Date:      Wed, 12 Apr 2006 19:23:55 -0300
From:      Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
To:        freebsd-ipfw@freebsd.org
Cc:        Bill Fumerola <billf@FreeBSD.org>
Subject:   Re: Load-balancing
Message-ID:  <443D7DFB.1090800@freebsdbrasil.com.br>
In-Reply-To: <443D7B71.5070004@freebsdbrasil.com.br>
References:  <20060411092932.42148fd8@giboia>	<20060412214619.GT9364@elvis.mu.org> <443D7B71.5070004@freebsdbrasil.com.br>

Patrick Tracanelli wrote:
> Bill Fumerola wrote:
> 
>> On Tue, Apr 11, 2006 at 09:29:32AM -0300, Gilberto Villani Brito wrote:
>>
>>> I would make load-balancing using ipfw, but I have 2 routers in the 
>>> same interface:
>>>
>>> FreeBSD (200.xxx.xxx.3) -------> GW1 (200.xxx.xxx.1) (63%)
>>>                            |--> GW2 (200.xxx.xxx.2) (33%)
>>>
>>> How can I make load-balancing using ipfw???
>>>
>>> I'm using pf (pass out on em0 route-to (em0 200.xxx.xxx.2) 
>>> round-robin from any to any keep state probability 33%), but I would 
>>> like use just one firewall.
>>
>>
>>
>> the same concept you're using applies to ipfw:
>>
>> # ipfw add prob 0.33 fwd 200.x.x.2 ip from any to any
>>
>> or if you have multiple interfaces:
>>
>> # ipfw add prob 0.33 fwd 200.x.x.2 ip from any to any xmit em0
>>
>> any laziness-induced syntax errors i've made notwithstanding those should
>> work fine. remember to compile IPFIREWALL_FORWARD and enable ip 
>> forwarding.
>>
>> -- bill
> 
> 
> Very nice.
> 
> How hard would it be to have "keep-state" working with "fwd" action?
> 
> Also, what about some sort of algorithm more similar to "plr" for "prob" 
> action? As my understanding prob is really a probability, which does not 
> mean say 33% of the packets will match (while plr says it will match - 
> and drop the packet), it means 33% of probability, right? This would be 
> different from 33% of matching rate. Let's think of a "rate" option for 
> "matching rate", a
> 
> ipfw add rate 0.33 fwd <next hop> tcp from <inet> to any xmit em0 setup 
> keep-state
> 
> keep-state in this case would make all other packets from the given 
> source IP to the given destination IP always get forwarded...
> 
> Because as I see (I may be wrong) the above example may break sessions, 
> right? Thinking on an https session, for example. Some packets would 
> match the prob, some other would not. So what do we get? Some packets 
> going out via link #1 and some other via link #2. The other end will not 
> know about the incoming packets from the other link.
> 
> The mentioned two features (which I have no idea how hard it would be to 
> add), a plr-like sort of "prob" and keeping FWD state, would solve the 
> problem, wouldn't it?
> 
> Also, I don't know what "probability" really means on PF. If it is really 
> probability or a "rate match" spec. Try to figure it out correctly, or 
> you might be doing the wrong thing...
> 

Well, I am sorry to read the code only after hitting the "send" button.

The code for prob and plr seems to be the same...

ip_dummynet.c:

if ( fs->plr && random() < fs->plr )
         goto dropit ;           /* random pkt drop                      */

ip_fw2.c:

case O_PROB:
         match = (random() < ((ipfw_insn_u32 *)cmd)->d[0]);
         break;

so again the question, is it really probability? I have no guarantee 
that, say "prob 0.33" or "plr 0.33" will really mean 33%, right? (hope 
wrong..)

-- 
Patrick Tracanelli

FreeBSD Brasil LTDA.
(31) 3281-9633 / 3281-3547
316601@sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
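
An added illustration (not part of the original message or of the FreeBSD source): a user-space simulation of the per-packet test quoted from ip_fw2.c, next to a decision drawn once per flow, which is what the "keep-state" idea in the message asks for. The xorshift generator standing in for random(), the 0x7fffffff scaling of the threshold, and the flow and packet counts are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#define FLOWS 1000          /* constructed sample size */
#define PKTS_PER_FLOW 20

static uint32_t rng_state;

/* Stand-in for random(): xorshift32 cut down to 0..0x7fffffff. */
static uint32_t rand31(void)
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state & 0x7fffffffu;
}

struct result { double gw2_fraction; int split_flows; };

/* sticky == 0: one independent draw per packet, as in the O_PROB case.
 * sticky != 0: draw once on the first packet of a flow and reuse it. */
static struct result simulate(double p, int sticky)
{
    uint32_t threshold = (uint32_t)(p * 0x7fffffff); /* assumed scaling */
    struct result r = { 0.0, 0 };
    long total = 0;
    rng_state = 2463534242u;              /* fixed seed, repeatable runs */
    for (int f = 0; f < FLOWS; f++) {
        int via_gw2 = 0, first = 0;
        for (int i = 0; i < PKTS_PER_FLOW; i++) {
            int m = (sticky && i > 0) ? first : (rand31() < threshold);
            if (i == 0)
                first = m;
            via_gw2 += m;
        }
        total += via_gw2;
        if (via_gw2 != 0 && via_gw2 != PKTS_PER_FLOW)
            r.split_flows++;              /* packets left via both gateways */
    }
    r.gw2_fraction = (double)total / (FLOWS * PKTS_PER_FLOW);
    return r;
}

int main(void)
{
    struct result a = simulate(0.33, 0), b = simulate(0.33, 1);
    printf("per-packet: %.3f via GW2, %d split flows\n", a.gw2_fraction, a.split_flows);
    printf("per-flow:   %.3f via GW2, %d split flows\n", b.gw2_fraction, b.split_flows);
    return 0;
}
```

In the per-packet run the share sent to the second gateway settles near the configured value over many packets, while almost every flow ends up with packets on both paths; the per-flow run keeps each flow on one gateway.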



