From 79a30d763ec45a23163ef84f9b45ed7e7dba1d21 Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko
Date: Wed, 29 Mar 2023 18:32:28 +0000
Subject: T4173: load-balancing wan replace some iptables-nft rules

There are some incompatibility with current version of kernel/nftables and work of 'iptables-nft' It cannot insert/delete new rules via 'iptables-nft' For example: table ip nat { chain VYOS_PRE_SNAT_HOOK { type nat hook postrouting priority srcnat - 1; policy accept; counter jump WANLOADBALANCE } chain WANLOADBALANCE { ct mark 0xc9 counter snat to 192.0.2.14 } } vyos@r14# sudo iptables-nft -t nat -I VYOS_PRE_SNAT_HOOK 1 -j WANLOADBALANCE iptables: No chain/target/match by that name. One mention that I know that it was working in 'VyOS 1.4-rolling-202302010317' Replace some 'iptables-nft' rules with eq nftables rules to return the basic ability to load-balance traffic.
---
 src/lbdecision.cc | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/lbdecision.cc b/src/lbdecision.cc
index 119d0de..ff27580 100644
--- a/src/lbdecision.cc
+++ b/src/lbdecision.cc
@@ -110,10 +110,10 @@ if so then this stuff goes here!
   string stdout;
   //set up special nat rules
   if (lbdata._disable_source_nat == false) {
-    execute(string("iptables-nft -t nat -N WANLOADBALANCE"), stdout);
-    execute(string("iptables-nft -t nat -F WANLOADBALANCE"), stdout);
-    execute(string("iptables-nft -t nat -D VYOS_PRE_SNAT_HOOK -j WANLOADBALANCE"), stdout);
-    execute(string("iptables-nft -t nat -I VYOS_PRE_SNAT_HOOK 1 -j WANLOADBALANCE"), stdout);
+    execute(string("nft add chain ip nat WANLOADBALANCE"), stdout);
+    execute(string("nft flush chain ip nat WANLOADBALANCE"), stdout);
+    execute(string("nft flush chain ip nat VYOS_PRE_SNAT_HOOK"), stdout);
+    execute(string("nft insert rule ip nat VYOS_PRE_SNAT_HOOK counter jump WANLOADBALANCE"), stdout);
   }
   //set up the conntrack table
   execute(string("iptables-nft -t raw -N WLB_CONNTRACK"), stdout);
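Review bot: The third added line, `nft flush chain ip nat VYOS_PRE_SNAT_HOOK`, empties the entire hook chain, whereas the removed `iptables-nft -t nat -D VYOS_PRE_SNAT_HOOK -j WANLOADBALANCE` deleted only the load balancer's own jump; any rule another component keeps in VYOS_PRE_SNAT_HOOK is silently dropped on every reconfiguration, and the shutdown hunk repeats the same flush. nftables cannot delete a rule by content, so the equivalent is to list the chain with handles (`nft -a list chain ip nat VYOS_PRE_SNAT_HOOK`), pick the line containing `jump WANLOADBALANCE`, and run `nft delete rule ip nat VYOS_PRE_SNAT_HOOK handle <handle from listing>`; alternatively leave the jump in place and only flush WANLOADBALANCE, since `nft add chain` succeeds when the chain already exists. Unlike iptables-nft, `nft add chain ip nat WANLOADBALANCE` and the `insert rule` line fail outright if the `ip nat` table or VYOS_PRE_SNAT_HOOK does not exist yet, and nothing in the visible lines inspects `stdout` or a result of execute(), so that failure is presumably silent. A comment on the first added line would make the precondition visible: `// requires table ip nat and chain VYOS_PRE_SNAT_HOOK to exist; nft does not create them on demand`. The enclosing function starts before this hunk.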
@@ -472,8 +472,9 @@ LBDecision::shutdown(LBData &data)
   }
   //clear out nat as well
-  execute("iptables-nft -t nat -F WANLOADBALANCE", stdout);
-  execute("iptables-nft -t nat -D VYOS_PRE_SNAT_HOOK -j WANLOADBALANCE", stdout);
+  execute("nft flush chain ip nat WANLOADBALANCE", stdout);
+  execute("nft delete chain ip nat WANLOADBALANCE", stdout);
+  execute("nft flush chain ip nat VYOS_PRE_SNAT_HOOK", stdout);
   //clear out conntrack hooks
   execute(string("iptables-nft -t raw -D PREROUTING -j WLB_CONNTRACK"), stdout);
-- 
cgit v1.2.3
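Review bot: The second added line, `nft delete chain ip nat WANLOADBALANCE`, runs while the `jump WANLOADBALANCE` rule in VYOS_PRE_SNAT_HOOK still references the chain; nftables refuses to delete a chain that is still a jump target (EBUSY, "Device or resource busy"), so the delete fails and the chain survives shutdown. The flush of VYOS_PRE_SNAT_HOOK on the third added line has to come first: `execute("nft flush chain ip nat VYOS_PRE_SNAT_HOOK", stdout);` then `execute("nft flush chain ip nat WANLOADBALANCE", stdout);` then `execute("nft delete chain ip nat WANLOADBALANCE", stdout);`. As in the setup hunk, the result of each execute() is not checked in the visible lines, so the failed delete would go unnoticed. LBDecision::shutdown continues outside this hunk.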