Hello Everybody.
I have a small, yet relevant question regarding PF's load balancing
features. Today I run PF with load balacing in substitution for Layer 3
load balancer switches, in two type of scenarios, the very first where
applications share sessions and the other, where sessions are not shared.
My problem is...
Here is my enviroment
Basically the example enviroment is one server with PF and three Web
Servers which do not share their sessions:
table <lb> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }
rdr on xl0 inet proto tcp from any to IP_PUBLICO port 80 -> { <lb> }
round-robin sticky-address
pass in quick log on xl0 proto tcp from any to <lb> port 80 flags S/SA
modulate state (src.track 1800)
"stick-address" option makes PF always redirect a connection to a
server, it creates a entry in the "Source" table (source-track, which
can be seen with "pfctl -vs Source") and while this entry stills alive
it forwards every other request from the same IP address to this same
Web Server. By default, the entry is alive on "Source" untill the last
state is still alive.
To raise this value we need to set new limit to "src.track" (set timeout
src.track), I did this through the rule which allows the connection, as
you can see in the mentioned rule.
To make it short, PF will load balance connections among the servers on
<lb> table, and keep the same server to the same cliente up to 1800
seconds (30 minutes) after the last state was excluded.
My problem starts to happen now:
Everything above mentioned works perfectly, the issue starts when we
have to delete one IP from the load balance table. For example, if
10.0.0.2 server is down, I need to take it out of the balancing table:
pfctl -t lb -T del 10.0.0.2
In this case, technically load balancing will be kept only among the IPs
10.0.0.1 and 10.0.0.3, which are the only ones that still exists in the
<lb> table. But the problem is, even when the just deleted 10.0.0.2
server is not on <lb> anymore, clients requests/states which were in
"Source" before and that pointed 10.0.0.2, will still there, and
therefore redirections to 10.0.0.2 will continue to happen until
src.track expires (30 minutes in the mentioned situation), or when I do
"pfctl -F Source". But if I do the second approach, I will flush all my
references and sessions for this and all other source-tracks data in my
firewall.
Possible solutions I see:
The only solution I found was to change PF source code, where we could:
1) Create something similar to "pfctl -k" used for states, but "Source"
version of it.
In this case, to delete a server, we would do
pfctl -t lb -T del 10.0.0.2
pfctl -new -flag 10.0.0.2
2) Make sticky-address verify if the IP address is still in the load
balacing options (in this case, if it is on <lb> table still). This
second approach would (maybe) suffer from performance issues, since we
are adding a new check before stick-address handles the request.
Anyone has any better option?
Does any hacker have available time to do this?
Thank you a lot.
--
Diego Linke
Public Key: http://www.gamk.com.br/gamk.asc
