Load-balancing

Patrick Tracanelli eksffa at freebsdbrasil.com.br
Wed Apr 12 22:24:11 UTC 2006 

Patrick Tracanelli wrote:
> Bill Fumerola wrote:
> 
>> On Tue, Apr 11, 2006 at 09:29:32AM -0300, Gilberto Villani Brito wrote:
>>
>>> I would make load-balancing using ipfw, but I have 2 routers in the 
>>> same interface:
>>>
>>> FreeBSD (200.xxx.xxx.3) -------> GW1 (200.xxx.xxx.1) (63%)
>>>                            |--> GW2 (200.xxx.xxx.2) (33%)
>>>
>>> How can I make load-balancing using ipfw???
>>>
>>> I'm using pf (pass out on em0 route-to (em0 200.xxx.xxx.2) 
>>> round-robin from any to any keep state probability 33%), but I would 
>>> like use just one firewall.
>>
>>
>>
>> the same concept you're using applies to ipfw:
>>
>> # ipfw add prob 0.33 fwd 200.x.x.2 ip from any to any
>>
>> or if you have multiple interfaces:
>>
>> # ipfw add prob 0.33 fwd 200.x.x.2 ip from any to any xmit em0
>>
>> any laziness-induced syntax errors i've made notwithstanding those should
>> work fine. remember to compile IPFIREWALL_FORWARD and enable ip 
>> forwarding.
>>
>> -- bill
> 
> 
> Very nice.
> 
> How hard would it be to have "keep-state" working with "fwd" action?
> 
> Also, what about some sort of algorith more similar to "plr" for "prob" 
> action? As my understanding prob is really a probability, which does not 
> mean say 33% of the packets will match (while plr says it will match - 
> and drop the packet), it means 33% of probability, right? This would be 
> different of 33% of matching rate. Lets think of a "rate" option for 
> "matching rate", a
> 
> ipfw add rate 0.33 fwd <next hop> tcp from <inet> to any xmit em0 setup 
> keep-state
> 
> keep-state in this case would make all other packets from the given 
> source IP to the given destination IP always get forwarded...
> 
> Because as I see (I may be wrong) the above example may break sessions, 
> right? Thinking on an https session, for example. Some packets would 
> match the prob, some other would not. So what do we get? Some packets 
> going out via link #1 and some other via link #2. The other end will not 
> know about the incoming packets from the other link.
> 
> The mentioned two features (which I have no idea how hard it would be to 
> add), a plr-like sort of "prob" and keeping FWD state, would solve the 
> problem, wouldnt it?
> 
> Also, I dont know what "probability" really means on PF. If it is really 
> probability or a "rate match" spec. Try to figure it out correctly, or 
> you might be doing the wrong thing...
> 

Well, I am sorry to read the code only after hiting the "send" button.

The code for prob and plr seem to be the same...

ip_dummynet.c:

if ( fs->plr && random() < fs->plr )
         goto dropit ;           /* random pkt drop                      */

ip_fw2.c:

case O_PROB:
                      match = (random()<((ipfw_insn_u32 *)cmd)->d[0]);
                      break;

so again the question, is it really probability? I have no guarantee 
that, say "prob 0.33" or "plr 0.33" will really mean 33%, right? (hope 
wrong..)

-- 
Patrick Tracanelli

FreeBSD Brasil LTDA.
(31) 3281-9633 / 3281-3547
316601 at sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"

More information about the freebsd-ipfw mailing list