The issue isn't that an offset is required for the hash / numgen functions. It is being able to build an IP / IPv6 address dynamically each time the rule is evaluated, using numgen, without needing to explicitly lay out every possible IP in a map in the rule.

On Fri, Mar 6, 2020 at 12:07 PM Laura Garcia <nevola@xxxxxxxxx> wrote:
>
> On Fri, Mar 6, 2020, 6:11 PM Dennett Ingram <d@xxxxxxxxxx> wrote:
>>
>> So I currently see no way of doing this. But I figured I'd just write
>> out to verify.
>>
>> Is there any way to have a statement "evaluated" for each packet?
>>
>> https://wiki.nftables.org/wiki-nftables/index.php/Load_balancing
>>
>> shows the use of:
>>
>> % nft add rule nat prerouting dnat to numgen inc mod 2 map { \
>>     0 : 192.168.10.100, \
>>     1 : 192.168.20.200 }
>>
>> which is great, to be able to generate a random number and use that to
>> find one of X items from the Map. What would be really nice is if
>> there was some way you could do:
>>
>> % nft add rule nat prerouting dnat to 192.168.10.(100+numgen inc mod 20)
>
> Hi,
>
> An offset can be added to the numgen and hash expressions. [0]
>
> The range is a good idea to avoid maps but is not very flexible. If a backend is down, you'll need to split the range somehow.
>
> [0] https://wiki.nftables.org/wiki-nftables/index.php/Math_operations
>
>>
>> which would then do the same type of mapping as before, but going from
>> 192.168.10.100-192.168.10.120, without needing to create a map and
>> iterate through every value.
>>
>> Being able to do simple math in there as well, you could have
>> 100+2*(numgen inc mod 20) or whatever to have it skip every two. Or
>> 2000:2000:A356::( numgen inc mod 65,536).ToHex() to have it generate
>> an IPv6 address in that /64 block randomly. The ToHex() is just
>> something I put out there, I figure there would be some way to write
>> it in hex, or write the IPv6 address as a double, that could be
>> accepted.
>>
>> I know this is a very niche situation, and not something supported,
>> but just thought I'd bring it up.
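
The map-based rule quoted in this thread, generated for a whole address range instead of written out by hand; this is an added example, not code from the thread or from the nftables project. `build_dnat_rule` is a hypothetical helper that assumes an IPv4 prefix given as its first three octets; since `numgen inc mod 20` yields 0 through 19, a start of 100 gives backends .100 through .119.

```shell
#!/bin/sh
# Added example (not from the thread): emit the explicit numgen map for a
# range of IPv4 backends, so the map does not have to be typed by hand.
# build_dnat_rule is a hypothetical helper name.
#
# usage: build_dnat_rule PREFIX START COUNT [STEP]
#   PREFIX  first three octets, e.g. 192.168.10
#   START   last octet of the first backend
#   COUNT   number of backends (also the numgen modulus)
#   STEP    distance between backends (default 1; 2 skips every other one)
build_dnat_rule() {
    prefix=$1; start=$2; count=$3; step=${4:-1}

    # Accept only plain decimal integers without leading zeros.
    for v in "$start" "$count" "$step"; do
        case $v in
            ''|*[!0-9]*|0?*) echo "not a valid integer: '$v'" >&2; return 1 ;;
        esac
    done
    if [ "$count" -lt 1 ] || [ "$step" -lt 1 ]; then
        echo "COUNT and STEP must be at least 1" >&2
        return 1
    fi

    # numgen inc mod COUNT yields 0 .. COUNT-1, so the highest key decides
    # whether the range still fits in the last octet.
    last=$(( start + (count - 1) * step ))
    if [ "$last" -gt 255 ]; then
        echo "last backend octet $last exceeds 255" >&2
        return 1
    fi

    entries=""
    i=0
    while [ "$i" -lt "$count" ]; do
        entries="${entries}${entries:+, }$i : $prefix.$(( start + i * step ))"
        i=$(( i + 1 ))
    done

    # Table "nat" and chain "prerouting" are the names used in the thread.
    printf 'add rule nat prerouting dnat to numgen inc mod %s map { %s }\n' \
        "$count" "$entries"
}

# Print the rule for .100 through .119; review it, then load it with: nft -f -
build_dnat_rule 192.168.10 100 20
```

When a backend goes down, the rule has to be regenerated with a different modulus and entry list, which is the flexibility concern raised in the quoted reply.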