>> Add translation for cluster to nft
>>
>> $ sudo iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed
>> 0xdeadbeef -j MARK --set-mark 0xffff
>>
>> nft add rule ip mangle PREROUTING iifname eth1 ct state {new,established, related, untracked} ct direction original mark set jhash ip saddr mod 2 seed 0xdeadbeef offset 1 counter meta mark set 0xffff
>
> Can you explain why ct expression is needed in this way?
ct original is to get original direction
After your explanation,
i realised adding "ct state {new,established, related, untracked}" was mistake.
> afaics translation would be (untested):
>
> nft add rule ip mangle PREROUTING iifname eth1 mark set jhash ct saddr mod 2 seed 0xdeadbeef offset 1 counter meta mark set 0xffff fib saddr type multicast meta pkttype set host
>
> we might need to implement "ct master-saddr" to deal with ct->master use
> in xt_cluster as well, but we could do that later as a followup.
> fib saddr type is needed to not set real mutlicast traffic to unicast
> type and only catch l3-unicast-in-l2-multicast.
Thanks a lot for explanation.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
