netfilter.vger.kernel.org archive mirror
* Round robin load balance to local port range
@ 2009-11-06 15:30 Kapetanakis Giannis
  2009-11-06 15:55 ` Patrick McHardy
  0 siblings, 1 reply; 4+ messages in thread
From: Kapetanakis Giannis @ 2009-11-06 15:30 UTC (permalink / raw)
  To: netfilter@vger.kernel.org

Hi all,

I'm trying to load balance (round robin) to multiple instances of openvpn
running locally in ports 9000-9004 without luck.

2.6.30.9-96.fc11 / iptables-1.4.3.1-1.fc11

For testing I tried first on the output chain to see if it works.

iptables -t nat -A OUTPUT -d 127.0.0.1 -m tcp -p tcp --dport 8000 -j DNAT --to-destination :9000-9004
iptables -t filter -I INPUT 1 -m tcp -p tcp --dport 9000:9004 -j LOG

telnet 127.0.0.1 8000
telnet 127.0.0.1 8000
telnet 127.0.0.1 8000

Nov  6 17:27:20 localhost kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=37697 DF PROTO=TCP SPT=35462 DPT=9000 WINDOW=32792 RES=0x00 SYN URGP=0
Nov  6 17:27:21 localhost kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=30693 DF PROTO=TCP SPT=35463 DPT=9000 WINDOW=32792 RES=0x00 SYN URGP=0
Nov  6 17:27:22 localhost kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=12621 DF PROTO=TCP SPT=35464 DPT=9000 WINDOW=32792 RES=0x00 SYN URGP=0


As you can see all connections are natted but only port 9000 is being 
used from the range.

I also tried with redirect
iptables -t nat -A OUTPUT -d 127.0.0.1 -m tcp -p tcp --dport 8000 -j REDIRECT --to-ports 9000-9004
or even
iptables -t nat -A OUTPUT -d 127.0.0.1 -m tcp -p tcp --dport 8000 -j DNAT --to-destination 127.0.0.1:9000-9004

same results, only port 9000.

According to the man page:

       In Kernels up to 2.6.10 you can add several --to-destination options.
       For those kernels, if you specify more than one destination address,
       either via an address range or multiple --to-destination options, a
       simple round-robin (one after another in cycle) load balancing takes
       place between these addresses. Later Kernels (>= 2.6.11-rc1) don't
       have the ability to NAT to multiple ranges anymore.

Either the kernel is doing some kind of hashing based on my src-ip instead 
of round-robin, or the last phrase should read "to ranges anymore" instead 
of "multiple ranges anymore".

I'm using a single range (ports 9000-9004) thus not multiple ranges.

Am I doing something wrong here or is it something I don't get?

best regards,

Giannis



* Re: Round robin load balance to local port range
  2009-11-06 15:30 Round robin load balance to local port range Kapetanakis Giannis
@ 2009-11-06 15:55 ` Patrick McHardy
  2009-11-06 16:07   ` Kapetanakis Giannis
  0 siblings, 1 reply; 4+ messages in thread
From: Patrick McHardy @ 2009-11-06 15:55 UTC (permalink / raw)
  To: Kapetanakis Giannis; +Cc: netfilter@vger.kernel.org

Kapetanakis Giannis wrote:
> I'm trying to load balance (round robin) to multiple instances of openvpn
> running locally in ports 9000-9004 without luck.
> 
> 2.6.30.9-96.fc11 / iptables-1.4.3.1-1.fc11
> 
> For testing I tried first on the output chain to see if it works.
> 
> iptables -t nat -A OUTPUT -d 127.0.0.1 -m tcp -p tcp --dport 8000 -j DNAT --to-destination :9000-9004
> iptables -t filter -I INPUT 1 -m tcp -p tcp --dport 9000:9004 -j LOG
> 
> telnet 127.0.0.1 8000
> telnet 127.0.0.1 8000
> telnet 127.0.0.1 8000
> 
> ...
> 
> As you can see all connections are natted but only port 9000 is being
> used from the range.
> 
> I also tried with redirect
> iptables -t nat -A OUTPUT -d 127.0.0.1 -m tcp -p tcp --dport 8000 -j REDIRECT --to-ports 9000-9004
> or even
> iptables -t nat -A OUTPUT -d 127.0.0.1 -m tcp -p tcp --dport 8000 -j DNAT --to-destination 127.0.0.1:9000-9004
> 
> same results, only port 9000.
> 
> According to the man page:
> 
>        In Kernels up to 2.6.10 you can add several --to-destination options.
>        For those kernels, if you specify more than one destination address,
>        either via an address range or multiple --to-destination options, a
>        simple round-robin (one after another in cycle) load balancing takes
>        place between these addresses. Later Kernels (>= 2.6.11-rc1) don't
>        have the ability to NAT to multiple ranges anymore.
> 
> Either the kernel is doing some kind of hashing based on my src-ip instead
> of round-robin, or the last phrase should read "to ranges anymore" instead
> of "multiple ranges anymore".
> 
> I'm using a single range (ports 9000-9004) thus not multiple ranges.
> 
> Am I doing something wrong here or is it something I don't get?

The manpage is incorrect (patches welcome :), it will use the first
port as long as the tuples don't clash. The --random option can be
used to randomly select a port from the range.


* Re: Round robin load balance to local port range
  2009-11-06 15:55 ` Patrick McHardy
@ 2009-11-06 16:07   ` Kapetanakis Giannis
  2009-11-06 16:16     ` Patrick McHardy
  0 siblings, 1 reply; 4+ messages in thread
From: Kapetanakis Giannis @ 2009-11-06 16:07 UTC (permalink / raw)
  To: netfilter@vger.kernel.org

On 06/11/09 17:55, Patrick McHardy wrote:
> The manpage is incorrect (patches welcome :), it will use the first
> port as long as the tuples don't clash. The --random option can be
> used to randomly select a port from the range.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>    

--random does the job both for DNAT and REDIRECT
I guess random is better than nothing :)

Just for clarification: the state of the packet will be remembered right?
I don't want to send it first to one port and later to another.

regards and thanks for the quick answer

Giannis

ps. I found another bug
--random in DNAT has to be put at the end of the rule
otherwise if you put it before --to-destination
error: "Multiple --to-destination not supported"


* Re: Round robin load balance to local port range
  2009-11-06 16:07   ` Kapetanakis Giannis
@ 2009-11-06 16:16     ` Patrick McHardy
  0 siblings, 0 replies; 4+ messages in thread
From: Patrick McHardy @ 2009-11-06 16:16 UTC (permalink / raw)
  To: Kapetanakis Giannis; +Cc: netfilter@vger.kernel.org

Kapetanakis Giannis wrote:
> On 06/11/09 17:55, Patrick McHardy wrote:
>> The manpage is incorrect (patches welcome :), it will use the first
>> port as long as the tuples don't clash. The --random option can be
>> used to randomly select a port from the range.
> 
> --random does the job both for DNAT and REDIRECT
> I guess random is better that nothing :)
> 
> Just for clarification: the state of the packet will be remembered right?
> I don't want to send it first to one port and later to another.

Correct.

> ps. I found another bug
> --random in DNAT has to be put at the end of the rule
> otherwise if you put it before --to-destination
> error: "Multiple --to-destination not supported"

Thanks, fixed in git.

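The port-selection behaviour Patrick describes in his first reply (the first port of the range is used unless the translated tuple would clash with an existing one; --random picks a starting point in the range instead) and the conntrack point confirmed in his last reply (a connection keeps the port chosen for its first packet), modelled in Python. This is an added example, not code from the netfilter project or from either poster: the names NatTable, Tuple, three_telnets, clash_demo and same_flow_keeps_mapping are chosen here, a seeded PRNG stands in for the kernel's hash-derived --random start offset, and the sample tuples are constructed from the source ports shown in the posted LOG lines.

```python
"""Model of the NAT port selection discussed in this thread (added example,
not netfilter code).  A DNAT/REDIRECT rule with a port range 9000-9004 does
not round-robin: it hands out the first port of the range unless the
translated tuple would collide with a tuple already owned by another
connection, and only then walks on to the next port.  --random starts the
walk at a random position instead.  Conntrack then pins every packet of a
connection to the port chosen for its first packet.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Tuple:
    """Original-direction 4-tuple of a TCP connection (ports as ints)."""
    src: str
    sport: int
    dst: str
    dport: int


class NatTable:
    """Simplified DNAT mapper for one port range (names are ours, not the
    kernel's).  self.used holds translated tuples already owned by some
    connection; self.conntrack maps original tuples to their chosen port."""

    def __init__(self, lo, hi, randomize=False, seed=0):
        self.lo, self.hi = lo, hi
        self.randomize = randomize
        # Stand-in for the kernel's hashed --random start offset (assumption).
        self.rng = random.Random(seed)
        self.conntrack = {}
        self.used = set()

    def add_existing(self, src, sport, dst, dport):
        """Register a connection that already exists, e.g. a client that
        connected straight to port 9000 without passing the DNAT rule."""
        self.used.add((src, sport, dst, dport))

    def _unique_port(self, t):
        size = self.hi - self.lo + 1
        start = self.rng.randrange(size) if self.randomize else 0
        for i in range(size):
            port = self.lo + (start + i) % size
            if (t.src, t.sport, t.dst, port) not in self.used:
                return port
        raise RuntimeError("no free port in range for %r" % (t,))

    def translate(self, t):
        """Return the destination port for this packet's connection."""
        if t in self.conntrack:            # not the first packet: keep mapping
            return self.conntrack[t]
        port = self._unique_port(t)
        self.conntrack[t] = port
        self.used.add((t.src, t.sport, t.dst, port))
        return port


def three_telnets(randomize=False, seed=1):
    """Three fresh 'telnet 127.0.0.1 8000' connections.  Source ports are the
    ones from the posted LOG lines; all differ, so nothing clashes and the
    non-random rule returns 9000 every time."""
    nat = NatTable(9000, 9004, randomize, seed)
    return [nat.translate(Tuple("127.0.0.1", sp, "127.0.0.1", 8000))
            for sp in (35462, 35463, 35464)]


def clash_demo():
    """A tuple clash is the only thing that moves the non-random rule off
    the first port: here 127.0.0.1:35462 already talks to :9000 directly,
    so a DNATed connection from the same source port is pushed to 9001."""
    nat = NatTable(9000, 9004)
    nat.add_existing("127.0.0.1", 35462, "127.0.0.1", 9000)
    return nat.translate(Tuple("127.0.0.1", 35462, "127.0.0.1", 8000))


def same_flow_keeps_mapping(seed=3):
    """With --random the first packet picks a port; every later packet of the
    same connection is translated to that same port by conntrack."""
    nat = NatTable(9000, 9004, randomize=True, seed=seed)
    t = Tuple("10.0.0.5", 40000, "10.0.0.1", 8000)  # constructed sample flow
    first = nat.translate(t)
    return all(nat.translate(t) == first for _ in range(10))


if __name__ == "__main__":
    print("no --random:", three_telnets())
    print("--random:   ", three_telnets(randomize=True))
    print("clash:      ", clash_demo())
    print("sticky:     ", same_flow_keeps_mapping())
```

The model deliberately ignores conntrack entry expiry and the exact hash the kernel feeds into --random; what it reproduces is the property that matters for the thread: without --random every new connection whose tuple is unique lands on the first port, so a port range alone gives no spreading, and with --random the spread is statistical rather than a guaranteed rotation, while conntrack keeps each established connection on the port it started with.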
