What's the best cluster-scope IPAM to use with the bridge CNI? The host-local IPAM assigns a block of addresses to each node, which is not ideal for managing the cluster as a whole. Please include the network layout and CNI config in the answer.
user762750's questions
I was trying to make systemd-resolved act as a remote DNS caching server (I know it is not intended to do so). I changed net.ipv4.conf.br0.route_localnet to 1 and added the following nftables rules:
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 100; policy accept;
        iif "br0" udp dport 53 counter packets 6 bytes 366 dnat to 127.0.0.53
    }
    chain postrouting {
        type nat hook postrouting priority -100; policy accept;
        ip saddr 127.0.0.53 oif "br0" counter packets 0 bytes 0 snat to 192.168.1.2
    }
}
The prerouting rule seems to be working, as there are packets matching it. However, no packet leaves the host. What is the problem?
How can I redirect DNS requests from 192.168.1.0/24 to the systemd-resolved instance listening on 192.168.1.2's lo device with IP 127.0.0.53?
The current version of iptables only supports snat and dnat. Which type of NAT are they using? Fullcone NAT, Restricted Cone NAT, Port Restricted Cone NAT or Symmetric NAT? How can I tell iptables to use fullcone nat?
I have a Raspberry Pi router for me and my roommates. The bandwidth is divided as follows:
          1:0 (htb)
            |
          1:1 (16mbit/s)
         /          \
1:2 (8mbit/s)    1:ffff (8mbit/s)
If I add the filter with parent 1:0 (tc filter add dev wlan0 parent 1:0 protocol ip prio 1 handle 0x0002 fw flowid 1:2), it works like a charm. However, if I add the filter on class 1:1, the command doesn't report any errors, but there is no output from the tc filter show dev wlan0 command.
Questions:
1. Why didn't it work when I put the filter on 1:1?
2. Can I place the filters on subclasses like 1:1?
According to the manual pages:
HTB
    quantum
        how much bytes to serve from leaf at once {use r2q}
FQ_Codel
    quantum
        It is the number of bytes used as 'deficit' in the fair queuing algorithm. Default is set to 1514 bytes which corresponds to the Ethernet MTU plus the hardware header length of 14 bytes.
Questions:
1. Are they the same thing?
2. How do I configure them to achieve the best performance?
It seems Linux already has an nftables module, nf_xfrm, which contains some code about reqid; however, there is no description of it in the man page.
So, how do I translate the following command to nftables?
iptables -D FORWARD -s 10.0.0.1/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
There are two sets of modules in the Linux netfilter framework.
One has the nf prefix (e.g. nf_tables), the other the xt prefix (e.g. xt_ecn).
What is the difference between the two?
It's really painful to use nftables. I have an IPv4 table with an input chain in it.
table ip filter { # handle 7
    chain input { # handle 1
        type filter hook input priority 0; policy accept;
        ip daddr 192.168.0.102 counter packets 697173 bytes 850761603 # handle 5
        ip saddr 192.168.0.100 counter packets 38 bytes 4096 # handle 6
    }
}
But how can I reset the counter for handle 5?