Re: Proxy load balancer rules

Hi Serguei,

On Thu, Jan 30, 2020 at 05:12:07PM +0000, Serguei Bezverkhi (sbezverk) wrote:
[...]
> 
> !
> !   -m recent --rcheck --seconds 10800 --reap  --rsource - keywords I am looking for equivalent in  nftables  
> !
> 
> -A KUBE-XLB-BAJ42O6WMSSB7YGA -m comment --comment "services-9837/affinity-lb-esipp-transition:" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-JAOQ4ZBNFGZ34AZ4 --mask 255.255.255.255 --rsource -j KUBE-SEP-JAOQ4ZBNFGZ34AZ4
> -A KUBE-XLB-BAJ42O6WMSSB7YGA -m comment --comment "services-9837/affinity-lb-esipp-transition:" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-WLHDVQTL57VBPURE --mask 255.255.255.255 --rsource -j KUBE-SEP-WLHDVQTL57VBPURE
> -A KUBE-XLB-BAJ42O6WMSSB7YGA -m comment --comment "services-9837/affinity-lb-esipp-transition:" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-5XWCIKNI3M4MWAMU --mask 255.255.255.255 --rsource -j KUBE-SEP-5XWCIKNI3M4MWAMU

There is no direct equivalent for the recent extension in nftables (yet).
But in this case I think a set with timeout would do the trick.

The above simply checks if saddr is part of that set (--rcheck). The
value given in --seconds would be the set's default element timeout. No
need for --reap, elements will disappear automatically.

[...]
> -A KUBE-SEP-5XWCIKNI3M4MWAMU -s 57.112.0.208/32 -j KUBE-MARK-MASQ
> -A KUBE-SEP-5XWCIKNI3M4MWAMU -p tcp -m recent --set --name KUBE-SEP-5XWCIKNI3M4MWAMU --mask 255.255.255.255 --rsource -m tcp -j DNAT [unsupported revision]
> 
> -A KUBE-SEP-JAOQ4ZBNFGZ34AZ4 -s 57.112.0.206/32 -j KUBE-MARK-MASQ
> -A KUBE-SEP-JAOQ4ZBNFGZ34AZ4 -p tcp -m recent --set --name KUBE-SEP-JAOQ4ZBNFGZ34AZ4 --mask 255.255.255.255 --rsource -m tcp -j DNAT [unsupported revision]
> 
> -A KUBE-SEP-WLHDVQTL57VBPURE -s 57.112.0.207/32 -j KUBE-MARK-MASQ
> -A KUBE-SEP-WLHDVQTL57VBPURE -p tcp -m recent --set --name KUBE-SEP-WLHDVQTL57VBPURE --mask 255.255.255.255 --rsource -m tcp -j DNAT [unsupported revision]

These rules add saddr to the set or reset the timeout if already
present.

So, in order to replicate the above in nftables, you would:

* Add a new set for each different --name value given above
  - define a default timeout (suggested)
  - define a max size (suggested)
* Translate --rcheck into a simple set lookup
* Translate --set into set statement:
  'update @setxy { ip saddr timeout 10800 }'
  - use 'update' instead of 'add' to reset the timeout

For further info, please refer to nft manpage[1] as well as nftables
wiki[2].

Cheers, Phil

[1] 'SETS' and 'SET STATEMENT' sections in nft(8) 
[2] https://wiki.nftables.org/wiki-nftables/index.php/Updating_sets_from_the_packet_path
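The translation sketched above, written out as a complete nftables ruleset. This is an added example, not code from the thread or from kube-proxy: the table name, the prerouting base chain and the :8080 DNAT ports are assumptions (the quoted rules did not show the DNAT targets), and KUBE-MARK-MASQ is left empty because its contents are not shown either.

```nft
table ip kube_proxy {
	# One set per former "-m recent --name". 10800s is the --seconds value;
	# the kernel expires entries itself, so --reap has no counterpart.
	set KUBE-SEP-JAOQ4ZBNFGZ34AZ4 {
		type ipv4_addr
		flags dynamic,timeout
		timeout 10800s
		size 65535
	}
	set KUBE-SEP-WLHDVQTL57VBPURE {
		type ipv4_addr
		flags dynamic,timeout
		timeout 10800s
		size 65535
	}
	set KUBE-SEP-5XWCIKNI3M4MWAMU {
		type ipv4_addr
		flags dynamic,timeout
		timeout 10800s
		size 65535
	}
	# --rcheck --rsource becomes a plain lookup on the source address.
	chain KUBE-XLB-BAJ42O6WMSSB7YGA {
		ip saddr @KUBE-SEP-JAOQ4ZBNFGZ34AZ4 jump KUBE-SEP-JAOQ4ZBNFGZ34AZ4
		ip saddr @KUBE-SEP-WLHDVQTL57VBPURE jump KUBE-SEP-WLHDVQTL57VBPURE
		ip saddr @KUBE-SEP-5XWCIKNI3M4MWAMU jump KUBE-SEP-5XWCIKNI3M4MWAMU
	}
	# --set --rsource becomes "update": the address is inserted, or its
	# timeout refreshed if already present ("add" would not refresh it).
	# :8080 is a placeholder; the original DNAT target was not shown.
	chain KUBE-SEP-JAOQ4ZBNFGZ34AZ4 {
		ip saddr 57.112.0.206 jump KUBE-MARK-MASQ
		meta l4proto tcp update @KUBE-SEP-JAOQ4ZBNFGZ34AZ4 { ip saddr timeout 10800s } dnat to 57.112.0.206:8080
	}
	chain KUBE-SEP-WLHDVQTL57VBPURE {
		ip saddr 57.112.0.207 jump KUBE-MARK-MASQ
		meta l4proto tcp update @KUBE-SEP-WLHDVQTL57VBPURE { ip saddr timeout 10800s } dnat to 57.112.0.207:8080
	}
	chain KUBE-SEP-5XWCIKNI3M4MWAMU {
		ip saddr 57.112.0.208 jump KUBE-MARK-MASQ
		meta l4proto tcp update @KUBE-SEP-5XWCIKNI3M4MWAMU { ip saddr timeout 10800s } dnat to 57.112.0.208:8080
	}
	# Contents not shown in the thread; kept so the jumps resolve.
	chain KUBE-MARK-MASQ { }
	# Assumed entry point: dnat must be reached from a nat-type base chain.
	chain prerouting {
		type nat hook prerouting priority -100;
		jump KUBE-XLB-BAJ42O6WMSSB7YGA
	}
}
```

Check the ruleset with `nft -c -f <file>` before loading it; once loaded, `nft list set ip kube_proxy KUBE-SEP-JAOQ4ZBNFGZ34AZ4` shows the remaining timeout of each client address.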