author | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-08-26 14:41:41 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-08-29 20:30:28 +0200 |
commit | 13eeed6ea6f0a5d1353ee5ad14c4322695b4f59b (patch) | |
tree | dee935f0f40bb41399b8d5d0c8ab4f23e53fd7d3 /include/expression.h | |
parent | 1ed9a3726c01fda218f37b7f4555c8b7106521ef (diff) |
src: add numgen expression
This new expression allows us to generate incremental and random numbers
bound to a specified modulus value.
The following rule sets the conntrack mark of 0 to the first packet seen,
then 1 to second packet, then 0 again to the third packet and so on:
# nft add rule x y ct mark set numgen inc mod 2
A more useful example is a simple load balancing scenario, where you can
also use maps to set the destination NAT address based on this new numgen
expression:
# nft add rule nat prerouting \
dnat to numgen inc mod 2 map { 0 : 192.168.10.100, 1 : 192.168.20.200 }
So this is distributing new connections in a round-robin fashion between
192.168.10.100 and 192.168.20.200. Don't forget the special NAT chain
semantics: Only the first packet evaluates the rule, follow up packets
rely on conntrack to apply the NAT information.
You can also emulate flow distribution with different backend weights
using intervals:
# nft add rule nat prerouting \
dnat to numgen inc mod 10 map { 0-5 : 192.168.10.100, 6-9 : 192.168.20.200 }
So 192.168.10.100 gets 60% of the workload, while 192.168.20.200 gets 40%.
This can also be mixed with dynamic sets, so the weights can be updated at
runtime.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/expression.h')
-rw-r--r-- | include/expression.h | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/include/expression.h b/include/expression.h
index 6e5e835e..b6005ec3 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -33,6 +33,7 @@
  * @EXPR_UNARY: byteorder conversion, generated during evaluation
  * @EXPR_BINOP: binary operations (bitwise, shifts)
  * @EXPR_RELATIONAL: equality and relational expressions
+ * @EXPR_NUMGEN: number generation expression
  */
 enum expr_types {
 	EXPR_INVALID,
@@ -55,6 +56,7 @@ enum expr_types {
 	EXPR_UNARY,
 	EXPR_BINOP,
 	EXPR_RELATIONAL,
+	EXPR_NUMGEN,
 };
 
 enum ops {
@@ -170,6 +172,7 @@ enum expr_flags {
 
 #include <payload.h>
 #include <exthdr.h>
+#include <numgen.h>
 #include <meta.h>
 #include <ct.h>
 
@@ -277,6 +280,11 @@ struct expr {
 			enum nft_ct_keys key;
 			int8_t direction;
 		} ct;
+		struct {
+			/* EXPR_NUMGEN */
+			enum nft_ng_types type;
+			uint32_t mod;
+		} numgen;
 	};
 };
|
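Review bot: The new `numgen` member in the last hunk documents neither of its fields, and `mod` in particular needs its valid range stated: a modulus of 0 has no meaning for either the incremental or the random mode the commit message describes, so it should be rejected during evaluation rather than relying on the kernel to refuse it, which this hunk cannot show. A field comment such as `uint32_t mod; /* modulus applied to the generated value; 0 is invalid */` makes that contract visible to both the evaluator and the netlink delinearizer. The `/* EXPR_NUMGEN */` marker follows the convention of the neighbouring `ct` member, so only the per-field comments are missing. Where `enum nft_ng_types` comes from is not visible here; presumably the in-tree nf_tables UAPI header, as with `enum nft_ct_keys`. The enclosing `struct expr` and its union start and end outside the hunk.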