Hi Serguei,

On Wed, Dec 04, 2019 at 12:54:05AM +0000, Serguei Bezverkhi (sbezverk) wrote:
> Nftables wiki gives this example for numgen:
>
> nft add rule nat prerouting numgen random mod 2 vmap { 0 : jump mychain1, 1 : jump mychain2 }
>
> I would like to use it but with map reference, like this:
>
> nft add rule nat prerouting numgen random mod 2 vmap @service1-endpoints
>
> Could you please confirm if it is supported? If it is what would be the type of the key in such map? I thought it would be integer, but command fails.
>
> sudo nft --debug all add map ipv4table k8s-57XVOCFNTLTR3Q27-endpoints { type integer : verdict \; }
> Error: unqualified key type integer specified in map definition
> add map ipv4table k8s-57XVOCFNTLTR3Q27-endpoints { type integer : verdict ; }
> ^^^^^^^^^^^^^^^^^^^^^^^^^^

Yes, this is sadly not possible right now. numgen type is 32bit integer,
but we don't have a type definition matching that. Type 'integer' is
unqualified regarding size, therefore unsuitable for use in map/set
definitions.

This all works when using anonymous set/map because key type is deduced
from map LHS. We plan to support a 'typeof' keyword at some point to
allow for the same deduction from within named map/set declarations, but
it needs further work as the type info is lost on return path (when
listing) so it would create a ruleset that can't be fed back.

> The ultimate goal is to update dynamically just the map with available endpoints and loadbalance between them without touching the rule.

I don't quite understand why you need to dynamically change the
load-balancing rule: numgen modulus is fixed anyway, so the number of
elements in vmap are fixed. Maybe just jump to chains and dynamically
update those instead?

Cheers, Phil
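
The approach suggested in the reply above, sketched as an added example (not part of the original message and not the nftables project's own code): the rule keeps an anonymous vmap, so the key type is deduced from the numgen expression, and endpoints change by rewriting the per-slot chains. The chain names come from the quoted wiki example; the service address, backend addresses, port and hook priority are constructed assumptions.

```nft
# Added example; every address below is a constructed sample value.

table ip nat {
    # One chain per load-balancing slot. Only these chains are
    # rewritten when an endpoint is replaced.
    chain mychain1 {
        dnat to 10.0.0.11
    }

    chain mychain2 {
        dnat to 10.0.0.12
    }

    chain prerouting {
        type nat hook prerouting priority -100; policy accept;

        # Anonymous vmap: no "type integer" declaration is needed,
        # unlike the named map that failed in the quoted command.
        # The modulus (2) must match the number of vmap entries.
        ip daddr 10.96.0.10 tcp dport 80 numgen random mod 2 vmap { 0 : jump mychain1, 1 : jump mychain2 }
    }
}

# Later endpoint change, normally sent as its own "nft -f" file.
# Both commands are applied in one transaction, so mychain2 is
# never seen empty, and the prerouting rule is left untouched.
flush chain ip nat mychain2
add rule ip nat mychain2 dnat to 10.0.0.13
```

Changing the number of endpoints still means replacing the prerouting rule, since the modulus and the vmap entries have to change together.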