Re: Round robin load balance to local port range

Kapetanakis Giannis wrote:
> I'm trying to load balance (round robin) to multiple instances of openvpn
> running locally in ports 9000-9004 without luck.
> 
> 2.6.30.9-96.fc11 / iptables-1.4.3.1-1.fc11
> 
> For testing I tried first on the output chain to see if it works.
> 
> iptables -t nat -A OUTPUT -d 127.0.0.1 -m tcp -p tcp --dport 8000 \
>     -j DNAT --to-destination :9000-9004
> iptables -t filter -I INPUT 1 -m tcp -p tcp --dport 9000:9004 -j LOG
> 
> telnet 127.0.0.1 8000
> telnet 127.0.0.1 8000
> telnet 127.0.0.1 8000
> 
> ...
> 
> As you can see all connections are natted but only port 9000 is being
> used from the range.
> 
> I also tried with redirect
> iptables -t nat -A OUTPUT -d 127.0.0.1 -m tcp -p tcp --dport 8000 \
>     -j REDIRECT --to-ports 9000-9004
> or even
> iptables -t nat -A OUTPUT -d 127.0.0.1 -m tcp -p tcp --dport 8000 \
>     -j DNAT --to-destination 127.0.0.1:9000-9004
> 
> same results, only port 9000.
> 
> According to the man page:
> 
>     In Kernels up to 2.6.10 you can add several --to-destination
>     options. For those kernels, if you specify more than one
>     destination address, either via an address range or multiple
>     --to-destination options, a simple round-robin (one after
>     another in cycle) load balancing takes place between these
>     addresses. Later Kernels (>= 2.6.11-rc1) don’t have the ability
>     to NAT to multiple ranges anymore.
> 
> Either the kernel is doing some kind of hashing based on my src-ip
> instead of round-robin, or the last phrase should read "to ranges
> anymore" instead of "multiple ranges anymore".
> 
> I'm using a single range (ports 9000-9004) thus not multiple ranges.
> 
> Am I doing something wrong here or is it something I don't get?

The manpage is incorrect (patches welcome :), it will use the first
port as long as the tuples don't clash. The --random option can be
used to randomly select a port from the range.
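Added example, not part of the list post and not netfilter code: a small Python model of the port-selection rule the reply describes, so the "only port 9000" result can be reasoned about offline. Sequential selection scans the range from its first port and takes the first one whose translated tuple is not already in conntrack; since each new telnet gets a fresh ephemeral source port, no tuple ever clashes and 9000 always wins. With `--random` the scan starts at a random offset, which is what spreads connections over the range. The class and function names (`DnatRange`, `distribution`, `clash_demo`), the sample addresses and the "second rule also sends 8001 into the range" clash scenario are all constructed for the illustration; conntrack is reduced to a set of translated tuples. The practical change to the poster's rule is to append the target option, e.g. `-j DNAT --to-destination 127.0.0.1:9000-9004 --random`.

```python
"""Model of how netfilter picks a port from a DNAT/REDIRECT --to port range.

Illustration only, NOT kernel code: it reproduces the behaviour stated in the
reply (first port of the range unless the resulting tuple already exists in
conntrack; --random starts the scan at a random offset). Conntrack is
simplified to a set of translated tuples.
"""
import random
from typing import NamedTuple


class Tuple(NamedTuple):
    """One direction of a tracked flow (here: the tuple after DNAT)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DnatRange:
    """DNAT --to-destination IP:lo-hi [--random], tracking translated tuples."""

    def __init__(self, lo, hi, use_random=False, seed=0):
        self.ports = list(range(lo, hi + 1))
        self.use_random = use_random
        self.rng = random.Random(seed)   # seeded so the demo is reproducible
        self.conntrack = set()           # translated tuples still tracked

    def translate(self, orig):
        """Return the translated tuple chosen for a new connection `orig`."""
        order = self.ports
        if self.use_random:
            # --random: begin the scan at a random offset instead of port lo.
            start = self.rng.randrange(len(order))
            order = order[start:] + order[:start]
        for port in order:
            cand = orig._replace(dst_port=port)
            if cand not in self.conntrack:   # no clash: first free port wins
                self.conntrack.add(cand)
                return cand
        raise RuntimeError("port range exhausted")

    def expire(self, translated):
        """Drop a tracked tuple, as conntrack does when a flow times out."""
        self.conntrack.discard(translated)


def distribution(use_random, n=20, seed=0):
    """Count how n connections from one client land across 9000-9004."""
    nat = DnatRange(9000, 9004, use_random, seed)
    counts = {p: 0 for p in nat.ports}
    for i in range(n):
        # Constructed traffic: same client IP, a fresh ephemeral source port
        # per connection, as repeated `telnet 127.0.0.1 8000` produces.
        orig = Tuple("tcp", "127.0.0.1", 40000 + i, "127.0.0.1", 8000)
        counts[nat.translate(orig).dst_port] += 1
    return counts


def clash_demo():
    """The one case where the sequential scan moves past the first port.

    Constructed scenario: a second rule sends dport 8001 into the same range
    and the client reuses source port 40000, so the two flows would translate
    to the same tuple. The first takes 9000, the second must take 9001, and
    once the first entry expires a third flow gets 9000 again.
    """
    nat = DnatRange(9000, 9004)
    a = nat.translate(Tuple("tcp", "10.0.0.5", 40000, "127.0.0.1", 8000))
    b = nat.translate(Tuple("tcp", "10.0.0.5", 40000, "127.0.0.1", 8001))
    nat.expire(a)
    c = nat.translate(Tuple("tcp", "10.0.0.5", 40000, "127.0.0.1", 8000))
    return a.dst_port, b.dst_port, c.dst_port


if __name__ == "__main__":
    print("sequential:", distribution(False))
    print("--random:  ", distribution(True))
    print("clash case:", clash_demo())
```

Running the module prints all twenty sequential connections on 9000, a spread across 9000-9004 for the `--random` run, and `(9000, 9001, 9000)` for the clash case. Note that even with `--random` the selection is random, not round robin, so a short test will not show an even split; a per-port `LOG` rule as in the original post, or `conntrack -L`, is the way to observe the actual distribution on a live box.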
