Round robin load balance to local port range

Hi all,

I'm trying to load balance (round robin) to multiple instances of openvpn
running locally in ports 9000-9004 without luck.

2.6.30.9-96.fc11 / iptables-1.4.3.1-1.fc11

For testing I tried first on the output chain to see if it works.

iptables -t nat -A OUTPUT -d 127.0.0.1 -m tcp -p tcp --dport 8000 -j DNAT --to-destination :9000-9004
iptables -t filter -I INPUT 1 -m tcp -p tcp --dport 9000:9004 -j LOG

telnet 127.0.0.1 8000
telnet 127.0.0.1 8000
telnet 127.0.0.1 8000

Nov 6 17:27:20 localhost kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=37697 DF PROTO=TCP SPT=35462 DPT=9000 WINDOW=32792 RES=0x00 SYN URGP=0
Nov 6 17:27:21 localhost kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=30693 DF PROTO=TCP SPT=35463 DPT=9000 WINDOW=32792 RES=0x00 SYN URGP=0
Nov 6 17:27:22 localhost kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=12621 DF PROTO=TCP SPT=35464 DPT=9000 WINDOW=32792 RES=0x00 SYN URGP=0


As you can see, all connections are NATted, but only port 9000 is being used from the range.

I also tried with redirect
iptables -t nat -A OUTPUT -d 127.0.0.1 -m tcp -p tcp --dport 8000 -j REDIRECT --to-ports 9000-9004
or even
iptables -t nat -A OUTPUT -d 127.0.0.1 -m tcp -p tcp --dport 8000 -j DNAT --to-destination 127.0.0.1:9000-9004

same results, only port 9000.

According to the man page:

In Kernels up to 2.6.10 you can add several --to-destination options. For those kernels, if you specify more than one destination address, either via an address range or multiple --to-destination options, a simple round-robin (one after another in cycle) load balancing takes place between these addresses. Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore.

Either the kernel is doing some kind of hashing based on my src-ip instead of round-robin, or the last phrase should read "to ranges anymore" instead of "multiple ranges anymore".

I'm using a single range (ports 9000-9004), thus not multiple ranges.

Am I doing something wrong here or is it something I don't get?

best regards,

Giannis
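A check for the symptom described in this post, added here as an example and not part of the original message: it parses kernel LOG lines of the format shown above for DPT values inside the 9000-9004 range, counts SYNs only (one per connection), and reports how many distinct backend ports actually received connections. The three log lines are constructed to mirror the post's output; on a real box the same awk would be fed from the syslog file instead.

```shell
#!/bin/sh
# Constructed sample of the kernel LOG output shown in the post (three SYNs on lo),
# trimmed to the fields the check needs. On a live system feed the awk from e.g.
#   grep 'DPT=900[0-4]' /var/log/messages
SAMPLE_LOG='Nov 6 17:27:20 localhost kernel: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=TCP SPT=35462 DPT=9000 RES=0x00 SYN URGP=0
Nov 6 17:27:21 localhost kernel: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=TCP SPT=35463 DPT=9000 RES=0x00 SYN URGP=0
Nov 6 17:27:22 localhost kernel: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=TCP SPT=35464 DPT=9000 RES=0x00 SYN URGP=0'

# Print "port count" for every SYN logged toward the DNAT range 9000-9004.
# Only lines carrying the SYN flag are counted, so each connection is counted
# once rather than once per packet.
dpt_distribution() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        / SYN / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^DPT=/) {
                    p = substr($i, 5) + 0          # force numeric comparison
                    if (p >= 9000 && p <= 9004) seen[p]++
                }
        }
        END { for (p in seen) printf "%d %d\n", p, seen[p] }' | sort -n
}

# Number of distinct backend ports that received at least one connection.
# True round-robin over five ports would give 3 for three connections;
# the post's log gives 1, which is the reported symptom.
distinct_ports_hit() {
    dpt_distribution | wc -l | tr -d ' '
}

dpt_distribution
echo "distinct backend ports used: $(distinct_ports_hit) of 5"
```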
