Re: Numen with reference to vmap

Hello @Phil,

Just to confirm,

If I do,

numgen random mod 3 vmap { 0 : jump endpoint1, 1 : jump endpoint2, 2 : jump endpoint3 }

Then if a 4th endpoint appears I replace the previous rule with:

numgen random mod 4 vmap { 0 : jump endpoint1, 1 : jump endpoint2, 2 : jump endpoint3, 3 : jump endpoint4 }

It should do the trick of load balancing, right?

@Arturo

I am not planning to use "dnat numgen random { 0-49 : <ip>:<port> }".

Each endpoint will have its own chain, and it will dnat to the IP and the specific endpoint target port. The load balancing will be done in the service chain between multiple endpoint chains.
See the example above. Does it make sense?

Thank you
Serguei

On 2019-12-04, 12:31 PM, "Arturo Borrero Gonzalez" <arturo@xxxxxxxxxxxxx> wrote:

    On 12/4/19 4:56 PM, Phil Sutter wrote:
    > OK, static load-balancing between two services - no big deal. :)
    > 
    > What happens if config changes? I.e., if one of the endpoints goes down
    > or a third one is added? (That's the thing we're discussing right now,
    > aren't we?)
    
    if the non-anon map for random numgen was allowed, then only elements would need
    to be adjusted:
    
    dnat numgen random mod 100 map { 0-49 : 1.1.1.1, 50-99 : 2.2.2.2 }
    
    You could always use mod 100 (or 10000 if you want) and just play with the map
    probabilities by updating map elements. This is a valid use case I think.
    The mod number can just be the max number of allowed endpoints per service in
    kubernetes.
    
    @Phil,
    
    I'm not sure if the typeof() thingy will work in this case, since the integer
    length would depend on the mod value used.
    What about introducing something like an explicit u128 integer datatype. Perhaps
    it's useful for other use cases too...
    
    @Serguei,
    
    kubernetes implements a complex chain of mechanisms to deal with traffic. What
    happens if endpoints for a given svc have different ports? I don't know if
    that's supported or not, but then this approach wouldn't work either: you can't
    use dnat numgen random { 0-49 : <ip>:<port> }.
    
    Also, we have the masquerade/drop thing going on too, which needs to be dealt
    with and that currently is done by yet another chain jump + packet mark.
    
    I'm not sure in which state of the development you are, but this is my
    suggestion: Try not to over-optimize in the first iteration. Just get a
    working nft ruleset with the few optimizations that make sense and are easy to
    use (and understand). For iteration #2 we can do better optimizations, including
    patching missing features we may have in nftables.
    I really want a ruleset with very little rules, but we are still comparing with
    the iptables ruleset. I suggest we leave the hard optimization for a later point
    when we are comparing nft vs nft rulesets.
    

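The two rules Serguei posts above are instances of one pattern: the modulus equals the number of endpoint chains and every numgen slot jumps to one of them. The script below is an added example, not code from this thread or from the kube-proxy work it discusses: it generates that service-chain rule for any list of endpoint chains, extends the idea with per-endpoint weights (Arturo's "play with the map probabilities" with a larger modulus), and wraps the result in an nft -f transaction so the old rule is flushed and the new one installed in a single atomic commit rather than as two separate nft invocations. The table name inet kube, the service chain svc_web and the endpoint chains ep1..ep4 are assumed names; the endpoint chains themselves (which do the dnat) must already exist.

```shell
#!/bin/sh
# Added example: build the nftables numgen/vmap load-balancing rule for a service
# chain and the nft -f transaction that replaces it atomically.
# Assumed names (not from the thread): table "inet kube", service chain "svc_web",
# endpoint chains "ep1".."ep4". Each endpoint argument is CHAIN or CHAIN=WEIGHT;
# weight defaults to 1 and the modulus is the sum of weights, so "ep1=3 ep2" gives
# ep1 three of four numgen slots.

# Sum of weights over the endpoint list (= the "mod N" value).
lb_mod() {
    total=0
    for arg in "$@"; do
        weight=${arg#*=}
        [ "$weight" = "$arg" ] && weight=1   # no "=": weight 1
        total=$((total + weight))
    done
    printf '%s' "$total"
}

# Verdict-map body, e.g. "0-2 : jump ep1, 3 : jump ep2".
# Single-slot endpoints get a plain key, weighted ones a range key.
lb_vmap_body() {
    slot=0
    body=""
    for arg in "$@"; do
        chain=${arg%%=*}
        weight=${arg#*=}
        [ "$weight" = "$arg" ] && weight=1
        last=$((slot + weight - 1))
        if [ "$weight" -eq 1 ]; then key=$slot; else key="${slot}-${last}"; fi
        [ -n "$body" ] && body="$body, "
        body="${body}${key} : jump ${chain}"
        slot=$((last + 1))
    done
    printf '%s' "$body"
}

# Complete rule: "numgen random mod N vmap { ... }".
# "numgen inc" in place of "numgen random" would give round-robin instead of
# random selection; the map body is the same either way.
lb_rule() {
    [ $# -gt 0 ] || { echo "lb_rule: need at least one endpoint chain" >&2; return 1; }
    printf 'numgen random mod %s vmap { %s }\n' "$(lb_mod "$@")" "$(lb_vmap_body "$@")"
}

# nft -f transaction for one service chain: flush its rules and add the new one.
# Both statements are committed together, so no packet ever sees an empty chain,
# and "flush chain" keeps the chain object itself (and any jump to it) intact.
lb_transaction() {
    svc=$1; shift
    printf 'flush chain inet kube %s\n' "$svc"
    printf 'table inet kube {\n\tchain %s {\n\t\t%s\n\t}\n}\n' "$svc" "$(lb_rule "$@")"
}

# Stand-alone demo: the transaction that moves svc_web from three to four endpoints.
lb_transaction svc_web ep1 ep2 ep3 ep4
```

Apply the output with `lb_transaction svc_web ep1 ep2 ep3 ep4 | nft -f -` each time the endpoint set for a service changes; the chain must have been created once before the first `flush chain` runs. Removing an endpoint is the same operation with a shorter list, which is the case Phil asks about (an endpoint going down): the modulus shrinks with the list, so no slot is left pointing at a chain that no longer receives traffic.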