From: Greg Panula
Reply-To: greg.panula@dolaninformation.com
Organization: Dolan Information Center Inc
Date: Thu, 20 Jun 2002 03:41:01 -0500
To: Randy Smith
Cc: "freebsd-stable@freebsd.org"
Subject: Re: IPFW as load balancer
Message-ID: <3D11951D.6FF10C28@dolaninformation.com>
References: <20020619075003.W6594-100000@stalker.amigo.net>

Randy Smith wrote:
>
> Hi all,
>
> I want to try to use IPFW to do load balancing for a transparent proxy
> cluster. My first idea was to do something like this:
>
> add prob .33 fwd ,3128 tcp from to any 80
> add prob .50 fwd ,3128 tcp from to any 80
> add fwd ,3128 tcp from to any 80
>
> But this won't work because the packets for one session will end up at
> different caches.
>
> Can keep-state and check-state be used to keep the packets flowing to the
> same cache? Is the prob option copied to dynamic rules?
>
> From sys/netinet/ip_fw.c:
>
> * There are some limitations with dynamic rules -- we do not
> * obey the 'randomized match',
>
> Glancing through ip_fw.c (specifically ip_fw_chk() and lookup_dyn_rule()),
> it appears that the probability is not checked/used for dynamic rules.
> (Which is probably what the comment above means.) So, if I have these
> rules
>
> add prob .33 fwd ,3128 tcp from 192.168.0.0/24 to any 80 keep-state
> add prob .50 fwd ,3128 tcp from 192.168.0.0/24 to any 80 keep-state
> add fwd ,3128 tcp from 192.168.0.0/24 to any 80 keep-state
>
> and ipfw gets a connection from e.g. 192.168.0.42 that hits the cacheA
> rule, does that mean ipfw would create the dynamic rule below?
>
> fwd ,3128 tcp from 192.168.0.42 to any 80
>
> If so, it seems to me that it would create a rule that would forward all
> of the packets from the client (192.168.0.42) to cacheA. Does this make
> sense or am I out in left field?
>
> Thanks for the input.

I think you're still going to run into session problem(s). The
interaction between the cache and the client is still basically request
a page, close the connection. The closing of the connection kills the
stateful rule. If the client is visiting a website that uses session
variables and the client's proxy server keeps changing there could be
problems... depends on how the website is keeping track of session
variables and/or if they are doing load-balancing based on the client's
IP address.

Just my two bits worth,
Greg
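
Added example (not part of the thread and not FreeBSD code): a small Python model of the three-rule prob chain and of the point made in the reply. It assumes placeholder cache names, since the archived rules do not show the forward addresses, and it assumes that keep-state pins one connection to a cache and that the state is gone once the connection closes.

```python
import random

# The thread's three-rule chain. Cache names are placeholders (assumption):
# the archived message does not show the forward addresses.
RULES = [(0.33, "cacheA"), (0.50, "cacheB"), (1.00, "cacheC")]

def effective_shares(rules=RULES):
    """Share of first-match traffic per rule: p_i times the chance of reaching it."""
    shares, remaining = {}, 1.0
    for prob, cache in rules:
        shares[cache] = remaining * prob
        remaining *= 1.0 - prob
    return shares

def pick_cache(rng, rules=RULES):
    """Evaluate the static rules top down, as a packet with no dynamic rule would be."""
    for prob, cache in rules:
        if rng.random() < prob:
            return cache
    raise ValueError("chain must end in an unconditional rule")

def simulate(clients, conns_per_client, pkts_per_conn, keep_state, seed=1):
    """Return (connections split across caches, clients seen by more than one cache)."""
    rng = random.Random(seed)
    split_conns, caches_by_client = 0, {}
    for client in clients:
        for _ in range(conns_per_client):
            dynamic = None           # modelled state: set on first match, gone at close
            used = set()
            for _ in range(pkts_per_conn):
                if keep_state and dynamic is not None:
                    cache = dynamic  # state hit: the prob rules are not re-evaluated
                else:
                    cache = pick_cache(rng)
                    dynamic = cache
                used.add(cache)
            split_conns += len(used) > 1
            caches_by_client.setdefault(client, set()).update(used)
    multi = sum(1 for caches in caches_by_client.values() if len(caches) > 1)
    return split_conns, multi

if __name__ == "__main__":
    clients = ["192.168.0.%d" % n for n in range(1, 11)]  # constructed sample clients
    print(effective_shares())
    print("no state  :", simulate(clients, 20, 10, keep_state=False))
    print("keep-state:", simulate(clients, 20, 10, keep_state=True))
```

In this model keep-state removes the split connections, but each client is still served by several caches across its successive connections, which is the session problem raised in the reply.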