Juan Carlos Lazcano <juan@xxxxxxxxxxxxxxxxxx> wrote:
> Hi netfilter community!
> I'm trying to orchestrate the generation and maintenance of thousands of
> dnat & snat rules in a stateless configuration within the prerouting and
> forward hooks with chain types of filter, and unfortunately am hitting a
> big performance barrier as a result. It's fine with a few thousand, but
> once we get into the tens of thousands of rules, things start slowing
> down linearly, which is why we would like to switch to maps. However, I
> cannot figure out 1) if maps are supported in filter chains within
> prerouting/forward hooks and 2) if it supports the syntax for stateless
> nat?
>
> For example:
>
> table ip mytable {
>         map dnat_map {
>                 type ipv4_addr : ipv4_addr
>         }
>         chain dnat {
>                 type filter hook prerouting priority raw; policy accept;
>         }
> }
>
> I normally generate stateless dnat's via:
>
> $ nft add rule ip mytable dnat ip daddr 100.101.84.137 counter ip daddr set 10.11.1.32 notrack comment "comment 1"
>
> But, let's say I want to try to replace this rule with a map. If I
> populate my map with a key pair like:
>
> $ nft add element ip mytable dnat_map { 100.101.84.137 : 10.11.33.32 }
>
> How can I represent my original rule using a map?

ip daddr set ip daddr map @dnat_map
~~~~~~~~     #######
|            \ The key to query the map for
|
\ What you want replaced

This rule is:

[ payload load 4b @ network header + 16 => reg 1 ]   # loads the key (second ip daddr).
[ lookup reg 1 set dnat_map dreg 1 0x0 ]             # queries map
[ payload write reg 1 => 4b @ network header + 16 csum_type 1 csum_off 10 csum_flags 0x1 ]   # Then places the result of the map at the location (first ip daddr).
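The reply above shows the single map-driven rule that replaces the per-address rules. The generator below is an added example, not code from the thread or from the nftables project: it takes a list of (public, internal) address pairs, emits the per-address rules from the question for comparison, and emits an nft ruleset file in which the same pairs live in the map and the chain carries one `ip daddr set ip daddr map @dnat_map` rule. The table, chain and map names are the ones from the thread; the sample pairs, the function names and the duplicate-key handling are assumptions. It also enforces the one check a practitioner hits when loading tens of thousands of elements: a map key can carry only one value, so two pairs that map the same public address to different internal addresses are rejected rather than silently overwritten.

```python
"""Generate an nft ruleset that replaces N stateless DNAT rules with one map rule.

Added example for the thread above; not the nftables project's own code.
"""
import ipaddress

# Names from the thread; the rest of this file is an assumption.
TABLE = "mytable"
CHAIN = "dnat"
MAP_NAME = "dnat_map"

# Constructed sample input: (public address, internal address).
# The last pair repeats the first one exactly and must be deduplicated.
SAMPLE_PAIRS = [
    ("100.101.84.137", "10.11.33.32"),
    ("100.101.84.138", "10.11.33.33"),
    ("100.101.84.137", "10.11.33.32"),
]


def per_address_rules(pairs, table=TABLE, chain=CHAIN):
    """The linear approach from the question: one rule per public address."""
    return [
        f"add rule ip {table} {chain} ip daddr {pub} counter "
        f"ip daddr set {internal} notrack"
        for pub, internal in pairs
    ]


def collapse_mappings(pairs):
    """Validate both sides as IPv4 and collapse into a key -> value dict.

    A map key can hold only one value, so an exact repeat is dropped but a
    conflicting repeat (same public address, different internal address) is
    an error: nft would reject the element, and a silent overwrite would
    rewrite traffic to the wrong host.
    """
    mapping = {}
    for pub, internal in pairs:
        key = ipaddress.IPv4Address(pub)      # raises ValueError on garbage
        value = ipaddress.IPv4Address(internal)
        if key in mapping and mapping[key] != value:
            raise ValueError(
                f"conflicting mapping for {key}: {mapping[key]} vs {value}")
        mapping[key] = value
    return mapping


def map_ruleset(pairs, table=TABLE, chain=CHAIN, map_name=MAP_NAME):
    """Return nft file text: the map with all elements plus the single rule.

    The rule keeps the counter and notrack from the original per-address
    rules. A packet whose daddr is not a key in the map fails the lookup,
    so the rule does not match it and its daddr is left untouched.
    """
    mapping = collapse_mappings(pairs)
    lines = [
        f"table ip {table} {{",
        f"\tmap {map_name} {{",
        "\t\ttype ipv4_addr : ipv4_addr",
    ]
    if mapping:  # an empty "elements = { }" literal is not accepted by nft
        elems = ",\n".join(f"\t\t\t{k} : {v}" for k, v in mapping.items())
        lines += ["\t\telements = {", elems, "\t\t}"]
    lines += [
        "\t}",
        f"\tchain {chain} {{",
        "\t\ttype filter hook prerouting priority raw; policy accept;",
        f"\t\tcounter ip daddr set ip daddr map @{map_name} notrack",
        "\t}",
        "}",
        "",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print("# per-address rules (linear):")
    for rule in per_address_rules(SAMPLE_PAIRS):
        print(rule)
    print("\n# map-driven ruleset:")
    print(map_ruleset(SAMPLE_PAIRS))
```

Write the generated text to a file and load it atomically with `nft -f file`; `nft -c -f file` parses and validates it without touching the kernel, which is the cheap way to catch a malformed element before a production reload.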