Hi,
If I recall correctly, slbd adds new rules to pf for each incoming
tcp session. Since I couldn't get it to work (old version) I do not
know what the session and Sources tables will look like, but I
suspect there will be no problems with them in slbd. Client-server
association is maintained by slbd and implemented with separate rules
for each tcp session.
This seems a bit ineffective and rather pointless since pf has the
load balancing functionality built in.
The problems with using pf and a health checking script is related to
removal of failed backends. There are two separate issues:
1) When using sticky-address in the rdr rules client-server
associations are added to the internal Sources table.
It is impossible to remove entries for a single backend from this
table. If a backend fails and is removed from the rdr destination
table this table will have to be flushed, making all clients end up on
new backends, which is unacceptable in many configurations.
If this table is not cleared then the rdr destination table is not
inspected for client IPs found in the Sources table. These clients
will still be sent to the failed and removed backend.
Preferably entries could be removed from this table based on
source-IP and backend-IP:backend-port, and maybe even the virtual
service IP:port or a pf rule number.
2) TCP sessions to a failed backend will continue to exist after the
backend is removed from the rdr destination table. As of today these
sessions can be removed with pfctl by specifying the source and
destination IP addresses. Since different services can run on
different port numbers on the same machines it should be possible to
specify a destination port number as well.
I guess that if a backend dies then the client is notified about this
just as if it had been speaking directly to the backend, so it might
not be necessary to clean out these sessions at all, and maybe even
the tcpdrop tool will do the trick?
Anyway, the main issue is with removing single sessions from the internal
Sources table (as it is called in pfctl(8)).
/Pete
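As an added example (not from the thread), here is the pf-only setup Pete contrasts with slbd, using constructed addresses and a hypothetical table name; the comments give the pfctl steps a health-check script would run when a backend fails, and show where the Sources table problem he describes appears.

```pf
# Added example with constructed addresses; <webpool> is a hypothetical table name.
ext_if = "em0"
vip    = "192.0.2.10"

# The health-check script maintains this table with
#   pfctl -t webpool -T add <ip>  /  pfctl -t webpool -T delete <ip>
table <webpool> persist { 10.0.0.11, 10.0.0.12, 10.0.0.13 }

# pf balances by itself. sticky-address pins each client source IP to the
# backend it first got, by recording the pair in the Sources table.
rdr on $ext_if proto tcp from any to $vip port 80 \
    -> <webpool> round-robin sticky-address

pass in on $ext_if proto tcp from any to <webpool> port 80 \
    flags S/SA keep state

# When 10.0.0.12 fails the script runs:
#   pfctl -t webpool -T delete 10.0.0.12
# New clients stop being sent there, but "pfctl -s Sources" still lists
# every client already pinned to 10.0.0.12 and those clients keep being
# redirected to it. The only per-backend remedy is "pfctl -F Sources",
# which unpins all clients from all backends (issue 1 in the mail).
# "pfctl -K <client>" removes one client's entry by source address only.
# Established states to the dead backend are killed per client with
#   pfctl -k <client> -k 10.0.0.12
# which takes addresses, not ports (issue 2 in the mail).
```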
On 22. okt. 2006, at 21.13, Kevin Reay wrote:
> On 10/22/06, Per-Olov Sjöholm <[EMAIL PROTECTED]> wrote:
> > Hi again
> > I am looking at the CVS. I can't see it's possible to, out of the
> > box, remove addresses from a round robin scheme in PF against a
> > faulty web server. Am I missing something?
> > But maybe I misunderstood Kevin Reay, who in this thread said:
> > "and it would automatically remove the address from a pf pool (and
> > optionally run a command) when a host failed."
> > Maybe I have to do some scripting after all...
>
> It can be a little confusing at first, but it makes a lot of sense
> once you understand it. The way I remember it, a person creates a
> config file for slbd that defines the various pools and their polling
> methods, and slbd creates the load balancing pools in pf at start-up
> automatically (in an anchored ruleset). Then it removes entries from
> those pools when a server goes down. So... no scripting required.
> Of course, Bill Marquette will probably have more knowledge/details
> about this than me...
> Kevin