Re: [LARTC] Multihome load balancing - kernel vs netfilter

From: Peter Rabbitson <rabbit@rabbit.us>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Multihome load balancing - kernel vs netfilter
Date: Wed, 30 May 2007 04:55:13 +0000	[thread overview]
Message-ID: <465D03B1.3050204@rabbit.us> (raw)
In-Reply-To: <4647FA30.5040401@rabbit.us>

Salim S I wrote:
>> -----Original Message-----
>> From: Luciano Ruete [mailto:luciano@lugmen.org.ar] 
>> Sent: Wednesday, May 30, 2007 11:46 AM
>> To: Salim S I
>> Subject: Re: [LARTC] Multihome load balancing - kernel vs netfilter
>> 
>> On Tuesday 29 May 2007 03:16:47 you wrote:
>>> None of the load balancing techniques I have come across seems to
>> cover
>>> 'IP-Persistence'. For example, a session with several connections (for
>>> which no conntrack-helper modules exist), will have problems, as its
>>> connections will be routed through different WAN interfaces. Some
>>> servers are very particular about the source IP of the packets they
>>> receive. I suspect online gaming and instant messengers will have
>>> problems with load balancing. How is the experience of other people in
>>> here?
>>>
>>> A rewrite of 'recent' match to include both source and destination may
>>> turn out to be a solution, albeit with low performance. Any other
>> ideas?
>> 
>> In this same thread a CONNMARK solution was exposed, and this same
>> CONNMARK 
>> solution was openly discused several times in this list.
>> 
>> All the cases that you mention (online gamming, instant messenger) and
>> all 
>> other that you do not mention are solved having a connection-aware
>> firewall, 
>> which is capable to route over the same link packets that belongs to the
>> same 
>> logical connection, this is achived perfectly using netfilter CONNMARK. 
>> 
>> Regards!
> Sorry, but it doesn't work that way.
> CONNMARK needs helper modules like the ones for FTP or H.323 to really
> know if connections belong to the same session. To cover all gaming and
> IM apps with own helper modules is practically impossible. I remember
> even MSN have had problems (timeout every 5 mins), but it seems to have
> been fixed at the server level.
> Could you please point out if I had missed any open discussion in the
> list which covers these things?

Salim is correct, non-trackable protocols can be a major PITA. Actually 
I discussed this earlier in the thread. Yes, kernel balancing due to 
caching will alleviate this to a certain extent, but there will still be 
surprises down the road, when a cache entry finaly expires. Besides 
caching blows the entire balancing idea to bits if most users access 
primarily the same resource over and over again (think of a popular 
internet radio station). Furthermore neither route balancing nor the 
netfilter approach will be effective for resources hosted over 
_multiple_ distinct IPs (AIM is a very good example with separate 
authentication and data servers). This is where the exception lists come 
into play, which I also discussed. If one still wants to achieve pseudo 
balancing on the exempted destinations, it is still possible with the 
excellent SAME patch which makes a NAT decision based solely on an index 
derived fom the size of the source pool to be NATted divided by the 
number of NAT targets provided. Also note that as long as a service uses 
a static range of ports, you do not even have to know all the 
destination IP ranges in order to exempt it - simple port matching will do.

HTH

Peter

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc