Hi,

On Tue, Nov 26, 2019 at 06:47:09PM +0000, Serguei Bezverkhi (sbezverk) wrote:
> Ok, I guess I will work around by using input and output chain types, even though it will raise some brows in the k8s networking community.
>
> I have a second issue I am struggling to solve with nftables. Here is a service exposed for tcp port 80 which has 2 corresponding backends listening on a container port 8080.
>
> !
> ! Backend 1
> !
> -A KUBE-SEP-FS3FUULGZPVD4VYB -s 57.112.0.247/32 -j KUBE-MARK-MASQ
> -A KUBE-SEP-FS3FUULGZPVD4VYB -p tcp -m tcp -j DNAT --to-destination 57.112.0.247:8080
> !
> ! Backend 2
> !
> -A KUBE-SEP-MMFZROQSLQ3DKOQA -s 57.112.0.248/32 -j KUBE-MARK-MASQ
> -A KUBE-SEP-MMFZROQSLQ3DKOQA -p tcp -m tcp -j DNAT --to-destination 57.112.0.248:8080
> !
> ! Service
> !
> -A KUBE-SERVICES -d 57.142.221.21/32 -p tcp -m comment --comment "default/app:http-web cluster IP" -m tcp --dport 80 -j KUBE-SVC-57XVOCFNTLTR3Q27
> !
> ! Load balancing between 2 backends
> !
> -A KUBE-SVC-57XVOCFNTLTR3Q27 -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-FS3FUULGZPVD4VYB
> -A KUBE-SVC-57XVOCFNTLTR3Q27 -j KUBE-SEP-MMFZROQSLQ3DKOQA
>
> I am looking for the nftables equivalent for the load balancing part, and also in this case there is a double dnat translation: destination port from 80 to 8080 and destination IP to 57.112.0.247 or 57.112.0.248.
> Can it be expressed in a single nft dnat statement with vmaps or sets?

Regarding xt_statistic replacement, I once identified the equivalent of
'-m statistic --mode random --probability 0.5' would be 'numgen random
mod 0x2 < 0x1'.

Keeping both target address and port in a single map for *NAT statements
is not possible AFAIK. If I'm not mistaken, you might be able to hook up
a vmap together with the numgen expression above like so:

| numgen random mod 0x2 vmap { \
|         0x0: jump KUBE-SEP-FS3FUULGZPVD4VYB, \
|         0x1: jump KUBE-SEP-MMFZROQSLQ3DKOQA }

Pure speculation, though. :)

Cheers,
Phil
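A complete nft ruleset that carries the sketch above through for the quoted iptables rules, as an added example that is not part of the thread: the numgen vmap replaces xt_statistic, and each backend chain keeps its own dnat statement carrying both the new address and the new port. Assumed, not from the thread: the table name kube-proxy, the mark bit 0x4000 that stands in for KUBE-MARK-MASQ, and a postrouting chain that masquerades packets carrying that mark.

```nft
table ip kube-proxy {
	# Stand-in for KUBE-MARK-MASQ: set a mark bit that the postrouting
	# chain below turns into masquerade (0x4000 is an assumed value).
	chain KUBE-MARK-MASQ {
		meta mark set meta mark or 0x4000
	}
	# Backend 1: mark hairpin traffic from the pod itself, then rewrite
	# the destination address and port in one dnat statement.
	chain KUBE-SEP-FS3FUULGZPVD4VYB {
		ip saddr 57.112.0.247 jump KUBE-MARK-MASQ
		meta l4proto tcp dnat to 57.112.0.247:8080
	}
	# Backend 2
	chain KUBE-SEP-MMFZROQSLQ3DKOQA {
		ip saddr 57.112.0.248 jump KUBE-MARK-MASQ
		meta l4proto tcp dnat to 57.112.0.248:8080
	}
	# Load balancing: numgen random mod 2 yields 0 or 1 with equal
	# probability (the "-m statistic --mode random --probability 0.5"
	# replacement) and the vmap jumps to the matching backend chain.
	chain KUBE-SVC-57XVOCFNTLTR3Q27 {
		numgen random mod 2 vmap {
			0 : jump KUBE-SEP-FS3FUULGZPVD4VYB,
			1 : jump KUBE-SEP-MMFZROQSLQ3DKOQA
		}
	}
	# Service: cluster IP 57.142.221.21 port 80 -> per-service chain.
	chain KUBE-SERVICES {
		ip daddr 57.142.221.21 tcp dport 80 jump KUBE-SVC-57XVOCFNTLTR3Q27 comment "default/app:http-web cluster IP"
	}
	# Base chains: the iptables nat table reaches KUBE-SERVICES from both
	# PREROUTING and OUTPUT, so DNAT applies to forwarded and locally
	# generated traffic alike (priority -100 is the iptables nat DNAT slot).
	chain prerouting {
		type nat hook prerouting priority -100; policy accept;
		jump KUBE-SERVICES
	}
	chain output {
		type nat hook output priority -100; policy accept;
		jump KUBE-SERVICES
	}
	# Masquerade only what KUBE-MARK-MASQ tagged (priority 100 = SNAT slot).
	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
		meta mark & 0x4000 == 0x4000 masquerade
	}
}
```

Load it with `nft -f` and compare the resulting `nft list ruleset` against the iptables-save output above chain by chain; the per-backend dnat keeps address and port together without needing a single combined map.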