Date: Thu, 31 May 2007 12:27:25 -0300 From: Patrick Tracanelli <eksffa@freebsdbrasil.com.br> To: ipfw@freebsd.org Subject: IPFW/natd/prob load balancing Message-ID: <465EE95D.70709@freebsdbrasil.com.br>
next in thread | raw e-mail | index | archive | help
Hello,
I have a friend who wishes very much to do load balancing with IPFW and
natd, and he doesnt want to do so using PF. Also, he needs arbitrary
balancing, not round-robin, but instead to choose "X%" for one link and
the rest to the other.
It cant be done for a number of reasons. First of, natd cant run
attached to more than one interface. Instead, we need to run natd(8)
instances, which are independent. If natd instances could work be aware
of each other, maybe a hacker could add the balancing feature to it.
So I decided to give ipfw+prob a try, and try to help him out. I could
get to some point, but got stucked, and cant help anymore. The
psuedo-firewall (just a fragment of rules) I am using is:
#
fw="/sbin/ipfw"
ife="vr0"
ife2="vr1"
ife2_gw="201.86.82.1"
ife2_me="201.86.82.2"
rede_i="10.84.0.0/16"
#
#
#
$fw -f flush
$fw add prob 0.3 divert 8669 tcp from $rede_i to any out via $ife setup
$fw add prob 0.3 divert 8669 tcp from $rede_i to any out via $ife not setup
$fw add prob 0.3 divert 8669 { udp or icmp } from $rede_i to any out via
$ife
$fw add fwd $ife2_gw all from $ife2_me to any out
$fw add divert 8669 all from any to any in via $ife2
$fw add divert 8668 tcp from $rede_i to any out via $ife setup
$fw add divert 8668 tcp from $rede_i to any out via $ife not setup
$fw add divert 8668 { udp or icmp } from $rede_i to any out via $ife setup
$fw add divert 8668 all from any to any in via $ife
And here the natd.conf:
instance default
unregistered_only yes
interface vr0
dynamic yes
use_sockets yes
same_ports yes
port 8668
instance link2
unregistered_only yes
interface vr1
dynamic yes
use_sockets yes
same_ports yes
port 8669
Why it wont work?
Because the "divert" stuff is per-packet, and not session aware. On the
other hand I can not use keep-state in a divert rule. Also, I think the
behavior of mixing keep-state and prob is not what we (I?) expect. I
tried using "tag" and "not diverted" somewhere to identify packets that
are already served from one link or the other, but no working idea
occurred me.
Maybe any hacker or more experienced person can have a good suggestion?
I tried to help out on this question because for me it was a proof of
concept that teorically (conceptually) it would be possible to balance
this way. In fact it is, it is working partially.
But sometime, earlier or later the connection gets dropped (it is when
prob does not apply, and the packet get diverted to another natd).
It doesnt work perfectly because of limitations of the tools or maybe I
am missing a good idea.
So, dont bother answering to point all the reasons why it wont work ;) I
am aware of all, also, I am aware of potential session issues (SSL
sites, etc), when PF for example has a "sticky-address" solution.
The think is, maybe there is an easy solution that a hacker may think
of, to allow natd or ipfw balancing outgoing sessions.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?465EE95D.70709>