
Re: load balance (rdr) with tables



Hi Daniel,

thanks a bunch for all your work with pf.

'Does not work' means that the packets are not matching the rdr rule when a table is used:
--------
# pfctl -vvsn
@0 rdr on xl0 proto tcp from any to any port = smtp -> <smtp> round-robin sticky-address
[ Evaluations: 14 Packets: 0 Bytes: 0 States: ]
@1 rdr on xl0 proto tcp from any to any port = http -> <smtp> round-robin sticky-address
[ Evaluations: 12 Packets: 0 Bytes: 0 States: ]
@2 rdr on xl0 proto tcp from any to any port = pop3 -> <smtp> round-robin sticky-address
[ Evaluations: 8 Packets: 0 Bytes: 0 States: ]
@3 rdr on xl0 proto tcp from any to any port = imap -> <smtp> round-robin sticky-address
[ Evaluations: 8 Packets: 0 Bytes: 0 States: ]
@4 rdr on xl0 proto tcp from any to any port = https -> <smtp> round-robin sticky-address
[ Evaluations: 8 Packets: 0 Bytes: 0 States: ]
--------


But if, instead of a table, I use a macro with the same addresses, the same rdr rule redirects the packets to the pool just fine (check the ruleset below).

I tested from many source addresses, and the problem doesn't seem to be the stickiness of the sessions. Pf maintains the session just fine, and stickiness works if I use a macro though.

I changed my fw rules to something very simple for testing purposes (the commented out rdr rule with the macro works fine, when enabled):
------
ext_if = "xl0"
int_if = "fxp0"
int_net = "10.10.10.0/24"
fw_yvr = "209.82.78.2"
dev_server = "209.61.244.4"
mail_pool = "{10.10.10.10/32, 10.10.10.11/32}"
table <smtp> persist {10.10.10.10/32, 10.10.10.11/32}


rdr pass on $ext_if proto tcp from any to any port {25 80 110 143 443} -> <smtp> sticky-address
#rdr pass on $ext_if proto tcp from any to any port {25 80 110 143 443} -> $mail_pool round-robin sticky-address


# packet filtering rules
pass quick on lo0 all
pass in log quick on $ext_if from $fw_yvr to any keep state
pass in quick on $ext_if from $dev_server to any keep state
pass out quick on $ext_if proto {tcp,udp,icmp} all keep state
block in log quick on $ext_if
--------


This is pfctl -vvss when I use the table (the port 22 rule is not a part of the rdr, though):
------
self tcp 207.228.225.135:22 <- 209.82.78.2:56824 ESTABLISHED:ESTABLISHED
[1530102845 + 33256] [1671572552 + 33304]
age 00:00:34, expires in 24:00:00, 25:16 pkts, 1972:2064 bytes, rule 1
-------



This is pfctl -vvss when I use a macro instead:
-----------
self tcp 10.10.10.10:443 <- 207.228.225.135:443 <- 209.82.78.2:53175 ESTABLISHED:ESTABLISHED
[4203246125 + 16886] [3366592452 + 65535]
age 00:00:04, expires in 23:59:57, 8:7 pkts, 1456:2775 bytes, sticky-address
id: 41d391050000d5b2 creatorid: 6c2dd1bf
self tcp 207.228.225.135:22 -> 209.82.78.2:56824 ESTABLISHED:ESTABLISHED
[1530285165 + 33256] [1671636312 + 33304]
age 00:03:53, expires in 24:00:00, 49:69 pkts, 9380:5220 bytes, rule 9
id: 41d391050000d5ac creatorid: 6c2dd1bf
self tcp 10.10.10.10:80 <- 207.228.225.135:80 <- 207.228.226.6:54833 FIN_WAIT_2:FIN_WAIT_2
[2844882315 + 49332] [692242652 + 65534]
age 00:00:23, expires in 00:01:07, 6:4 pkts, 469:476 bytes, sticky-address
id: 41d391050000d5b1 creatorid: 6c2dd1bf
self tcp 10.10.10.11:80 <- 207.228.225.135:80 <- 66.36.226.248:4627 CLOSED:SYN_SENT
[0 + 57344] [3720571632 + 1]
age 00:00:29, expires in 00:00:23, 7:1 pkts, 356:56 bytes, sticky-address
id: 41d391050000d5b0 creatorid: 6c2dd1bf
--------


/var/log/messages doesn't return anything when I'm using a table. But when I'm using the macro, this is what I get:
----
Jan 17 20:18:56 fas250-mgmt kernel: pf_map_addr: selected address 10.10.10.11
Jan 17 20:19:08 fas250-mgmt kernel: pf_map_addr: selected address 10.10.10.11
Jan 17 20:19:15 fas250-mgmt kernel: pf_map_addr: selected address 10.10.10.10
----



This is the result of pfctl -vvsT and pfctl -t smtp -vvTs. The results never change after the connection attempts.
# pfctl -vvsT
No ALTQ support in kernel
ALTQ related functions disabled
-pa-r- smtp
Addresses: 2
Cleared: Mon Jan 17 20:06:58 2005
References: [ Anchors: 0 Rules: ]
Evaluations: [ NoMatch: 0 Match: ]
In/Block: [ Packets: 0 Bytes: ]
In/Pass: [ Packets: 0 Bytes: ]
In/XPass: [ Packets: 0 Bytes: ]
Out/Block: [ Packets: 0 Bytes: ]
Out/Pass: [ Packets: 0 Bytes: ]
Out/XPass: [ Packets: 0 Bytes: ]


# pfctl -t smtp -vvsT
No ALTQ support in kernel
ALTQ related functions disabled
-pa-r- smtp
Addresses: 2
Cleared: Mon Jan 17 20:06:58 2005
References: [ Anchors: 0 Rules: ]
Evaluations: [ NoMatch: 0 Match: ]
In/Block: [ Packets: 0 Bytes: ]
In/Pass: [ Packets: 0 Bytes: ]
In/XPass: [ Packets: 0 Bytes: ]
Out/Block: [ Packets: 0 Bytes: ]
Out/Pass: [ Packets: 0 Bytes: ]
Out/XPass: [ Packets: 0 Bytes: ]



So, it just looks like pf cannot match the rdr rule when a table is used. Again, I'm using the version of PF that comes with FreeBSD 5.3.


Thanks a lot!
G

----- Original Message -----
From: "Daniel Hartmeier" <[email protected]>
To: "Gustavo A. Baratto" <[email protected]>
Cc: <[email protected]>
Sent: Saturday, January 15, 2005 3:46 PM
Subject: Re: load balance (rdr) with tables



On Thu, Jan 13, 2005 at 05:32:45PM -0800, Gustavo A. Baratto wrote:

the rdr rule that DOES NOT work is this:
---
table <smtp> persist {10.10.10.10, 10.10.10.11}
rdr pass on $ext_if proto tcp from any to any port {25 110 143} ->
<smtp> round-robin sticky-address
---

Can you be a little more specific about what 'does not work'? What do you expect it to do, precisely, and how does what you observe it doing differ from those expectations?

Does the rule not apply and fail to replace connections' destination
addresses? Try to establish a couple of connections that the rdr rule
should apply to, then check related output of pfctl -vss. How are
destination addresses replaced?

Does the rule apply, but not cycle through both addresses in the table?
You're testing from different source addresses, understanding what
'sticky-address' is supposed to do, right?

Does it cycle through both addresses, but not honour 'sticky' to use the
same one for multiple connections from the same source?

Can you enable verbose debug logging with pfctl -x m and check
/var/log/messages for lines from pf (generated while trying to establish
a connection through the rdr rule)?

What do pfctl -vvsT and pfctl -t smtp -vvTs print? Does the output
change after connection attempts?

Daniel
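The diagnostic signal in this thread is a rule whose Evaluations counter keeps climbing while its Packets counter stays at zero: pf looks at the rule but never applies it. The following is an added example, not code from the thread or from the pf project, that parses `pfctl -vvsn` rule statistics and applies exactly that check, plus the before/after comparison Daniel asked for. The two snapshots are constructed from the output quoted above (the States values, which the quoted output lost, are assumed), and the second snapshot is invented to show what a rule that does translate packets looks like.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the `pfctl -vvsn` output quoted in the thread.
# "States: 0" is an assumption; the quoted output dropped that value.
SNAPSHOT_BEFORE = """\
@0 rdr on xl0 proto tcp from any to any port = smtp -> <smtp> round-robin sticky-address
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
@1 rdr on xl0 proto tcp from any to any port = http -> <smtp> round-robin sticky-address
[ Evaluations: 12 Packets: 0 Bytes: 0 States: 0 ]
@2 rdr on xl0 proto tcp from any to any port = pop3 -> <smtp> round-robin sticky-address
[ Evaluations: 8 Packets: 0 Bytes: 0 States: 0 ]
"""

# Constructed second snapshot of the same ruleset after further connection
# attempts; rule @1 is made to look like the working macro case, where the
# rdr rule actually translates packets and creates states.
SNAPSHOT_AFTER = """\
@0 rdr on xl0 proto tcp from any to any port = smtp -> <smtp> round-robin sticky-address
[ Evaluations: 20 Packets: 0 Bytes: 0 States: 0 ]
@1 rdr on xl0 proto tcp from any to any port = http -> <smtp> round-robin sticky-address
[ Evaluations: 18 Packets: 12 Bytes: 940 States: 2 ]
@2 rdr on xl0 proto tcp from any to any port = pop3 -> <smtp> round-robin sticky-address
[ Evaluations: 8 Packets: 0 Bytes: 0 States: 0 ]
"""

COUNTERS = ("Evaluations", "Packets", "Bytes", "States")
RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
COUNTER_RE = re.compile(r"(Evaluations|Packets|Bytes|States):\s*(\d+)")


def parse_rules(text: str) -> Dict[int, dict]:
    """Map rule number -> {'rule': text, 'Evaluations': n, 'Packets': n, ...}.

    A rule line starts with '@N'; the bracketed counter line that follows
    belongs to that rule. Missing counters default to 0.
    """
    rules: Dict[int, dict] = {}
    current = None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = int(m.group(1))
            rules[current] = {"rule": m.group(2), **{c: 0 for c in COUNTERS}}
            continue
        if current is not None and line.startswith("["):
            for name, value in COUNTER_RE.findall(line):
                rules[current][name] = int(value)
    return rules


def evaluated_but_never_matched(rules: Dict[int, dict]) -> List[int]:
    """Rules pf has evaluated at least once but that never matched a packet.

    This is the pattern in the thread: traffic reaches the rdr rule, the
    rule is consulted, and yet no packet is ever translated by it.
    """
    return sorted(n for n, r in rules.items()
                  if r["Evaluations"] > 0 and r["Packets"] == 0)


def counter_delta(before: Dict[int, dict], after: Dict[int, dict]) -> Dict[int, dict]:
    """Per-rule counter growth between two snapshots (rules present in both)."""
    delta: Dict[int, dict] = {}
    for n, r in after.items():
        b = before.get(n)
        if b is not None:
            delta[n] = {c: r[c] - b[c] for c in COUNTERS}
    return delta


def rules_that_translated(before: Dict[int, dict], after: Dict[int, dict]) -> List[int]:
    """Rules whose Packets counter moved between the snapshots."""
    return sorted(n for n, d in counter_delta(before, after).items() if d["Packets"] > 0)


if __name__ == "__main__":
    before = parse_rules(SNAPSHOT_BEFORE)
    after = parse_rules(SNAPSHOT_AFTER)
    print("evaluated but never matched:", evaluated_but_never_matched(after))
    print("translated since last snapshot:", rules_that_translated(before, after))
```

In practice you would feed the function the live output of `pfctl -vvsn` taken before and after a few test connections; a rule that shows up in `evaluated_but_never_matched` across both snapshots, with its Evaluations delta positive and its Packets delta zero, is the case the thread describes, and is a different failure from a rule that translates but does not cycle the pool (where the counters move but the states all land on one address).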