Address pools and load balancing issues

Max Laier max at
Sun Apr 2 15:50:45 UTC 2006

On Sunday 02 April 2006 10:25, Kostas Zorbadelos wrote:
> Hello to everyone.
> I am a newcomer to the list. I am evaluating the pf packet filter for
> a few months now and I like very much what I see. I have a few
> questions regarding address pools and load balancing. In the relevant
> documentation [1] it is explicitly mentioned that methods other than
> round-robin (bitmask, random, source-hash) work only if the address
> pool is expressed as a CIDR network block. Also, if the address pool
> is expressed as a table, then the only method allowed is round-robin.
> In my setup this is a problem, since I have a pool of WWW servers and
> I need the source-hash load balancing method where a specific client
> connects to the same web server (that has its http session for
> instance). My pool of servers is not in a continuous network block, so
> it cannot be expressed in a CIDR notation. Is there a way to overcome
> this limitation? (sticky-address is not an option since it works only
> as long as there are states for a client's connections)
> Will these restrictions go away in a next version of pf? Ideally, I
> would like to express all my pools as tables and have all the
> different algorithms for load balancing available.

The problem is what does bitmask or source-hash mean for a table?  What do you
apply the bitmask to?  What do you hash to?  The other problem is the
internal organization of tables that is optimized for lookups and doesn't
work as a list or array which is required for hashing.  A solution would be
to have real address lists, but I doubt that will happen any time soon.

As for a workaround solution for you.  sticky-address works also without
states, provided you set a reasonable value for "set timeout source-track" as
described in pf.conf(5).  Another option is to just make your webservers into
a continuous netblock via rdr/binat rules.  You should be able to map them
into a private netblock and can then apply source-hash load-balancing to
that.  Of course there is overhead associated with that as well.  It really
depends on your use case which is the most workable solution.

> Thanks in advance and congratulations to all the people involved in pf
> for the great work.

/"\  Best regards,                      | mlaier at
\ /  Max Laier                          | ICQ #67774661
 X  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
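A pf.conf fragment showing the sticky-address workaround from the reply above, added here as an illustration and not taken from the thread. The interface name and the server addresses are made up (RFC 5737 documentation ranges); the timeout option is spelled src.track in pf.conf(5), and the CIDR pool at the end is only there to contrast the source-hash form that tables cannot use.

```pf
# Constructed example: non-contiguous pool of web servers kept in a table
ext_if   = "em0"
ext_addr = "203.0.113.1"
table <www_pool> { 192.0.2.10, 198.51.100.20, 203.0.113.30 }

# Retain the client -> server mapping for an hour after the client's
# last state expires, so sticky-address survives idle periods.
set timeout src.track 3600

# Tables only allow round-robin; sticky-address makes it client-affine.
rdr on $ext_if proto tcp from any to $ext_addr port www \
    -> <www_pool> round-robin sticky-address

# Filter rule sees the already-translated destination (pre-4.7 pf order).
pass in on $ext_if proto tcp from any to <www_pool> port www \
    flags S/SA keep state

# For contrast: source-hash needs a CIDR block, not a table.
# rdr on $ext_if proto tcp from any to $ext_addr port www \
#     -> 10.10.10.0/29 source-hash

# Inspect the source-tracking entries that sticky-address creates:
#   pfctl -s Sources
```

Watch the entry count from `pfctl -s Sources` under load: each distinct client address holds an entry for the full src.track timeout, so a long timeout on a busy front end costs memory.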

More information about the freebsd-pf mailing list