netfilter-devel.vger.kernel.org archive mirror
From: "Serguei Bezverkhi (sbezverk)" <sbezverk@cisco.com>
To: Phil Sutter <phil@nwl.cc>
Cc: Arturo Borrero Gonzalez <arturo@netfilter.org>,
	"netfilter-devel@vger.kernel.org"
	<netfilter-devel@vger.kernel.org>
Subject: Re: Numen with reference to vmap
Date: Wed, 18 Dec 2019 17:01:33 +0000
Message-ID: <6F72FC38-4238-4CCC-BAEB-A7F4B07817D7@cisco.com>
In-Reply-To: <20191217164140.GE8553@orbyte.nwl.cc>

Hello,

I came across a situation where I need to match against L4 proto (tcp/udp), L3 daddr and L4 port (port value) with a vmap.

The vmap looks like this:

	map no-endpoints-services {
		type inet_proto . ipv4_addr . inet_service : verdict
	}

I was wondering if somebody could come up with a single line rule with reference to that vmap.

Thank you
Serguei

On 2019-12-17, 11:41 AM, "n0-1@orbyte.nwl.cc on behalf of Phil Sutter" <n0-1@orbyte.nwl.cc on behalf of phil@nwl.cc> wrote:

    Hi Serguei,
    
    On Tue, Dec 17, 2019 at 02:05:58PM +0000, Serguei Bezverkhi (sbezverk) wrote:
    > Thank you very much for your reply. Can I paste your reply into the doc with reference to your name? If you do not wish, I will rephrase it and post it there.
    
    Noo, don't tell anyone what I write in mails to public lists! ;)
    Seriously, I don't care if you paste it there or just link to my reply
    in a public archive.
    
    > I have one question, 
    > 
    > chain KUBE-SVC-57XVOCFNTLTR3Q27 {
    > 	numgen random mod 2 vmap { 0 : jump KUBE-SEP-FS3FUULGZPVD4VYB,
    > 	                           1 : jump KUBE-SEP-MMFZROQSLQ3DKOQA }
    > }
    > 
    > In this rule, as far as I understood you last time, there is no way to dynamically change elements of an anonymous vmap. So if the service has a large number of dynamic (short-lived) endpoints, this rule will have to be reprogrammed for every change, and it would be extremely inefficient. Is there any way to make it more dynamic, or are there plans to change the static behavior? That would be extremely important.
    
    Consensus was that you should either copy the iptables solution for now
    (accepting the drawbacks I explained in my last mail) or go with
    replacing that rule for each added/removed node. You'll have to adjust
    both mapping contents and modulus value!
    
    While it would be nice to have a better way of managing this
    load-balancing, I have no idea how one would ideally implement it. Feel
    free to file a ticket in netfilter bugzilla, but don't hold your breath
    for a quick solution.
    
    Cheers, Phil
    

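As an added illustration (not code from the thread, from nftables or from kube-proxy), the script below emits nft syntax for both points raised above: a single lookup rule keyed on the concatenated named vmap, and a numgen-balanced chain whose modulus is derived from the endpoint list so the map contents and the modulus cannot drift apart when the rule is regenerated. The table name, addresses and the `th dport` expression (assumed to need nftables 0.9.2 or newer) are assumptions; the chain names are the constructed ones from the quoted rule.

```shell
#!/bin/sh
# Added example: generates nft syntax for a concatenated verdict map lookup
# and for a numgen load-balancing chain. Table, address and port values are
# constructed samples; 'th dport' is assumed to need nftables >= 0.9.2.

# The key order in the rule must match the map's type order
# (inet_proto . ipv4_addr . inet_service); 'th dport' covers tcp and udp alike.
gen_lookup_rule() {
    printf 'meta l4proto . ip daddr . th dport vmap @%s\n' "$1"
}

# $1 = service chain, remaining args = per-endpoint chains. Elements are
# numbered 0..N-1 and the modulus is N, which is why the whole rule has to
# be regenerated and replaced whenever an endpoint is added or removed.
gen_lb_chain() {
    svc="$1"; shift
    n=$#
    [ "$n" -gt 0 ] || return 1
    elems=""
    i=0
    for ep in "$@"; do
        elems="${elems}${elems:+, }${i} : jump ${ep}"
        i=$((i + 1))
    done
    printf 'chain %s {\n\tnumgen random mod %d vmap { %s }\n}\n' "$svc" "$n" "$elems"
}

# Complete ruleset; endpoint chains are declared before the chain that jumps to them.
gen_ruleset() {
    cat <<EOF
table ip kube-proxy {
	map no-endpoints-services {
		type inet_proto . ipv4_addr . inet_service : verdict
		elements = { tcp . 10.96.0.10 . 9153 : drop }
	}
	chain services {
		$(gen_lookup_rule no-endpoints-services)
	}
	chain KUBE-SEP-FS3FUULGZPVD4VYB { }
	chain KUBE-SEP-MMFZROQSLQ3DKOQA { }
$(gen_lb_chain KUBE-SVC-57XVOCFNTLTR3Q27 KUBE-SEP-FS3FUULGZPVD4VYB KUBE-SEP-MMFZROQSLQ3DKOQA)
}
EOF
}

# Dry-run parse (no kernel changes) when nft is installed; skipped otherwise.
if command -v nft >/dev/null 2>&1; then gen_ruleset | nft -c -f - && echo "ruleset parses"; fi
```

Feeding `gen_ruleset` to `nft -f` on each endpoint change replaces the numgen rule and its modulus together, which is the manual reprogramming Phil describes.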
