Load Balancing under Linux (suggestion)

Gerald Combs gerald at ethereal.com
Fri Apr 26 19:19:04 CDT 2002


On Fri, 26 Apr 2002, david nicol wrote:

> So we know from experience that the connections already tracked by
> ip_conntrack will not survive a change in rules?  That's really the
> question I'm asking.  I had the impression that the nat table was
> responsible for setting up the connection tracking stuff and then
> the connection tracking stuff operates on non-SYN packets without
> consulting the rules.

Thanks - I didn't know such a thing as "ip_conntrack" existed in the
ipchains code.  In order for this to work, ip_conntrack would have to
track the inside address/port, border address/port or interface, and
destination address/port in its translation table.  I glanced through the
ip_conntrack code on lxr.linux.no and didn't find any signs of it doing
that - it only appears to track source and destination information.  I may
not have looked hard enough, however.

Could someone who has a system running iptables with NAT cat
/proc/net/ip_conntrack and tell me what information is displayed?

FWIW, 'ipnat -l' on my BSD box shows inside, border, and destination data,
so this may be possible with ipfilter.

> I wonder if iptables could be asked to examine the destination address
> and choose one interface or the other depending on the lowest bit in
> the IP?  That would be a static mapping that would even out with a lot
> of traffic

This is similar to the ipfilter trick I posted recently, pointing traffic
destined for 0.0.0.0/1 (the first half of the IPv4 address space) to one
interface and 128.0.0.0/1 (the second half) to another. The problem is
that it's hard to tune, e.g. it's a pain if you want a 35/65 split in
traffic.  It also doesn't provide failover.

I'd like to see enhancements made to ipchains, ipfilter (or even squid)
that let you dynamically control the "preferred" interface for new
connections.  You could write a daemon that actively or passively checked
the health of each connection, and steered outbound traffic appropriately.

At that point you could provide the user with a nice wizard featuring a
slider with "Cable" on one side and "DSL" on the other, and a checkbox
labelled "Automatic".  :)
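Added example, not part of the original message or of this thread: the post asks what /proc/net/ip_conntrack shows and whether the inside, border and destination endpoints of a NAT'd connection are all recorded. In the 2.4 ip_conntrack format each entry carries two address/port tuples, the original direction (the packet that created the entry) and the reply direction (what a reply is expected to look like, after translation), so the translated endpoints are on the same line. The parser below runs over constructed sample lines (made up for this example, using RFC 5737 documentation addresses) and derives the translation type and the inside/border/destination triple from the two tuples.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the /proc/net/ip_conntrack format of the Linux 2.4
# ip_conntrack module.  These lines are made up for this example; they are not
# from the original post.  Per line: proto, proto number, timeout, TCP state
# (tcp only), original-direction tuple, optional [UNREPLIED], reply-direction
# tuple, optional [ASSURED], use count.  198.51.100.2 plays the border address.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=80 src=203.0.113.5 dst=198.51.100.2 sport=80 dport=51234 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.1.11 dst=203.0.113.9 sport=40000 dport=443 src=203.0.113.9 dst=198.51.100.2 sport=443 dport=40000 [ASSURED] use=1
udp      17 29 src=192.168.1.12 dst=203.0.113.53 sport=5353 dport=53 [UNREPLIED] src=203.0.113.53 dst=198.51.100.2 sport=53 dport=5353 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.77 dst=198.51.100.2 sport=33000 dport=80 src=192.168.1.20 dst=203.0.113.77 sport=8080 dport=33000 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=198.51.100.2 dst=203.0.113.8 sport=22222 dport=22 src=203.0.113.8 dst=198.51.100.2 sport=22 dport=22222 [ASSURED] use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

Endpoint = Tuple[str, int]  # (address, port)


@dataclass(frozen=True)
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Entry:
    proto: str
    timeout: int
    state: Optional[str]
    orig: Tuple4      # tuple of the packet that created the entry
    reply: Tuple4     # tuple a reply is expected to carry, after any NAT
    assured: bool
    unreplied: bool

    @property
    def nat(self) -> str:
        """Name the translation the entry records.

        Without NAT the reply tuple mirrors the original (reply.src is orig.dst,
        reply.dst is orig.src).  SNAT/masquerading rewrites the reply's
        destination; DNAT/port forwarding rewrites the reply's source."""
        snat = (self.reply.dst, self.reply.dport) != (self.orig.src, self.orig.sport)
        dnat = (self.reply.src, self.reply.sport) != (self.orig.dst, self.orig.dport)
        if snat and dnat:
            return "SNAT+DNAT"
        return "SNAT" if snat else "DNAT" if dnat else "none"


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one ip_conntrack line; returns None for lines without two
    address/port tuples (blank lines, icmp entries with type=/code=/id=)."""
    fields = line.split()
    if len(fields) < 4:
        return None
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None
    proto = fields[0]
    orig, reply = (Tuple4(s, d, int(sp), int(dp)) for s, d, sp, dp in tuples)
    return Entry(
        proto=proto,
        timeout=int(fields[2]),
        state=fields[3] if proto == "tcp" else None,
        orig=orig,
        reply=reply,
        assured="[ASSURED]" in fields,
        unreplied="[UNREPLIED]" in fields,
    )


def parse_conntrack(text: str) -> List[Entry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def translation_view(e: Entry) -> Tuple[Endpoint, Endpoint, Endpoint]:
    """Return (inside, border, destination) for a translated entry, the three
    pieces of information the message asks whether conntrack keeps."""
    kind = e.nat
    if kind == "SNAT":
        return ((e.orig.src, e.orig.sport), (e.reply.dst, e.reply.dport), (e.orig.dst, e.orig.dport))
    if kind == "DNAT":
        # Inside is the real server; border is the public address the client hit.
        return ((e.reply.src, e.reply.sport), (e.orig.dst, e.orig.dport), (e.orig.src, e.orig.sport))
    raise ValueError(f"entry records no simple translation: {kind}")


def nat_summary(text: str) -> Dict[str, int]:
    return dict(Counter(e.nat for e in parse_conntrack(text)))


if __name__ == "__main__":
    for e in parse_conntrack(SAMPLE_CONNTRACK):
        line = f"{e.proto:4} {e.state or '-':12} {e.nat:5}"
        if e.nat in ("SNAT", "DNAT"):
            inside, border, dest = translation_view(e)
            line += f" inside={inside[0]}:{inside[1]} border={border[0]}:{border[1]} dest={dest[0]}:{dest[1]}"
        print(line)
    print(nat_summary(SAMPLE_CONNTRACK))
```

The bracketed flags and the use= count are matched as whitespace-separated tokens rather than by position, since [UNREPLIED] sits between the two tuples only while no reply has been seen. The reply tuple is where the translated endpoints live: for a masqueraded flow its destination is the border address and port, so inside, border and destination are all recoverable from one entry, which is what the question in the message turns on.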
More information about the Kclug mailing list