep-23NTSA2UXPPQIPK4 }
counter packets 4 bytes 240 comment ""
}
chain k8s-nfproxy-fw-M53CN2XYVUHRQ7UB {
}
chain k8s-nfproxy-xlb-M53CN2XYVUHRQ7UB {
}
chain k8s-nfproxy-svc-PL4AZP3AKMRCVEEV {
numgen inc mod 2 vmap { 0 : goto k8s-nfproxy-sep-UOK7V3LF34NNNXJK, 1 : goto k8s-nfproxy-sep-AB4FZJCEEYJGUR7G }
counter packets 0 bytes 0 comment ""
}
chain k8s-nfproxy-fw-PL4AZP3AKMRCVEEV {
}
chain k8s-nfproxy-xlb-PL4AZP3AKMRCVEEV {
}
chain k8s-nfproxy-sep-F3FYSUNEU5GRF2PR {
counter packets 156 bytes 9360 comment ""
ip saddr 57.112.0.39 meta mark set 0x00004000 comment ""
dnat to 57.112.0.39:8081 fully-random
}
chain k8s-nfproxy-sep-TMVEFT7EX55F4T62 {
counter packets 3 bytes 180 comment ""
ip saddr 57.112.0.41 meta mark set 0x00004000 comment ""
dnat to 57.112.0.41:8080 fully-random
}
chain k8s-nfproxy-sep-UOK7V3LF34NNNXJK {
counter packets 0 bytes 0 comment ""
ip saddr 57.112.0.41 meta mark set 0x00004000 comment ""
dnat to 57.112.0.41:8090 fully-random
}
chain k8s-nfproxy-svc-ZQKXCYOBISQCSH6Q {
numgen inc mod 1 vmap { 0 : goto k8s-nfproxy-sep-5CXJFIVYWUOH4QP5 } comment ""
counter packets 0 bytes 0 comment ""
}
chain k8s-nfproxy-fw-ZQKXCYOBISQCSH6Q {
}
chain k8s-nfproxy-xlb-ZQKXCYOBISQCSH6Q {
}
chain k8s-nfproxy-sep-GTJ7BFLUOQRCGMD5 {
counter packets 0 bytes 0 comment ""
ip saddr 57.112.0.52 meta mark set 0x00004000 comment ""
dnat to 57.112.0.52:8989 fully-random
}
chain k8s-nfproxy-svc-MLOFX2HRWDMEIJ2C {
numgen inc mod 2 vmap { 0 : goto k8s-nfproxy-sep-ZLBUKWY4CZE4VBQ6, 1 : goto k8s-nfproxy-sep-L7QM2ZN4KU2U3Y7S }
counter packets 1597 bytes 126466 comment ""
}
chain k8s-nfproxy-fw-MLOFX2HRWDMEIJ2C {
}
chain k8s-nfproxy-xlb-MLOFX2HRWDMEIJ2C {
}
chain k8s-nfproxy-sep-AB4FZJCEEYJGUR7G {
counter packets 0 bytes 0 comment ""
ip saddr 57.112.0.52 meta mark set 0x00004000 comment ""
dnat to 57.112.0.52:8998 fully-random
}
chain k8s-nfproxy-svc-BKEZZE5BBBAFLJMD {
numgen inc mod 2 vmap { 0 : goto k8s-nfproxy-sep-47JQSZ5IZC6OSGGT, 1 : goto k8s-nfproxy-sep-SLRAZLUBLWQJXVD6 }
counter packets 0 bytes 0 comment ""
}
chain k8s-nfproxy-fw-BKEZZE5BBBAFLJMD {
}
chain k8s-nfproxy-xlb-BKEZZE5BBBAFLJMD {
}
chain k8s-nfproxy-svc-XZFCNG333PM4X5VI {
numgen inc mod 2 vmap { 0 : goto k8s-nfproxy-sep-MDXSOI4QEYHXQ5TE, 1 : goto k8s-nfproxy-sep-MQDIJAQHMGQYQDQC }
counter packets 0 bytes 0 comment ""
}
chain k8s-nfproxy-fw-XZFCNG333PM4X5VI {
}
chain k8s-nfproxy-xlb-XZFCNG333PM4X5VI {
}
chain k8s-nfproxy-svc-ALEQQYFAJOE576GL {
numgen inc mod 1 vmap { 0 : goto k8s-nfproxy-sep-F3FYSUNEU5GRF2PR } comment ""
counter packets 0 bytes 0 comment ""
}
chain k8s-nfproxy-fw-ALEQQYFAJOE576GL {
}
chain k8s-nfproxy-xlb-ALEQQYFAJOE576GL {
}
chain k8s-nfproxy-sep-5CXJFIVYWUOH4QP5 {
counter packets 1 bytes 60 comment ""
ip saddr 57.112.0.47 meta mark set 0x00004000 comment ""
dnat to 57.112.0.47:443 fully-random
}
chain k8s-nfproxy-sep-ZLBUKWY4CZE4VBQ6 {
counter packets 1597 bytes 127401 comment ""
ip saddr 57.112.0.42 meta mark set 0x00004000 comment ""
dnat to 57.112.0.42:53 fully-random
}
chain k8s-nfproxy-sep-L7QM2ZN4KU2U3Y7S {
counter packets 0 bytes 0 comment ""
ip saddr 57.112.0.43 meta mark set 0x00004000 comment ""
dnat to 57.112.0.43:53 fully-random
}
chain k8s-nfproxy-sep-47JQSZ5IZC6OSGGT {
counter packets 0 bytes 0 comment ""
ip saddr 57.112.0.42 meta mark set 0x00004000 comment ""
dnat to 57.112.0.42:53 fully-random
}
chain k8s-nfproxy-sep-SLRAZLUBLWQJXVD6 {
counter packets 0 bytes 0 comment ""
ip saddr 57.112.0.43 meta mark set 0x00004000 comment ""
dnat to 57.112.0.43:53 fully-random
}
chain k8s-nfproxy-sep-MDXSOI4QEYHXQ5TE {
counter packets 0 bytes 0 comment ""
ip saddr 57.112.0.42 meta mark set 0x00004000 comment ""
dnat to 57.112.0.42:9153 fully-random
}
chain k8s-nfproxy-sep-MQDIJAQHMGQYQDQC {
counter packets 0 bytes 0 comment ""
ip saddr 57.112.0.43 meta mark set 0x00004000 comment ""
dnat to 57.112.0.43:9153 fully-random
}
chain k8s-nfproxy-sep-23NTSA2UXPPQIPK4 {
counter packets 0 bytes 0 comment ""
ip saddr 57.112.0.53 meta mark set 0x00004000 comment ""
dnat to 57.112.0.53:8787 fully-random
}
}
table ip6 kube-nfproxy-v6 {
}
sbezverk@kube-4:~$
On 2020-01-20, 5:00 PM, "Florian Westphal" <fw@strlen.de> wrote:
sbezverk <sbezverk@gmail.com> wrote:
> Numgen has GOTO directive and not Jump (Phil asked to change it), I thought it means after hitting any chains in numgen the processing will go back to service chain, no?
>
> It is Ubuntu 18.04
>
> sbezverk@kube-4:~$ uname -a
> Linux kube-4 5.4.10-050410-generic #202001091038 SMP Thu Jan 9 10:41:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
> sbezverk@kube-4:~$ sudo nft --version
> nftables v0.9.1 (Headless Horseman)
> sbezverk@kube-4:~$
>
> I also want to remind you that I do NOT use nft cli to program rules, I use nft cli just to see resulting rules.
In that case, please include "nft --debug=netlink list ruleset".
It would also be good to check if things work when you add it via nft
tool.
> >
> > chain k8s-nfproxy-svc-M53CN2XYVUHRQ7UB {
> > numgen inc mod 2 vmap { 0 : goto k8s-nfproxy-sep-TMVEFT7EX55F4T62, 1 : goto k8s-nfproxy-sep-GTJ7BFLUOQRCGMD5 }
> > counter packets 1 bytes 60 comment ""
> > }
Just to clarify, the "goto" means that the "counter" should NEVER
increment here because nft interpreter returns to the chain that had
"jump k8s-nfproxy-svc-M53CN2XYVUHRQ7UB".
jump and goto do the same thing except that goto doesn't record the
location/chain to return to.
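The jump/goto distinction Florian describes above is the whole story behind the zero counter in the svc chains, and it is easy to model. The following is an added example, not code from this thread or from the nfproxy project: a small Python model of the nftables rule walk in which `jump` records a return point and `goto` does not, built from the chain names, cluster IP and endpoints in the listing above. The model is a simplification (dnat is a destination rewrite that falls through, and only the one cluster-ip map element needed for the walk is included); the function names and the `trace` bookkeeping are assumptions of the example, not nft features.

```python
"""Model of the nftables rule walk: why a counter placed after
`numgen inc mod N vmap { 0 : goto a, 1 : goto b }` never increments.
Added example; not code from the thread or the nfproxy project."""
from typing import Callable, Dict, List, Optional, Tuple

Verdict = Optional[Tuple]          # None means fall through to the next rule
Rule = Callable[[dict], Verdict]


class Ruleset:
    """Chains are rule lists. A rule returns None or a verdict tuple:
    ("jump", chain), ("goto", chain), ("return",), ("accept",), ("drop",)."""

    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {}
        self.counters: Dict[str, int] = {}
        self.numgen_state: Dict[str, int] = {}
        self.trace: List[str] = []     # chains entered, "<-x" = returned to x

    def counter(self, name: str) -> Rule:
        """`counter` statement: increment and fall through."""
        self.counters[name] = 0

        def rule(pkt: dict) -> Verdict:
            self.counters[name] += 1
            return None
        return rule

    def numgen_vmap(self, name: str, verdicts: List[Tuple]) -> Rule:
        """`numgen inc mod N vmap { ... }`: round-robin verdict selection."""
        def rule(pkt: dict) -> Verdict:
            i = self.numgen_state.get(name, 0)
            self.numgen_state[name] = (i + 1) % len(verdicts)
            return verdicts[i]
        return rule

    @staticmethod
    def dnat(ip: str, port: int) -> Rule:
        """`dnat to ip:port` (simplified): rewrite destination, fall through."""
        def rule(pkt: dict) -> Verdict:
            pkt["dnat"] = (ip, port)
            return None
        return rule

    def walk(self, base_chain: str, pkt: dict, policy: str = "accept") -> str:
        """Evaluate one packet. `jump` pushes a return point, `goto` does not;
        the end of a chain (or `return`) pops the most recent return point."""
        stack: List[Tuple[str, int]] = []
        name, idx = base_chain, 0
        self.trace.append(name)
        while True:
            rules = self.chains[name]
            if idx >= len(rules):
                verdict: Tuple = ("return",)      # implicit return at chain end
            else:
                verdict = rules[idx](pkt)
                idx += 1
                if verdict is None:
                    continue
            kind = verdict[0]
            if kind in ("jump", "goto"):
                if kind == "jump":
                    stack.append((name, idx))    # goto skips this
                name, idx = verdict[1], 0
                self.trace.append(name)
            elif kind == "return":
                if not stack:
                    return policy                # base chain exhausted
                name, idx = stack.pop()
                self.trace.append("<-" + name)
            else:
                return kind                      # accept / drop


# Names and endpoints taken from the listing in the thread.
SVC = "k8s-nfproxy-svc-M53CN2XYVUHRQ7UB"
SEPS = [("k8s-nfproxy-sep-TMVEFT7EX55F4T62", "57.112.0.41", 8080),
        ("k8s-nfproxy-sep-GTJ7BFLUOQRCGMD5", "57.112.0.52", 8989),
        ("k8s-nfproxy-sep-23NTSA2UXPPQIPK4", "57.112.0.53", 8787)]
CLUSTER_IP = ("57.141.53.140", 808)   # tcp . 57.141.53.140 . 808 : jump SVC


def build(sep_verdict: str) -> Ruleset:
    """sep_verdict is "goto" (as in the thread) or "jump" (for comparison)."""
    rs = Ruleset()
    rs.chains["nat-prerouting"] = [lambda p: ("jump", "k8s-nat-services")]
    rs.chains["k8s-nat-services"] = [
        lambda p: ("jump", SVC) if p["dst"] == CLUSTER_IP else None]
    rs.chains[SVC] = [
        rs.numgen_vmap(SVC, [(sep_verdict, sep) for sep, _, _ in SEPS]),
        rs.counter(SVC)]              # the counter that stays at 0 with goto
    for sep, ip, port in SEPS:
        rs.chains[sep] = [rs.counter(sep), Ruleset.dnat(ip, port)]
    return rs


def simulate(sep_verdict: str, n_packets: int) -> Dict[str, int]:
    """Send n_packets to the cluster IP; return the per-chain counters."""
    rs = build(sep_verdict)
    for _ in range(n_packets):
        rs.walk("nat-prerouting", {"dst": CLUSTER_IP})
    return dict(rs.counters)


def targets(sep_verdict: str, n_packets: int) -> List[Tuple[str, int]]:
    """Return the dnat endpoint chosen for each packet (round robin)."""
    rs = build(sep_verdict)
    out = []
    for _ in range(n_packets):
        pkt = {"dst": CLUSTER_IP}
        rs.walk("nat-prerouting", pkt)
        out.append(pkt["dnat"])
    return out


def walk_trace(sep_verdict: str) -> List[str]:
    """Chains entered and returned to for a single packet."""
    rs = build(sep_verdict)
    rs.walk("nat-prerouting", {"dst": CLUSTER_IP})
    return rs.trace


if __name__ == "__main__":
    for kind in ("goto", "jump"):
        print(kind, simulate(kind, 6), walk_trace(kind))
```

With `goto`, the sep chain's implicit return pops straight back to `k8s-nat-services`, the chain that jumped to the svc chain, so the svc counter is never reached and stays at 0 while the sep counters and dnat targets still rotate across the three endpoints; with `jump`, the return lands on the rule after the vmap and the svc counter matches the packet count.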