Linux Netfilter discussions
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Volodymyr Litovka <doka@funlab.cc>
Cc: netfilter@vger.kernel.org
Subject: Re: nftables / DHCP / NAT
Date: Mon, 30 Oct 2023 17:40:11 +0100
Message-ID: <ZT/ca933Lkqlakx1@calendula>
In-Reply-To: <54fda956-92bd-4c14-b0e5-29445b53f04a@funlab.cc>

On Mon, Oct 30, 2023 at 12:57:52PM +0100, Volodymyr Litovka wrote:
[...]
> the basic idea of this construction is to use later load balancing
> (https://wiki.nftables.org/wiki-nftables/index.php/Load_balancing) between
> multiple destinations
>
[...]
>
> so on the first step (netdev) I'm setting dst mac to local (so packet will
> not be dropped as "alien", because I receive on this box mirrored (SPAN)
> traffic, where dst mac is not this box) and then load-balance it between
> multiple destinations using NAT/LB. As far as I understand, 'fwd' is for
> forwarding to a single destination.

You do not need to pass up packets to the IP stack for this purpose
and use stateful NAT; it makes things complicated.

You can combine the fwd statement with the numgen expression:

           ... fwd ip to numgen inc mod 2 map { \
                               0 : 192.168.10.100, \
                               1 : 192.168.10.110 } device "enp0s25"

This performs round-robin packet distribution over the two destination
IP addresses.

So the example in the wiki above also works fine for the fwd
statement.

If you would like to perform flow-based load balancing, you need to
create a dynamic set and store what destination IP address is used for
a given IP source for persistency.
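Both variants of the reply as one complete netdev ruleset, added here as an example and not taken from the thread or the nftables project. It assumes the mirrored (SPAN) traffic arrives on "eth0" (name assumed) and leaves through "enp0s25" towards the two backends named above; for the flow-persistent case it uses the jhash expression, a stateless hash of the source address, instead of the dynamic set the reply suggests.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumptions: the mirrored (SPAN)
# traffic arrives on "eth0" (name assumed); copies leave through "enp0s25"
# towards the two backends from the reply, 192.168.10.100 and 192.168.10.110.
# Load with: nft -f lb.nft    Verify with: nft list table netdev lb

table netdev lb {
    chain ingress {
        # Ingress hook on the mirror port: frames are handled here before
        # the IP stack sees them, so no conntrack, NAT or dst MAC rewrite
        # is involved. The layer-3 fwd variant resolves the backend's MAC
        # on the egress device itself.
        type filter hook ingress device "eth0" priority 0; policy accept;

        # Datagrams: per-packet round robin. numgen inc is a global
        # counter, so consecutive packets alternate between backends
        # even when they belong to the same flow. The counter lets you
        # confirm traffic is actually being distributed.
        ip protocol udp counter \
            fwd ip to numgen inc mod 2 map { 0 : 192.168.10.100, 1 : 192.168.10.110 } device "enp0s25"

        # TCP: pin every packet from a client to one backend so a stateful
        # consumer behind it (IDS, stream reassembly) sees whole streams
        # instead of alternating halves of each connection. jhash is
        # deterministic per source address, so no per-flow state is kept;
        # this stands in for the dynamic-set approach in the reply
        # (assumption: hashing on the source alone is enough persistence).
        ip protocol tcp counter \
            fwd ip to jhash ip saddr mod 2 map { 0 : 192.168.10.100, 1 : 192.168.10.110 } device "enp0s25"

        # Anything else (ARP, IPv6, ...) falls through to the normal stack.
    }
}
```

The two `counter` values from `nft list table netdev lb` should grow roughly evenly for UDP and stay skewed per client for TCP, which is the quickest way to tell the two distribution modes apart.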
