From: Peter Rabbitson
Date: Wed, 30 May 2007 04:55:13 +0000
Subject: Re: [LARTC] Multihome load balancing - kernel vs netfilter
Message-Id: <465D03B1.3050204@rabbit.us>
References: <4647FA30.5040401@rabbit.us>
In-Reply-To: <4647FA30.5040401@rabbit.us>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Salim S I wrote:
>> -----Original Message-----
>> From: Luciano Ruete [mailto:luciano@lugmen.org.ar]
>> Sent: Wednesday, May 30, 2007 11:46 AM
>> To: Salim S I
>> Subject: Re: [LARTC] Multihome load balancing - kernel vs netfilter
>>
>> On Tuesday 29 May 2007 03:16:47 you wrote:
>>> None of the load balancing techniques I have come across seems to
>>> cover 'IP-Persistence'. For example, a session with several connections (for
>>> which no conntrack-helper modules exist), will have problems, as its
>>> connections will be routed through different WAN interfaces. Some
>>> servers are very particular about the source IP of the packets they
>>> receive. I suspect online gaming and instant messengers will have
>>> problems with load balancing. How is the experience of other people in
>>> here?
>>>
>>> A rewrite of 'recent' match to include both source and destination may
>>> turn out to be a solution, albeit with low performance. Any other
>>> ideas?
>>
>> In this same thread a CONNMARK solution was exposed, and this same
>> CONNMARK solution was openly discussed several times in this list.
>>
>> All the cases that you mention (online gaming, instant messenger) and
>> all others that you do not mention are solved by having a connection-aware
>> firewall, which is capable of routing over the same link packets that
>> belong to the same logical connection. This is achieved perfectly using
>> netfilter CONNMARK.
>>
>> Regards!

> Sorry, but it doesn't work that way.
> CONNMARK needs helper modules like the ones for FTP or H.323 to really
> know if connections belong to the same session. To cover all gaming and
> IM apps with their own helper modules is practically impossible. I remember
> even MSN has had problems (timeout every 5 mins), but it seems to have
> been fixed at the server level.
> Could you please point out if I have missed any open discussion in the
> list which covers these things?

Salim is correct, non-trackable protocols can be a major PITA. Actually I
discussed this earlier in the thread. Yes, kernel balancing due to caching
will alleviate this to a certain extent, but there will still be surprises
down the road, when a cache entry finally expires. Besides, caching blows
the entire balancing idea to bits if most users access primarily the same
resource over and over again (think of a popular internet radio station).

Furthermore neither route balancing nor the netfilter approach will be
effective for resources hosted over _multiple_ distinct IPs (AIM is a very
good example with separate authentication and data servers). This is where
the exception lists come into play, which I also discussed. If one still
wants to achieve pseudo balancing on the exempted destinations, it is still
possible with the excellent SAME patch which makes a NAT decision based
solely on an index derived from the size of the source pool to be NATted
divided by the number of NAT targets provided. Also note that as long as a
service uses a static range of ports, you do not even have to know all the
destination IP ranges in order to exempt it - simple port matching will do.

HTH
Peter
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
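The CONNMARK sticky-link setup Luciano refers to, combined with the port-based exemption Peter describes, as an added example that is not part of the thread or any list member's configuration; the interface names, gateway addresses and the 5000:5100 port range are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: sticky two-WAN balancing with
# netfilter CONNMARK plus a port-range exemption that pins a service to one
# link regardless of how many destination IPs it uses. Interface names,
# gateways and the port range are constructed placeholders. Prints the
# commands by default; set APPLY=1 to execute them on the router.

WAN1_IF=eth1; WAN1_GW=198.51.100.1   # constructed
WAN2_IF=eth2; WAN2_GW=203.0.113.1    # constructed
LAN_IF=eth0
PIN_PORTS=5000:5100                  # constructed static port range pinned to WAN1

gen_rules() {
    cat <<EOF
# one routing table per link, selected by firewall mark
ip route add default via $WAN1_GW dev $WAN1_IF table 101
ip route add default via $WAN2_GW dev $WAN2_IF table 102
ip rule add fwmark 0x1 table 101
ip rule add fwmark 0x2 table 102
# packets of an already-marked connection reuse its mark: same link for life
iptables -t mangle -A PREROUTING -i $LAN_IF -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i $LAN_IF -m mark ! --mark 0 -j ACCEPT
# exemption by port: every new connection to the range goes out WAN1
iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport $PIN_PORTS -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -i $LAN_IF -p udp --dport $PIN_PORTS -j MARK --set-mark 0x1
# remaining new connections alternate between the two links
iptables -t mangle -A PREROUTING -i $LAN_IF -m mark --mark 0 -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -i $LAN_IF -m mark --mark 0 -j MARK --set-mark 0x2
# remember the decision in conntrack so later packets of the flow follow it
iptables -t mangle -A PREROUTING -i $LAN_IF -j CONNMARK --save-mark
iptables -t nat -A POSTROUTING -o $WAN1_IF -j MASQUERADE
iptables -t nat -A POSTROUTING -o $WAN2_IF -j MASQUERADE
ip route flush cache
EOF
}

apply_rules() { gen_rules | sh -e; }

if [ "${APPLY:-0}" = 1 ]; then apply_rules; else gen_rules; fi
```

A service with known ports but many server addresses, like the AIM case above, is covered by the port rules alone; its connections never reach the alternating rule, so they all leave through the same link and the same NATted source address.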