Hi,

On Tue, Nov 26, 2019 at 09:20:20PM +0000, Serguei Bezverkhi (sbezverk) wrote:
> It almost worked ( Check this out:
> sudo nft list table ipv4table
> table ip ipv4table {
> 	set no-endpoint-svc-ports {
> 		type inet_service
> 		elements = { 8080, 8989 }
> 	}
>
> 	set no-endpoint-svc-addrs {
> 		type ipv4_addr
> 		flags interval
> 		elements = { 10.1.1.1, 10.1.1.2 }
> 	}
>
> 	chain input-net {
> 		type nat hook input priority filter; policy accept;
> 		jump services
> 	}
>
> 	chain input-local {
> 		type nat hook output priority filter; policy accept;
> 		jump services
> 	}
>
> 	chain services {
> 		ip daddr @no-endpoint-svc-addrs tcp dport @no-endpoint-svc-ports reject with tcp reset
> 		ip daddr @no-endpoint-svc-addrs udp dport @no-endpoint-svc-ports reject with icmp type net-unreachable
> 	}
>
> 	chain svc1-endpoint-1 {
> 		ip protocol tcp dnat to 12.1.1.1:8080
> 	}
>
> 	chain svc1-endpoint-2 {
> 		ip protocol tcp dnat to 12.1.1.2:8080
> 	}
>
> 	chain svc2-endpoint-1 {
> 		ip protocol tcp dnat to 12.1.1.3:8090
> 	}
>
> 	chain svc2-endpoint-2 {
> 		ip protocol tcp dnat to 12.1.1.4:8090
> 	}
>
> 	chain svc1 {
> 	}
>
> 	chain svc2 {
> 	}
>
> 	chain prerouting {
> 		type nat hook prerouting priority filter; policy accept;
> 		ip daddr 1.1.1.1 tcp dport 88 numgen random mod 2 vmap { 0 : jump svc1-endpoint-1, 1 : jump svc1-endpoint-2 }
> 		ip daddr 2.2.2.2 tcp dport 99 numgen random mod 2 vmap { 0 : jump svc2-endpoint-1, 1 : jump svc2-endpoint-2 }
> 	}
> }
>
> Ideally I need to apply this rule "numgen random mod 2 vmap { 0 : jump svc1-endpoint-1, 1 : jump svc1-endpoint-2 }" to the svc1 and svc2 chains to load-balance between the services' endpoints, but when I do that it fails with "Unsupported operation".
> In contrast, it lets me apply this rule to the prerouting chain.

I don't see where you jump to svc1/svc2, so this is a bit of guesswork. Anyway, please keep in mind that dnat is only supported from nat (and prerouting or output).
> This split support of reject in input/forward/output and numgen only in prerouting is not ideal, as a packet from a client of a service without a registered endpoint will need to go through all checks in the prerouting chain before it reaches the input chain and gets its reject back.

As said, it is dnat which is limited to prerouting. Numgen itself works everywhere. If there is a known criterion identifying a client without a registered endpoint, you could match on that and 'accept' early in prerouting. This will make the packet go to input/forward directly without traversing the remaining prerouting rules.

Cheers, Phil
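Editor's note: the ruleset below is an added example, not code from Serguei's post or from Phil's reply. It lays the posted ruleset out the way Phil's reply suggests: numgen vmaps live in the svc1/svc2 chains, those chains are only ever reached from the nat prerouting chain (so the dnat they lead to is valid), clients of services without endpoints are accepted early in prerouting, and the reject sits in a filter-type input chain. Addresses, ports, set names and chain names are taken from the posted ruleset; the `jump svc1`/`jump svc2` rules, the single filter-type input chain replacing input-net/input-local, and the dstnat priority are assumptions made for the example.

```nft
# Added example for the thread above, not the poster's or the reply's own ruleset.
# Addresses, ports, sets and chain names come from the posted ruleset; the
# jumps to svc1/svc2, the filter-type input chain and the dstnat priority
# are assumptions.
table ip ipv4table {
	set no-endpoint-svc-ports {
		type inet_service
		elements = { 8080, 8989 }
	}

	set no-endpoint-svc-addrs {
		type ipv4_addr
		flags interval
		elements = { 10.1.1.1, 10.1.1.2 }
	}

	# Per-endpoint targets. dnat is only valid in chains reached from a
	# nat-type base chain on the prerouting (or output) hook.
	chain svc1-endpoint-1 {
		ip protocol tcp dnat to 12.1.1.1:8080
	}
	chain svc1-endpoint-2 {
		ip protocol tcp dnat to 12.1.1.2:8080
	}
	chain svc2-endpoint-1 {
		ip protocol tcp dnat to 12.1.1.3:8090
	}
	chain svc2-endpoint-2 {
		ip protocol tcp dnat to 12.1.1.4:8090
	}

	# numgen is not restricted to prerouting; the restriction is on the dnat
	# these vmaps jump to. Keeping svc1/svc2 reachable only from the nat
	# prerouting chain is what makes the rules load.
	chain svc1 {
		numgen random mod 2 vmap { 0 : jump svc1-endpoint-1, 1 : jump svc1-endpoint-2 }
	}
	chain svc2 {
		numgen random mod 2 vmap { 0 : jump svc2-endpoint-1, 1 : jump svc2-endpoint-2 }
	}

	chain prerouting {
		# dstnat is the conventional priority (-100) for nat prerouting chains
		type nat hook prerouting priority dstnat; policy accept;

		# Early accept: traffic to a service without endpoints leaves this
		# chain here and goes straight to the input hook, where it is
		# rejected, instead of traversing the service rules below.
		ip daddr @no-endpoint-svc-addrs tcp dport @no-endpoint-svc-ports accept
		ip daddr @no-endpoint-svc-addrs udp dport @no-endpoint-svc-ports accept

		ip daddr 1.1.1.1 tcp dport 88 jump svc1
		ip daddr 2.2.2.2 tcp dport 99 jump svc2
	}

	# reject is valid on the input/forward/output hooks. A filter-type chain
	# is used here (assumption) because nat-type chains only see the first
	# packet of each connection, while a filter chain sees every packet.
	chain input {
		type filter hook input priority filter; policy accept;
		ip daddr @no-endpoint-svc-addrs tcp dport @no-endpoint-svc-ports reject with tcp reset
		ip daddr @no-endpoint-svc-addrs udp dport @no-endpoint-svc-ports reject with icmp type net-unreachable
	}
}
```

Load it with `nft -f <file>` after `nft flush table ip ipv4table` (or `nft delete table ip ipv4table` if the old layout is still present, since the old input-net/input-local chains would otherwise remain). `nft -c -f <file>` checks the ruleset without committing it, which is the quickest way to confirm that the dnat and numgen placements are accepted by the kernel in use.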