Date: Wed, 12 Apr 2006 19:23:55 -0300
From: Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
To: freebsd-ipfw@freebsd.org
Cc: Bill Fumerola <billf@FreeBSD.org>
Subject: Re: Load-balancing
Message-ID: <443D7DFB.1090800@freebsdbrasil.com.br>
In-Reply-To: <443D7B71.5070004@freebsdbrasil.com.br>
References: <20060411092932.42148fd8@giboia> <20060412214619.GT9364@elvis.mu.org> <443D7B71.5070004@freebsdbrasil.com.br>

Patrick Tracanelli wrote:
> Bill Fumerola wrote:
>
>> On Tue, Apr 11, 2006 at 09:29:32AM -0300, Gilberto Villani Brito wrote:
>>
>>> I would make load-balancing using ipfw, but I have 2 routers in the
>>> same interface:
>>>
>>> FreeBSD (200.xxx.xxx.3) -------> GW1 (200.xxx.xxx.1) (63%)
>>>                            |--> GW2 (200.xxx.xxx.2) (33%)
>>>
>>> How can I make load-balancing using ipfw???
>>>
>>> I'm using pf (pass out on em0 route-to (em0 200.xxx.xxx.2)
>>> round-robin from any to any keep state probability 33%), but I would
>>> like use just one firewall.
>>
>>
>>
>> the same concept you're using applies to ipfw:
>>
>> # ipfw add prob 0.33 fwd 200.x.x.2 ip from any to any
>>
>> or if you have multiple interfaces:
>>
>> # ipfw add prob 0.33 fwd 200.x.x.2 ip from any to any xmit em0
>>
>> any laziness-induced syntax errors i've made notwithstanding those should
>> work fine. remember to compile IPFIREWALL_FORWARD and enable ip
>> forwarding.
>>
>> -- bill
>
>
> Very nice.
>
> How hard would it be to have "keep-state" working with "fwd" action?
>
> Also, what about some sort of algorithm more similar to "plr" for "prob"
> action? As my understanding prob is really a probability, which does not
> mean say 33% of the packets will match (while plr says it will match -
> and drop the packet), it means 33% of probability, right? This would be
> different of 33% of matching rate. Let's think of a "rate" option for
> "matching rate", a
>
> ipfw add rate 0.33 fwd <next hop> tcp from <inet> to any xmit em0 setup
> keep-state
>
> keep-state in this case would make all other packets from the given
> source IP to the given destination IP always get forwarded...
>
> Because as I see (I may be wrong) the above example may break sessions,
> right? Thinking on an https session, for example. Some packets would
> match the prob, some other would not. So what do we get? Some packets
> going out via link #1 and some other via link #2. The other end will not
> know about the incoming packets from the other link.
>
> The mentioned two features (which I have no idea how hard it would be to
> add), a plr-like sort of "prob" and keeping FWD state, would solve the
> problem, wouldn't it?
>
> Also, I don't know what "probability" really means on PF. If it is really
> probability or a "rate match" spec. Try to figure it out correctly, or
> you might be doing the wrong thing...
>

Well, I am sorry to read the code only after hitting the "send" button.
The code for prob and plr seem to be the same...

ip_dummynet.c:
        if ( fs->plr && random() < fs->plr )
                goto dropit ;   /* random pkt drop */

ip_fw2.c:
        case O_PROB:
                match = (random()<((ipfw_insn_u32 *)cmd)->d[0]);
                break;

so again the question, is it really probability? I have no guarantee
that, say "prob 0.33" or "plr 0.33" will really mean 33%, right? (hope
wrong..)

--
Patrick Tracanelli

FreeBSD Brasil LTDA.
(31) 3281-9633 / 3281-3547
316601@sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
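
As an added illustration, not part of the original message or of the FreeBSD source: a small C simulation of the per-packet test in the quoted O_PROB line, showing that the match rate approaches the configured value only on average, and that independent per-packet draws put packets of one flow on both gateways unless the first decision is remembered per flow. The xorshift generator standing in for random(), the scaling of 0.33 to the generator's range and the 20-packet flows are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's random(): xorshift32 reduced to 0..2^31-1. */
static uint32_t rng_state = 2463534242u;
static uint32_t prng31(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state >> 1;
}

/* Assumption: "prob p" is stored as p scaled to the generator's range. */
static uint32_t prob_threshold(double p) { return (uint32_t)(p * 0x7fffffff); }

/* Same comparison as the O_PROB line: one independent draw per packet. */
static int prob_match(uint32_t thr) { return prng31() < thr; }

/* Fraction of n packets that match the rule. */
double match_rate(double p, long n) {
    uint32_t thr = prob_threshold(p);
    long hits = 0;
    for (long i = 0; i < n; i++) hits += prob_match(thr);
    return (double)hits / n;
}

/* Fraction of flows (pkts packets each) whose packets use both gateways.
 * sticky = 0: every packet is drawn independently (plain "prob ... fwd").
 * sticky = 1: only the first packet is drawn and the flow reuses that
 *             choice, i.e. the per-flow state the message asks about. */
double split_flows(double p, int flows, int pkts, int sticky) {
    uint32_t thr = prob_threshold(p);
    int split = 0;
    for (int f = 0; f < flows; f++) {
        int first = prob_match(thr), mixed = 0;
        for (int k = 1; k < pkts; k++) {
            int gw = sticky ? first : prob_match(thr);
            if (gw != first) mixed = 1;
        }
        split += mixed;
    }
    return (double)split / flows;
}

int main(void) {
    printf("match rate, 1000 packets:     %.4f\n", match_rate(0.33, 1000));
    printf("match rate, 1000000 packets:  %.4f\n", match_rate(0.33, 1000000));
    printf("split flows, per-packet draw: %.4f\n", split_flows(0.33, 10000, 20, 0));
    printf("split flows, per-flow draw:   %.4f\n", split_flows(0.33, 10000, 20, 1));
    return 0;
}
```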