Address pools and load balancing issues
Max Laier
max at love2party.net
Sun Apr 2 15:50:45 UTC 2006
On Sunday 02 April 2006 10:25, Kostas Zorbadelos wrote:
> Hello to everyone.
> I am a newcomer to the list. I have been evaluating the pf packet filter for
> a few months now and I like very much what I see. I have a few
> questions regarding address pools and load balancing. In the relevant
> documentation [1] it is explicitly mentioned that methods other than
> round-robin (bitmask, random, source-hash) work only if the address
> pool is expressed as a CIDR network block. Also, if the address pool
> is expressed as a table, then the only method allowed is round-robin.
> In my setup this is a problem, since I have a pool of WWW servers and
> I need the source-hash load balancing method where a specific client
> connects to the same web server (that has its http session for
> instance). My pool of servers is not in a continuous network block, so
> it cannot be expressed in a CIDR notation. Is there a way to overcome
> this limitation? (sticky-address is not an option since it works only
> as long as there are states for a client's connections)
> Will these restrictions go away in a next version of pf? Ideally, I
> would like to express all my pools as tables and have all the
> different algorithms for load balancing available.
The problem is: what does bitmask or source-hash mean for a table? What do you
apply the bitmask to? What do you hash to? The other problem is the
internal organization of tables, which is optimized for lookups and doesn't
work as a list or array, which is required for hashing. A solution would be
to have real address lists, but I doubt that will happen any time soon.
As for a workaround solution for you: sticky-address also works without
states, provided you set a reasonable value for "set timeout source-track" as
described in pf.conf(5). Another option is to just make your webservers into
a continuous netblock via rdr/binat rules. You should be able to map them
into a private netblock and can then apply source-hash load-balancing to
that. Of course there is overhead associated with that as well. It really
depends on your use case which is the most workable solution.
> Thanks in advance and congratulations to all the people involved in pf
> for the great work.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
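A pf.conf sketch of the two workarounds described in the reply above, added here as an illustration; it is not part of the thread and not pf's own documentation. Interface names, addresses and the hash key are constructed placeholders. The step that puts each real server at an address inside the contiguous private block (the rdr/binat mapping the reply mentions) is assumed to already be in place and is not shown. Note that pf.conf(5) spells the source-tracking timeout `src.track`.

```conf
# Added example, not from the thread. Interface, addresses and key are
# constructed placeholders.
ext_if = "em0"
vip    = "203.0.113.10"          # public address the clients connect to

# --- Option 1: a table only allows round-robin, but sticky-address keeps
#     a client on "its" server, and a long src.track timeout keeps that
#     mapping alive after the client's own states have expired.
set timeout src.track 3600       # retain source-tracking entries for 1 hour

# Real web servers; not a contiguous block, so a table is the natural form.
table <webservers> { 10.0.1.7, 10.0.9.23, 10.0.14.200 }

rdr on $ext_if proto tcp from any to $vip port 80 \
    -> <webservers> round-robin sticky-address

# --- Option 2: source-hash requires a CIDR block, so the servers are
#     presented as one contiguous private block. Each real server is assumed
#     to be reachable at its address in this block (mapping not shown).
#     source-hash can select ANY address in the block, network and broadcast
#     address included, so every address here must lead to a live server.
#     A fixed key keeps client->server assignments stable across ruleset
#     reloads; without one pfctl picks a new random key on every load.
web_pool = "192.168.100.0/30"    # .0 .1 .2 .3: four slots, four servers

rdr on $ext_if proto tcp from any to $vip port 443 \
    -> $web_pool source-hash 0x0123456789abcdef0123456789abcdef

# Let the redirected traffic through to the backends.
pass in on $ext_if proto tcp from any to { <webservers>, $web_pool } \
    port { 80, 443 } flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. After some traffic, `pfctl -s Sources` lists the source-tracking entries that sticky-address relies on, so you can confirm that a client's entry survives past the lifetime of its states; `pfctl -s state` shows which backend each redirected connection actually landed on.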