summaryrefslogtreecommitdiffstats
path: root/files
diff options
context:
space:
mode:
authorArturo Borrero Gonzalez <arturo@netfilter.org>2018-02-24 22:06:49 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2018-02-25 19:50:23 +0100
commitba00c6b18ee2bf3bc100226ecc2e6bfd779eb482 (patch)
tree68d6f6f8326f332c8e212bed7b612bafd86a0ea3 /files
parenta57299feee1dcdb98df79b91b1822149bd337311 (diff)
files: add load balance example
Include this example file in the tarball on how to do load balancing with nftables, inspired from https://wiki.nftables.org Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'files')
-rwxr-xr-xfiles/examples/load_balancing.nft54
1 files changed, 54 insertions, 0 deletions
diff --git a/files/examples/load_balancing.nft b/files/examples/load_balancing.nft
new file mode 100755
index 00000000..2f03d272
--- /dev/null
+++ b/files/examples/load_balancing.nft
@@ -0,0 +1,54 @@
+#!/usr/sbin/nft -f
+
+# This example file shows how to implement load balancing using the nftables
+# framework.
+# This script is meant to be loaded with `nft -f <file>`
+# You require linux kernel >= 4.12 and nft >= 0.7
+# For up-to-date information please visit https://wiki.nftables.org
+
+flush ruleset
+
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority -300;
+ # round-robing load balancing between the 2 IPv4 addresses:
+ dnat to numgen inc mod 2 map {
+ 0 : 192.168.10.100, \
+ 1 : 192.168.20.200 }
+ # emulate flow distribution with different backend weights using intervals:
+ dnat to numgen inc mod 10 map {
+ 0-5 : 192.168.10.100, \
+ 6-9 : 192.168.20.200 }
+ # tcp port based distribution is also possible:
+ ip protocol tcp dnat to 192.168.1.100 : numgen inc mod 2 map {
+ 0 : 4040 ,\
+ 1 : 4050 }
+ # consistent hash-based distribution:
+ dnat to jhash ip saddr . tcp dport mod 2 map {
+ 0 : 192.168.20.100, \
+ 1 : 192.168.30.100 }
+ }
+}
+
+table ip raw {
+ chain prerouting {
+ type filter hook prerouting priority -300;
+ # using stateless NAT, round-robing distribution (you could use hashing too):
+ tcp dport 80 notrack ip daddr set numgen inc mod 2 map { 0 : 192.168.1.100, 1 : 192.168.1.101 }
+ }
+}
+
+table netdev mytable {
+ chain ingress {
+ # mind the NIC devices, they must exist in the system
+ type filter hook ingress device eth0 priority 0;
+ # using Direct Server Return (DSR), connectionless approach:
+ udp dport 53 ether saddr set aa:bb:cc:dd:ff:ee ether daddr set numgen inc mod 2 map {
+ 0 : aa:aa:aa:aa:aa:aa,
+ 1 : bb:bb:bb:bb:bb:bb } fwd to eth1
+ # using Direct Server Return (DSR), connection-oriented flows:
+ tcp dport 80 ether saddr set aa:bb:cc:dd:ff:ee ether daddr set jhash ip saddr . tcp sport mod 2 map {
+ 0 : aa:aa:aa:aa:aa:aa,
+ 1 : bb:bb:bb:bb:bb:bb } fwd to eth1
+ }
+}