From: Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
Organization: FreeBSD Brasil LTDA
Date: Wed, 12 Apr 2006 19:23:55 -0300
To: freebsd-ipfw@freebsd.org
Cc: Bill Fumerola
Subject: Re: Load-balancing
Message-ID: <443D7DFB.1090800@freebsdbrasil.com.br>
In-Reply-To: <443D7B71.5070004@freebsdbrasil.com.br>
References: <20060411092932.42148fd8@giboia> <20060412214619.GT9364@elvis.mu.org> <443D7B71.5070004@freebsdbrasil.com.br>

Patrick Tracanelli wrote:
> Bill Fumerola wrote:
>
>> On Tue, Apr 11, 2006 at 09:29:32AM -0300, Gilberto Villani Brito wrote:
>>
>>> I would like to make load-balancing using ipfw, but I have 2 routers on the
>>> same interface:
>>>
>>> FreeBSD (200.xxx.xxx.3) -------> GW1 (200.xxx.xxx.1) (63%)
>>>                                   |--> GW2 (200.xxx.xxx.2) (33%)
>>>
>>> How can I make load-balancing using ipfw???
>>>
>>> I'm using pf (pass out on em0 route-to (em0 200.xxx.xxx.2)
>>> round-robin from any to any keep state probability 33%), but I would
>>> like to use just one firewall.
>>
>> the same concept you're using applies to ipfw:
>>
>> # ipfw add prob 0.33 fwd 200.x.x.2 ip from any to any
>>
>> or if you have multiple interfaces:
>>
>> # ipfw add prob 0.33 fwd 200.x.x.2 ip from any to any xmit em0
>>
>> any laziness-induced syntax errors i've made notwithstanding those should
>> work fine. remember to compile IPFIREWALL_FORWARD and enable ip
>> forwarding.
>>
>> -- bill
>
> Very nice.
>
> How hard would it be to have "keep-state" working with "fwd" action?
>
> Also, what about some sort of algorithm more similar to "plr" for "prob"
> action? As I understand it, prob is really a probability, which does not
> mean say 33% of the packets will match (while plr says it will match -
> and drop the packet), it means a 33% probability, right? This would be
> different from a 33% matching rate. Let's think of a "rate" option for
> "matching rate", a
>
> ipfw add rate 0.33 fwd tcp from to any xmit em0 setup
> keep-state
>
> keep-state in this case would make all other packets from the given
> source IP to the given destination IP always get forwarded...
>
> Because as I see it (I may be wrong) the above example may break sessions,
> right? Thinking of an https session, for example. Some packets would
> match the prob, some others would not. So what do we get? Some packets
> going out via link #1 and some others via link #2. The other end will not
> know about the incoming packets from the other link.
>
> The mentioned two features (which I have no idea how hard it would be to
> add), a plr-like sort of "prob" and keeping FWD state, would solve the
> problem, wouldn't it?
>
> Also, I don't know what "probability" really means on PF. If it is really
> probability or a "rate match" spec. Try to figure it out correctly, or
> you might be doing the wrong thing...

Well, I am sorry to read the code only after hitting the "send" button.
The code for prob and plr seems to be the same...

ip_dummynet.c:

    if ( fs->plr && random() < fs->plr )
        goto dropit ;   /* random pkt drop */

ip_fw2.c:

    case O_PROB:
        match = (random()<((ipfw_insn_u32 *)cmd)->d[0]);
        break;

so again the question, is it really probability? I have no guarantee that,
say "prob 0.33" or "plr 0.33" will really mean 33%, right? (hope wrong..)

-- 
Patrick Tracanelli
FreeBSD Brasil LTDA.
(31) 3281-9633 / 3281-3547
316601@sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
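The two kernel fragments quoted above both compare a fresh random() against a fixed threshold on every packet, so "prob 0.33" is an independent per-packet trial rather than a guaranteed 33% match rate. The following simulation is an added example, not code from the thread or from FreeBSD: it models that per-packet test with a uniform draw in [0, 1), shows that the realized match rate only approaches 0.33 in aggregate (small batches scatter widely), and contrasts it with a per-flow decision of the kind a stateful fwd would give, counting how many sessions end up with packets on both gateways. The traffic (100 flows of 100 packets each) and the helper names are constructed for the example.

```python
import random
from collections import defaultdict

P_GW2 = 0.33  # the "prob 0.33" from the example rule in the thread


def seeded_rng(seed=1):
    """Deterministic RNG so the simulation is reproducible."""
    return random.Random(seed)


def prob_match(p, rng):
    """One independent trial, modelling the quoted tests
    (`random() < fs->plr` and `random() < d[0]`): the threshold is fixed
    and a new random number is drawn for every packet."""
    return rng.random() < p


def make_packets(flows, per_flow):
    """Constructed sample traffic: `flows` sessions, each sending
    `per_flow` packets, identified only by a flow number."""
    return [flow_id for flow_id in range(flows) for _ in range(per_flow)]


def _summarise(choices):
    """choices: list of (flow_id, gateway). Returns
    (fraction of packets sent to GW2, number of flows seen on both gateways)."""
    gw2 = sum(1 for _, gw in choices if gw == "GW2")
    seen = defaultdict(set)
    for flow_id, gw in choices:
        seen[flow_id].add(gw)
    split = sum(1 for gws in seen.values() if len(gws) == 2)
    return gw2 / len(choices), split


def per_packet_split(packets, p, rng):
    """Apply the prob/fwd rule to every packet independently, as the
    quoted O_PROB code does."""
    choices = [(f, "GW2" if prob_match(p, rng) else "GW1") for f in packets]
    return _summarise(choices)


def per_flow_split(packets, p, rng):
    """Decide once when a flow is first seen and reuse that decision for
    the rest of the flow (the behaviour a stateful fwd would give)."""
    decision = {}
    choices = []
    for f in packets:
        if f not in decision:
            decision[f] = "GW2" if prob_match(p, rng) else "GW1"
        choices.append((f, decision[f]))
    return _summarise(choices)


def realized_fraction_range(p, n, trials, rng):
    """Run `trials` batches of n packets through the per-packet test and
    return the lowest and highest fraction that actually matched."""
    fractions = []
    for _ in range(trials):
        hits = sum(1 for _ in range(n) if prob_match(p, rng))
        fractions.append(hits / n)
    return min(fractions), max(fractions)


if __name__ == "__main__":
    rng = seeded_rng(1)
    packets = make_packets(flows=100, per_flow=100)
    frac, split = per_packet_split(packets, P_GW2, rng)
    print(f"per-packet: {frac:.3f} to GW2, {split} of 100 flows split across both gateways")
    frac, split = per_flow_split(packets, P_GW2, rng)
    print(f"per-flow:   {frac:.3f} to GW2, {split} of 100 flows split across both gateways")
    lo, hi = realized_fraction_range(P_GW2, 10, 200, rng)
    print(f"10-packet batches: realized match rate ranged from {lo:.1f} to {hi:.1f}")
```

Over 10,000 packets the per-packet fraction lands close to 0.33, but every one of the 100 flows has packets on both gateways, which is the session-breaking behaviour the post worries about; the per-flow variant keeps each session on one gateway and still approximates the 33/67 split, only now at flow granularity. The 10-packet batches show why "prob 0.33" is not a rate guarantee for any individual short window.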