Re: Operation not supported when adding jump command

OK, I guess I will work around it by using input and output chain types, even though it will raise some eyebrows in the k8s networking community.

I have a second issue I am struggling to solve with nftables. Here is a service exposed on TCP port 80 which has 2 corresponding backends listening on container port 8080.

#
# Backend 1
#
-A KUBE-SEP-FS3FUULGZPVD4VYB -s 57.112.0.247/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-FS3FUULGZPVD4VYB -p tcp -m tcp -j DNAT --to-destination 57.112.0.247:8080
#
# Backend 2
#
-A KUBE-SEP-MMFZROQSLQ3DKOQA -s 57.112.0.248/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-MMFZROQSLQ3DKOQA -p tcp -m tcp -j DNAT --to-destination 57.112.0.248:8080
#
# Service
#
-A KUBE-SERVICES -d 57.142.221.21/32 -p tcp -m comment --comment "default/app:http-web cluster IP" -m tcp --dport 80 -j KUBE-SVC-57XVOCFNTLTR3Q27
#
# Load balancing between 2 backends
#
-A KUBE-SVC-57XVOCFNTLTR3Q27 -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-FS3FUULGZPVD4VYB
-A KUBE-SVC-57XVOCFNTLTR3Q27 -j KUBE-SEP-MMFZROQSLQ3DKOQA

I am looking for the nftables equivalent of the load balancing part. Also, in this case there is a double DNAT translation: the destination port from 80 to 8080, and the destination IP to 57.112.0.247 or 57.112.0.248.
Can it be expressed in a single nft dnat statement with vmaps or sets?

Thank you
Serguei


On 2019-11-26, 10:53 AM, "n0-1@xxxxxxxxxxxxx on behalf of Phil Sutter" <phil@xxxxxx> wrote:

    Hi Serguei,
    
    On Tue, Nov 26, 2019 at 03:47:49PM +0000, Serguei Bezverkhi (sbezverk) wrote:
    > I totally get it that it is not possible in theory, but the matter of fact is in kubernetes somehow it works, maybe in some cases this check is not enforced, I do not know. If you are interested to investigate it further, please let me know as I said I have a cluster with these 2 rules configured.
    
    In another case I noticed that user-defined chains are a way to
    circumvent these types of functional restrictions. Whether that's good or
    bad is up to you to decide. ;)
    
    Regarding the desired functionality, I guess you're wandering the
    sinkhole-filled plains of undefined behaviour.
    
    Cheers, Phil
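As an added example (not from the original post and not kube-proxy's own code), here is one way to write the service above as an nftables ruleset. The table and chain names are illustrative, and the 0x4000 masquerade mark is an assumption made for the illustration; the thread does not state which mark KUBE-MARK-MASQ sets.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post or from kube-proxy.
# Load with: nft -f kube-svc.nft    Inspect with: nft list table ip kube_proxy
# Assumptions: table/chain names are illustrative; 0x4000 is the mark used
# to request masquerading (not stated in the thread).

# Make the file idempotent: (re)create the table instead of appending rules.
add table ip kube_proxy
delete table ip kube_proxy

table ip kube_proxy {
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		jump services
	}

	# Locally generated traffic (e.g. a host-network process) must see the
	# same service rules, hence a second base chain on the output hook.
	chain output {
		type nat hook output priority dstnat; policy accept;
		jump services
	}

	# KUBE-SERVICES as a verdict map keyed on cluster IP . port.
	# Adding a service is one more map element, not another linear rule.
	# default/app:http-web cluster IP
	chain services {
		ip daddr . tcp dport vmap { 57.142.221.21 . 80 : jump svc_57XVOCFNTLTR3Q27 }
	}

	# KUBE-SVC-...: numgen random mod 2 yields 0 or 1 for each new connection,
	# so the verdict map replaces the -m statistic --probability 0.5 rule plus
	# the fall-through rule. For N backends use "mod N" with N elements; no
	# per-rule probability arithmetic is needed.
	chain svc_57XVOCFNTLTR3Q27 {
		numgen random mod 2 vmap { 0 : jump sep_FS3FUULGZPVD4VYB, 1 : jump sep_MMFZROQSLQ3DKOQA }
	}

	# KUBE-SEP-...: hairpin detection (a backend reaching its own service)
	# sets the masquerade mark, then DNAT to pod IP:container port.
	chain sep_FS3FUULGZPVD4VYB {
		ip saddr 57.112.0.247 meta mark set meta mark | 0x4000
		dnat to 57.112.0.247:8080
	}

	chain sep_MMFZROQSLQ3DKOQA {
		ip saddr 57.112.0.248 meta mark set meta mark | 0x4000
		dnat to 57.112.0.248:8080
	}

	# Consumer of the mark: marked connections are SNATed on the way out.
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		meta mark & 0x4000 == 0x4000 masquerade
	}
}

# The whole address+port choice can also be a single dnat statement, e.g.
#   dnat ip addr . port to numgen random mod 2 map { 0 : 57.112.0.247 . 8080, 1 : 57.112.0.248 . 8080 }
# This needs an nftables/kernel that supports concatenated address . port
# NAT maps (nftables 0.9.4 / Linux 5.6 or later, to my knowledge), and it
# drops the per-backend hairpin mark, which would then have to be set
# separately before the dnat.
```

The per-endpoint chains are kept on purpose: they preserve the KUBE-MARK-MASQ semantics (mark only when the source is the backend that was actually chosen), and a verdict map keyed on numgen is the direct analogue of the probability-weighted jump pair, so the structure maps one-to-one onto the iptables rules while staying easy to diff against them.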
    




