Hello, @Phil, thanks so much for the Concat suggestion. Any more points for optimization? If not, then I will move to the nat portion of k8s iptables. Here are the rules generated with the refactored code:

table ip ipv4table {
	map no-endpoints-services {
		type ipv4_addr . inet_service : verdict
		elements = { 57.131.151.19 . 8989 : jump k8s-filter-do-reject,
			     192.168.80.104 . 8989 : jump k8s-filter-do-reject }
	}

	chain filter-input {
		type filter hook input priority filter; policy accept;
		ct state new jump k8s-filter-services
		jump k8s-filter-firewall
	}

	chain filter-output {
		type filter hook output priority filter; policy accept;
		ct state new jump k8s-filter-services
		jump k8s-filter-firewall
	}

	chain filter-forward {
		type filter hook forward priority filter; policy accept;
		jump k8s-filter-forward
		ct state new jump k8s-filter-services
	}

	chain k8s-filter-firewall {
		meta mark 0x00008000 drop
	}

	chain k8s-filter-services {
		ip daddr . tcp dport vmap @no-endpoints-services
	}

	chain k8s-filter-forward {
		ct state invalid drop
		meta mark 0x00004000 accept
		ip saddr 57.112.0.0/12 ct state established,related accept
		ip daddr 57.112.0.0/12 ct state established,related accept
	}

	chain k8s-filter-do-reject {
		reject with icmp type host-unreachable
	}
}

Thank you
Serguei

On 2019-11-28, 10:15 AM, "n0-1@xxxxxxxxxxxxx on behalf of Phil Sutter" <n0-1@xxxxxxxxxxxxx on behalf of phil@xxxxxx> wrote:

Hi,

On Thu, Nov 28, 2019 at 02:51:36PM +0000, Serguei Bezverkhi (sbezverk) wrote:
> Quick question: it appears that we do not yet support combining two types into a key, so I need to quickly add it; your help would be appreciated. Here is the sequence I get to create such a map:
> sudo nft --debug all add map ipv4table no-endpoint-services { type ipv4_addr . inet_service : verdict \; }
> [...]
>
> Almost all is clear except two points: how the set flag "00 00 01 cd " is generated, and when the key length is 8 and not 6.
I've been through that recently when implementing among match support in iptables-nft (which uses an anonymous set with concatenated elements internally). Please have a look at the relevant code here:

https://git.netfilter.org/iptables/tree/iptables/nft.c#n999

I guess this helps clarify how set flags are created and how to pad element data.

Cheers, Phil
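An added illustration of the key-length question in the thread (this is example code, not from either mail nor from nftables or iptables): nftables lays each component of a concatenated key out in its own 32-bit register, so the 2-byte inet_service is padded to 4 bytes and an `ipv4_addr . inet_service` key is 8 bytes rather than 6. The element values are taken from the map in the mail; the function names are my own.

```python
import ipaddress
import struct

REG_SIZE = 4  # nftables stores each concatenation component in a 32-bit register


def pad_to_register(data: bytes) -> bytes:
    """Pad one key component up to the next 4-byte register boundary."""
    rem = len(data) % REG_SIZE
    return data if rem == 0 else data + b"\x00" * (REG_SIZE - rem)


def encode_ipv4_port_key(addr: str, port: int) -> bytes:
    """Raw element key for an `ipv4_addr . inet_service` set or map.

    The address fills one register; the 2-byte port (network byte order)
    is padded to a full register, which is why the key is 8 bytes, not 6.
    """
    addr_part = ipaddress.IPv4Address(addr).packed  # 4 bytes
    port_part = struct.pack("!H", port)             # 2 bytes, big-endian
    return pad_to_register(addr_part) + pad_to_register(port_part)


def key_length(*component_sizes: int) -> int:
    """Total key length for components of the given natural byte sizes,
    each rounded up to a whole register (e.g. 4 . 2 -> 8, 16 . 2 -> 20)."""
    return sum(((n + REG_SIZE - 1) // REG_SIZE) * REG_SIZE for n in component_sizes)


if __name__ == "__main__":
    # Element from the map in the mail: 57.131.151.19 . 8989
    key = encode_ipv4_port_key("57.131.151.19", 8989)
    print(len(key), key.hex())  # 8 39839713231d0000
```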