On Sunday 02 April 2006 10:25, Kostas Zorbadelos wrote:
> Hello to everyone.
> I am a newcomer to the list. I am evaluating the pf packet filter for
> a few months now and I like very much what I see. I have a few
> questions regarding address pools and load balancing. In the relevant
> documentation [1] it is explicitly mentioned that methods other than
> round-robin (bitmask, random, source-hash) work only if the address
> pool is expressed as a CIDR network block. Also, if the address pool
> is expressed as a table, then the only method allowed is round-robin.
> In my setup this is a problem, since I have a pool of WWW servers and
> I need the source-hash load balancing method where a specific client
> connects to the same web server (that has its http session for
> instance). My pool of servers is not in a continuous network block, so
> it cannot be expressed in a CIDR notation. Is there a way to overcome
> this limitation? (sticky-address is not an option since it works only
> as long as there are states for a client's connections)
> Will these restrictions go away in a next version of pf? Ideally, I
> would like to express all my pools as tables and have all the
> different algorithms for load balancing available.

The problem is what does bitmask or source-hash mean for a table? What do you apply the bitmask to? What do you hash to? The other problem is the internal organization of tables that is optimized for lookups and doesn't work as a list or array which is required for hashing. A solution would be to have real address lists, but I doubt that will happen any time soon.

As for a workaround solution for you: sticky-address works also without states, provided you set a reasonable value for "set timeout source-track" as described in pf.conf(5). Another option is to just make your webserver into a continuous netblock via rdr/binat rules. You should be able to map them into a private netblock and can then apply source-hash load-balancing to that. Of course there is overhead associated with that as well. It really depends on your use case which is the most workable solution.

> Thanks in advance and congratulations to all the people involved in pf
> for the great work.

-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
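An added illustration, not part of the original message and not pf code: a Python model of the second workaround in the reply, where non-contiguous servers are mapped one-to-one onto a contiguous private block and a source hash selects a slot in that block. The addresses, the key, the function names and the use of SHA-256 as the hash are all assumptions made for the sketch.

```python
import hashlib
import ipaddress
from collections import Counter

# Constructed sample data: three web servers on non-contiguous addresses,
# each mapped one-to-one onto a slot of a contiguous private block.
VIRTUAL_BLOCK = ipaddress.ip_network("10.0.0.0/30")  # 4 contiguous slots
REAL_SERVERS = {
    "10.0.0.0": "192.0.2.10",
    "10.0.0.1": "198.51.100.7",
    "10.0.0.2": "203.0.113.25",
    "10.0.0.3": "192.0.2.10",  # a /30 has 4 slots, so one server is listed twice
}


def source_hash_pick(client_ip, block, key):
    """Select an address inside a CIDR block from a keyed hash of the client.

    The hash is reduced to the block's host bits and added to the network
    address. That arithmetic needs an indexable range, which is why a
    lookup-optimized table cannot serve as the pool.
    SHA-256 is a stand-in; it is not the hash pf uses.
    """
    digest = hashlib.sha256(key + ipaddress.ip_address(client_ip).packed).digest()
    host_bits = block.max_prefixlen - block.prefixlen
    offset = int.from_bytes(digest[:8], "big") & ((1 << host_bits) - 1)
    return str(block.network_address + offset)


def route(client_ip, key=b"constructed-key"):
    """Return (virtual slot, real server) for a client; no state is kept."""
    virtual = source_hash_pick(client_ip, VIRTUAL_BLOCK, key)
    return virtual, REAL_SERVERS[virtual]


def distribution(clients, key=b"constructed-key"):
    """Count how many clients land on each real server."""
    return Counter(route(c, key)[1] for c in clients)


if __name__ == "__main__":
    sample = ["198.18.%d.%d" % (i // 256, i % 256) for i in range(1024)]
    print(route("198.18.0.1"), route("198.18.0.1"))  # same server both times
    print(distribution(sample))  # the doubled server gets about half the clients
```

Because the block size must be a power of two, padding a three-server pool to four slots skews the load toward whichever server fills the spare slot.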
