Penned by Joerg Zinke on 20120103 14:42.08, we have:
| Hi,
| 
| On 03.01.2012 at 20:37, Sebastian Benoit <[email protected]> wrote:
| 
| > Daniel and I found a rather bizarre problem with round-robin tables in pf.
| >
| > We have a relayd setup with two webservers (IPs $A and $B). We observed that
| > when one of the webservers went down, so did the loadbalanced service (on IP
| > $C).
| >
| > We first noticed this in 2011-11 when deploying a pair of carped
| > loadbalancers (running current) and debugged and narrowed it down to this
| > case, independently reproducible without relayd:
| >
| > (pf.conf contains an anchor "relayd/*")
| >
| > $ cat /etc/pf.testrule
| > pass in quick on rdomain 0 inet proto tcp from any \
| >        to $C port = 80 flags S/SA \
| >        keep state (tcp.established 600) tag RELAYDHTTP \
| >        rdr-to <http_foo> port 80 round-robin prio 0
| >
| > $ pfctl -a relayd/http_foo -t http_foo -T add $A
| > $ pfctl -a relayd/http_foo -t http_foo -T add $B
| > $ pfctl -f /etc/pf.testrule  -a relayd/http_foo
| >
| > This results in a working loadbalanced setup:
| >
| > $ pfctl -a relayd/http_foo -t http_foo -T show
| > $A
| > $B
| >
| > Now consider the case where an IP is deleted from the table http_foo:
| >
| > $ pfctl -a relayd/http_foo -t http_foo -T delete $A
| >
| > or
| >
| > $ pfctl -a relayd/http_foo -t http_foo -T delete $B
| >
| > The bug triggers when this delete happens right after the _last_ redirection
| > address was $B, and $C becomes inaccessible.
| >
| > It is independent of which of the addresses gets deleted, but the output
| > _order_ of $A and $B when printing the table with "-T show" is important.
| 
| Can you confirm that this bug happens in a plain PF setup also (i.e. without
| relayd being involved)?

I can echo the above sentiments and confirm that independent of relayd this is
recreatable.  My magic workaround ended up putting an additional IP in the pool
for each host, thus the table is either 4 or 2, never 1.  Obviously round-robin
is broken when the table reaches 1 host, but someone other than me will be
needed to fix the code.
-- 
Todd Fries .. [email protected]

 _____________________________________________
|                                             \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
| 2525 NW Expy #525, Oklahoma City, OK 73112  \  sip:[email protected]
| "..in support of free software solutions."  \  sip:[email protected]
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
                                                 
              37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
                        http://todd.fries.net/pgp.txt
