Hi Phil,

Quick question: it appears that we do not yet support combining two types into a key, so I need to quickly add it; your help would be appreciated. Here is the sequence I get to create such a map:

sudo nft --debug all add map ipv4table no-endpoint-services { type ipv4_addr . inet_service : verdict \; }

----------------    ------------------
| 02 00 00 00  |    |  extra header  |
|00014|--|00001|    |len |flags| type|
| 69 70 76 34  |    |      data      |     i p v 4
| 74 61 62 6c  |    |      data      |     t a b l
| 65 00 00 00  |    |      data      |     e
|00025|--|00002|    |len |flags| type|
| 6e 6f 2d 65  |    |      data      |     n o - e
| 6e 64 70 6f  |    |      data      |     n d p o
| 69 6e 74 2d  |    |      data      |     i n t -
| 73 65 72 76  |    |      data      |     s e r v
| 69 63 65 73  |    |      data      |     i c e s
| 00 00 00 00  |    |      data      |
|00008|--|00003|    |len |flags| type|     NFTA_SET_FLAGS
| 00 00 00 08  |    |      data      |     NFT_SET_MAP = 0x8
|00008|--|00004|    |len |flags| type|     NFTA_SET_KEY_TYPE = 0x4
| 00 00 01 cd  |    |      data      |
|00008|--|00005|    |len |flags| type|     NFTA_SET_KEY_LEN = 0x5
| 00 00 00 08  |    |      data      |
|00008|--|00006|    |len |flags| type|     NFTA_SET_DATA_TYPE = 0x6 Verdict
| ff ff ff 00  |    |      data      |
|00008|--|00007|    |len |flags| type|     NFTA_SET_DATA_LEN = 0x7
| 00 00 00 00  |    |      data      |
|00008|--|00010|    |len |flags| type|     NFTA_SET_ID = 0xa
| 00 00 00 01  |    |      data      |
|00016|--|00013|    |len |flags| type|
| 00 04 00 00  |    |      data      |
| 00 00 01 04  |    |      data      |
| 00 00 00 00  |    |      data      |
----------------    ------------------

Almost all is clear except 2 points: how the set flag "00 00 01 cd" is generated, and when the key length is 8 and not 6.

Thanks a lot
Serguei

On 2019-11-28, 8:08 AM, "n0-1@xxxxxxxxxxxxx on behalf of Phil Sutter" <n0-1@xxxxxxxxxxxxx on behalf of phil@xxxxxx> wrote:

Hi Serguei,

On Thu, Nov 28, 2019 at 01:22:17AM +0000, Serguei Bezverkhi (sbezverk) wrote:
> Please see below the list of nftables rules the code generates to mimic only the filter chain portion of kube proxy.
>
> Here is the location of the code programming these rules.
> https://github.com/sbezverk/nftableslib-samples/blob/master/proxy/mimic-filter/mimic-filter.go
>
> Most of the rules are static and will be programmed just once when the proxy comes up, with the exception of 2 rules in the k8s-filter-services chain. The reference to the list of ports can change. Ideally it would be great to express these two rules with a single rule and a vmap, where the key must be the service's IP AND service port, as it is possible to have a single service IP that can be associated with several ports, and some of these ports might have an endpoint and some do not. So far I could not figure it out. Appreciate your thoughts/suggestions/criticism.

If you could file an issue for anything you feel needs to be discussed, that would be great.

What about something like this:

| table ip t {
|     map m {
|         type ipv4_addr . inet_service : verdict
|         elements = { 192.168.80.104 . 8989 : goto do_reject }
|     }
|
|     chain c {
|         ip daddr . tcp dport vmap @m
|     }
|
|     chain do_reject {
|         reject with icmp type host-unreachable
|     }
| }

For unknown reasons the reject statement can't be used directly in a verdict map, but the do_reject chain hack works.

> sudo nft list table ipv4table
> table ip ipv4table {
>     set svc1-no-endpoints {
>         type inet_service
>         elements = { 8989 }
>     }
>
>     chain filter-input {
>         type filter hook input priority filter; policy accept;
>         ct state new jump k8s-filter-services
>         jump k8s-filter-firewall
>     }
>
>     chain filter-output {
>         type filter hook output priority filter; policy accept;
>         ct state new jump k8s-filter-services
>         jump k8s-filter-firewall
>     }

Same ruleset for input and output? Seems weird given the daddr-based filtering in k8s-filter-services.

Cheers, Phil
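The attribute dump at the top of the thread, decoded as an added example (this is not code from the thread, from nftables or from libmnl). The attribute numbers are the ones Serguei annotated in the dump plus NFTA_SET_TABLE (1), NFTA_SET_NAME (2) and NFTA_SET_USERDATA (13) from the kernel's enum nft_set_attributes. The part that explains the two open points is nftables userspace's own datatype handling (src/datatype.h): a concatenation's type id is built as (first << TYPE_BITS) | second with TYPE_BITS = 6, and each part of a concatenated key is padded to a full 32-bit register. With TYPE_IPADDR = 7 and TYPE_INET_SERVICE = 13 that gives (7 << 6) | 13 = 0x1cd for `ipv4_addr . inet_service`, and 4 + 4 = 8 bytes for the key length rather than 4 + 2 = 6. The byte stream is reconstructed from the hexdump; the NFTA_SET_USERDATA payload is kept as raw hex because the dump does not annotate it.

```python
"""Decode the NFTA_SET_* attributes of the 'add map' request shown in the thread.

Added example, not code from the thread, nftables or libmnl. The byte
stream below is reconstructed from the values in the hexdump.
"""
import struct

# enum nft_set_attributes (linux/netfilter/nf_tables.h): the numbers the
# dump annotates plus the table, name and userdata attributes.
NFTA_SET = {
    1: "NFTA_SET_TABLE",
    2: "NFTA_SET_NAME",
    3: "NFTA_SET_FLAGS",
    4: "NFTA_SET_KEY_TYPE",
    5: "NFTA_SET_KEY_LEN",
    6: "NFTA_SET_DATA_TYPE",
    7: "NFTA_SET_DATA_LEN",
    10: "NFTA_SET_ID",
    13: "NFTA_SET_USERDATA",
}
NFT_SET_MAP = 0x8              # NFTA_SET_FLAGS bit: this set is a map
NFT_DATA_VERDICT = 0xFFFFFF00  # NFTA_SET_DATA_TYPE of a verdict map
NLA_TYPE_MASK = 0x3FFF         # strips NLA_F_NESTED / NLA_F_NET_BYTEORDER

# nftables userspace datatype ids (src/datatype.h). A concatenation is
# encoded as (first << TYPE_BITS) | second, and every part of the key
# occupies a whole 32-bit register.
TYPE_BITS = 6
TYPE_NAMES = {1: "verdict", 7: "ipv4_addr", 13: "inet_service"}
TYPE_SIZE_BITS = {"ipv4_addr": 32, "inet_service": 16}


def nla(attr_type, payload):
    """Encode one netlink attribute: 4-byte host-order header + payload padded to 4."""
    header = struct.pack("=HH", 4 + len(payload), attr_type)
    return header + payload + b"\x00" * ((-len(payload)) % 4)


# Request body constructed from the hexdump in the message.
DUMP = b"".join([
    nla(1, b"ipv4table\x00"),                          # |00014|--|00001|
    nla(2, b"no-endpoint-services\x00"),               # |00025|--|00002|
    nla(3, bytes.fromhex("00000008")),                 # NFTA_SET_FLAGS = NFT_SET_MAP
    nla(4, bytes.fromhex("000001cd")),                 # NFTA_SET_KEY_TYPE
    nla(5, bytes.fromhex("00000008")),                 # NFTA_SET_KEY_LEN = 8 bytes
    nla(6, bytes.fromhex("ffffff00")),                 # NFTA_SET_DATA_TYPE = verdict
    nla(7, bytes.fromhex("00000000")),                 # NFTA_SET_DATA_LEN
    nla(10, bytes.fromhex("00000001")),                # NFTA_SET_ID
    nla(13, bytes.fromhex("000400000000010400000000")),  # NFTA_SET_USERDATA
])


def parse_attrs(buf):
    """Walk a flat netlink attribute stream and return [(type, payload), ...]."""
    attrs, off = [], 0
    while off + 4 <= len(buf):
        nla_len, nla_type = struct.unpack_from("=HH", buf, off)
        if nla_len < 4 or off + nla_len > len(buf):
            raise ValueError(f"bad attribute length {nla_len} at offset {off}")
        attrs.append((nla_type & NLA_TYPE_MASK, buf[off + 4:off + nla_len]))
        off += (nla_len + 3) & ~3          # attributes are 4-byte aligned
    return attrs


def decode_set(buf):
    """Map the raw attributes to named NFTA_SET_* fields with decoded values."""
    fields = {}
    for attr_type, payload in parse_attrs(buf):
        name = NFTA_SET.get(attr_type, f"NFTA_SET_{attr_type}")
        if name in ("NFTA_SET_TABLE", "NFTA_SET_NAME"):
            fields[name] = payload.split(b"\x00", 1)[0].decode()
        elif name != "NFTA_SET_USERDATA" and len(payload) == 4:
            fields[name] = struct.unpack("!I", payload)[0]   # u32, network byte order
        else:
            fields[name] = payload.hex()   # left opaque; the dump does not annotate it
    return fields


def split_concat_type(key_type):
    """Undo the concat encoding: peel 6-bit datatype ids, most significant first."""
    ids = []
    while key_type:
        ids.append(key_type & ((1 << TYPE_BITS) - 1))
        key_type >>= TYPE_BITS
    return [TYPE_NAMES.get(i, str(i)) for i in reversed(ids)]


def concat_key_len(parts):
    """Key length in bytes: every part is rounded up to a 32-bit register."""
    return sum((TYPE_SIZE_BITS[p] + 31) // 32 * 4 for p in parts)


if __name__ == "__main__":
    fields = decode_set(DUMP)
    for name, value in fields.items():
        print(f"{name:20} {value:#x}" if isinstance(value, int) else f"{name:20} {value}")
    parts = split_concat_type(fields["NFTA_SET_KEY_TYPE"])
    print("key type", hex(fields["NFTA_SET_KEY_TYPE"]), "=", " . ".join(parts))
    print("key len ", concat_key_len(parts), "bytes (each part padded to 32 bits)")
```

Running it prints the table and map name, the flags with NFT_SET_MAP set, the verdict data type, and the key type 0x1cd resolved to `ipv4_addr . inet_service` with a computed key length of 8. The same `split_concat_type` / `concat_key_len` pair applies to any other concatenation nft builds, since the encoding is the same for every pair of datatypes.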