Hi,

On Wed, Dec 04, 2019 at 04:13:45PM +0000, Serguei Bezverkhi (sbezverk) wrote:
> It is not static; SVC chain jump rules will be updated on every endpoint change, the dynamic nature is achieved by manipulating rules. It is doable with nftables, I understand that, but I was also looking for a more efficient way to do it. My concern is that if we use a 1 to 1 conversion, we will end up with the same iptables scalability/performance limitations.
>
> Here is how the rules look after a third and fourth endpoint get dynamically added to the service.
>
> -A KUBE-SVC-57XVOCFNTLTR3Q27 -m statistic --mode random --probability 0.25000000000 -j KUBE-SEP-FS3FUULGZPVD4VYB
> -A KUBE-SVC-57XVOCFNTLTR3Q27 -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-MMFZROQSLQ3DKOQA
> -A KUBE-SVC-57XVOCFNTLTR3Q27 -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-TEWRTAGT3CD3D47Z
> -A KUBE-SVC-57XVOCFNTLTR3Q27 -j KUBE-SEP-4WMWD734WJQW264U

Ah, that's nice. The rules are updated in a way that with a single added rule probabilities are equalized again. This is something I fear we can't do with a map in nftables yet; I guess it would need a new object type (or maybe a special set/map type or something). All you can do for now is copy the above in nftables.

Cheers, Phil
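As an added example (not code from this thread, kube-proxy or iptables), a small Python model of the probability chain quoted above: rule i of n matches with probability 1/(n-i), the last rule jumps unconditionally, and every endpoint ends up with a 1/n share. The rendering assumes the probability is handed to iptables rounded to 5 decimals and that libxt_statistic stores it as lround(p * 2^31) and prints it as that integer / 2^31 with %.11f; under those assumptions it reproduces the 0.33332999982 shown above. Chain and endpoint names are taken from the quoted rules.

```python
from fractions import Fraction

# Names taken from the rules quoted in the thread.
SVC = "KUBE-SVC-57XVOCFNTLTR3Q27"
SEPS = ["KUBE-SEP-FS3FUULGZPVD4VYB", "KUBE-SEP-MMFZROQSLQ3DKOQA",
        "KUBE-SEP-TEWRTAGT3CD3D47Z", "KUBE-SEP-4WMWD734WJQW264U"]


def chain_probabilities(n):
    """Match probability of rule i in a chain of n endpoints.

    Rule i is only reached if rules 0..i-1 missed, so it must take 1/(n-i)
    of the traffic that is left; the last rule (i == n-1) always matches.
    """
    return [Fraction(1, n - i) for i in range(n)]


def effective_shares(probs):
    """Traffic share each endpoint actually receives for the given per-rule probabilities."""
    shares, remaining = [], Fraction(1)
    for p in probs:
        shares.append(remaining * p)   # reached this rule and matched it
        remaining *= 1 - p             # fell through to the next rule
    return shares


def iptables_probability(p):
    """Render p as it appears in iptables-save output (a model, assumed here:
    value handed over with 5 decimals, stored as lround(p * 2^31), printed
    as that integer / 2^31 with %.11f)."""
    handed_over = float(f"{float(p):.5f}")
    stored = round(handed_over * 0x80000000)
    return f"{stored / 0x80000000:.11f}"


def render_iptables_chain(svc, seps):
    """Emit the -A lines of the SVC chain; regenerated on every endpoint change."""
    n = len(seps)
    lines = []
    for i, (p, sep) in enumerate(zip(chain_probabilities(n), seps)):
        if i == n - 1:
            lines.append(f"-A {svc} -j {sep}")
        else:
            lines.append(f"-A {svc} -m statistic --mode random "
                         f"--probability {iptables_probability(p)} -j {sep}")
    return lines


if __name__ == "__main__":
    print("\n".join(render_iptables_chain(SVC, SEPS)))
    for sep, share in zip(SEPS, effective_shares(chain_probabilities(len(SEPS)))):
        print(f"{sep}: {share}")
```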