Re: Numen with reference to vmap

[Phil Sutter <phil@nwl.cc>]

Hi Serguei,

On Wed, Dec 04, 2019 at 12:54:05AM +0000, Serguei Bezverkhi (sbezverk) wrote:
> Nftables wiki gives this example for numgen:
> 
> nft add rule nat prerouting numgen random mod 2 vmap { 0 : jump mychain1, 1 : jump mychain2 }
> 
> I would like to use it but with map reference, like this:
> 
> nft add rule nat prerouting numgen random mod 2 vmap @service1-endpoints
> 
> Could you please confirm if it is supported? If it is what would be the type of the key in such map? I thought it would be integer, but command fails.
> 
> sudo nft --debug all add map ipv4table k8s-57XVOCFNTLTR3Q27-endpoints   { type  integer : verdict \; }
> Error: unqualified key type integer specified in map definition
> add map ipv4table k8s-57XVOCFNTLTR3Q27-endpoints { type integer : verdict ; }
>                                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^

Yes, this is sadly not possible right now. numgen type is 32bit integer,
but we don't have a type definition matching that. Type 'integer' is
unqualified regarding size, therefore unsuitable for use in map/set
definitions.

This all works when using anonymous set/map because key type is
deduced from map LHS.

We plan to support a 'typeof' keyword at some point to allow for the
same deduction from within named map/set declarations, but it needs
further work as the type info is lost on return path (when listing) so
it would create a ruleset that can't be fed back.

> The ultimate  goal is to update dynamically just the  map  with available endpoints and loadbalance between them without  touching the rule.

I don't quite understand why you need to dynamically change the
load-balancing rule: numgen modulus is fixed anyway, so the number of
elements in vmap are fixed. Maybe just jump to chains and dynamically
update those instead?

Cheers, Phil