Date: Sun, 2 Apr 2006 17:49:42 +0200
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Cc: Kostas Zorbadelos <kzorba@otenet.gr>
Subject: Re: Address pools and load balancing issues
Message-ID: <200604021749.48171.max@love2party.net>
In-Reply-To: <20060402082519.GA25134@enigma.otenet.gr>
References: <20060402082519.GA25134@enigma.otenet.gr>
On Sunday 02 April 2006 10:25, Kostas Zorbadelos wrote:
> Hello to everyone.
> I am a newcomer to the list. I am evaluating the pf packet filter for
> a few months now and I like very much what I see. I have a few
> questions regarding address pools and load balancing. In the relevant
> documentation [1] it is explicitly mentioned that methods other than
> round-robin (bitmask, random, source-hash) work only if the address
> pool is expressed as a CIDR network block. Also, if the address pool
> is expressed as a table, then the only method allowed is round-robin.
> In my setup this is a problem, since I have a pool of WWW servers and
> I need the source-hash load balancing method where a specific client
> connects to the same web server (that has its http session for
> instance). My pool of servers is not in a continuous network block, so
> it cannot be expressed in a CIDR notation. Is there a way to overcome
> this limitation? (sticky-address is not an option since it works only
> as long as there are states for a client's connections)
> Will these restrictions go away in a next version of pf? Ideally, I
> would like to express all my pools as tables and have all the
> different algorithms for load balancing available.

The problem is what does bitmask or source-hash mean for a table? What do you
apply the bitmask to? What do you hash to? The other problem is the internal
organization of tables that is optimized for lookups and doesn't work as a
list or array which is required for hashing. A solution would be to have real
address lists, but I doubt that will happen any time soon.

As for a workaround solution for you: sticky-address works also without
states, provided you set a reasonable value for "set timeout source-track" as
described in pf.conf(5). Another option is to just make your webserver into a
continuous netblock via rdr/binat rules. You should be able to map them into a
private netblock and can then apply source-hash load-balancing to that. Of
course there is overhead associated with that as well. It really depends on
your use case which is the most workable solution.

> Thanks in advance and congratulations to all the people involved in pf
> for the great work.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
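
Added example, not part of the original message and not pf code: a small Python model of why source-hash wants a contiguous block (the hash only has to fill the host bits of one prefix) and how the remapping workaround described in the reply fits on top of it. SHA-256, the key, the 10.99.0.0/30 block and all server addresses are constructed assumptions.

```python
import hashlib
import ipaddress


def source_hash_pick(client_ip, pool_cidr, key=b"constructed-key"):
    """Map a client address to one address inside a contiguous pool.

    Model of the idea only: keep the pool's network bits and fill the host
    bits from a keyed hash of the client address. SHA-256 stands in for
    pf's own hash function (assumption).
    """
    pool = ipaddress.ip_network(pool_cidr)
    src = ipaddress.ip_address(client_ip)
    digest = hashlib.sha256(key + src.packed).digest()
    host_bits = int.from_bytes(digest, "big") & int(pool.hostmask)
    return ipaddress.ip_address(int(pool.network_address) | host_bits)


# Constructed sample data. The real servers are scattered, so no single
# prefix covers them; each one is mapped one-to-one onto an address in a
# private /30, which is the role the rdr/binat rules play in the workaround.
PRIVATE_POOL = "10.99.0.0/30"
REAL_SERVERS = {
    "10.99.0.0": "192.0.2.10",
    "10.99.0.1": "198.51.100.7",
    "10.99.0.2": "203.0.113.25",
    "10.99.0.3": "192.0.2.200",
}


def backend_for(client_ip):
    """Return the real server a client lands on after both steps."""
    mapped = source_hash_pick(client_ip, PRIVATE_POOL)
    return REAL_SERVERS[str(mapped)]


if __name__ == "__main__":
    # Same client, same backend, with no state or source-tracking entry
    # needed: the choice is a pure function of the source address.
    for client in ("198.51.100.50", "198.51.100.50", "198.51.100.51"):
        print(client, "->", backend_for(client))
```

A table has no "host bits" to fill and no stable index to hash into, which is the obstacle the reply describes.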
