1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
|
table ip nftlb {
map filter-proto-services {
type inet_proto . ipv4_addr . inet_service : verdict
elements = { tcp . 192.168.105.189 . 80 : goto filter-newfarm }
}
map static-sessions-newfarm {
type ipv4_addr : mark
}
map persist-newfarm {
type ipv4_addr : mark
size 65535
timeout 2m
}
map nat-proto-services {
type inet_proto . ipv4_addr . inet_service : verdict
elements = { tcp . 192.168.105.189 . 80 : goto nat-newfarm }
}
map services-back-m {
type mark : ipv4_addr
}
chain filter {
type filter hook prerouting priority mangle; policy accept;
meta mark 0x00000000 meta mark set ct mark
ip protocol . ip daddr . th dport vmap @filter-proto-services
}
chain filter-newfarm {
tcp flags syn queue flags bypass to 0
ct mark set ip saddr map @static-sessions-newfarm accept
ct state new ct mark set ip saddr map @persist-newfarm
ct state new ct mark 0x00000000 ct mark set numgen inc mod 1 map { 0 : 0x00000001 }
ct mark != 0x00000000 update @persist-newfarm { ip saddr : ct mark }
}
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
ct state new meta mark 0x00000000 meta mark set ct mark
ip protocol . ip daddr . th dport vmap @nat-proto-services
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
ct mark 0x00000000 ct mark set meta mark
ct mark 0x80000000/1 masquerade
snat to ct mark map @services-back-m
}
chain nat-newfarm {
ip protocol tcp dnat ip to ct mark map { 0x00000001 : 192.168.0.151 . 8080 }
}
}
|
