On Wed, 2004-04-14 at 01:17, Sheldon Hearn wrote:
> Ideally, what the back load balancer for a Zorp cluster needs to do is this:
> 1) When a SYN comes in from a Zorp host, create a new connection table entry, including the Layer 2 (Ethernet) address of the packet in the entry.
> 2) When a packet comes back from the servers and is associated with a connection table entry based on Layer 3 and 4 features, route the packet via the Layer 2 address stored in the entry.
> I've contacted 3 vendors and an open source group looking for a solution like this. Here are the responses:
> 1) Cisco say their 650x with Content Switching Module support transparent proxy firewalls, and a friend of mine at Cisco confirms this.
We are also using Cisco CSMs for this purpose. They are doing some kind of TCP state tracking (I believe it is a simple timeout) and reply packets are sent back where they came from. The load balancing decision is based on the IP address in our case, but AFAIK they can also do RR, but it makes debugging problems a nightmare.
> 4) The folks on the LVS mailing list can't think of anything better than the SH/DH approach.
In addition to LVS you can also implement load balancing via iptables conntrack and connmark. When the first packet of a given connection is received at the LB box you mark it with a connection mark; this is the LB decision and you can base it on anything you want to (for example the source port value, but simple RR or random assignment might also work). A decision based on the source port can be done using the u32 match; for RR and random marks you will need to create custom iptables modules. The connmark value selects which Zorp box you are going to use to proxy that specific connection. Then copy this connmark to every packet belonging to the same connection as an fwmark (CONNMARK --save-mark IIRC), then do policy routing based on fwmark, and select different gateways depending on the fwmark.
> Now a Cisco 650x w/ CSM costs more than USD 70,000. That's a lot of money to spend on a load balancer for 4 Zorp boxes!
True, Cisco products are extremely expensive. There are other load balancers like radware, bigip or flatiron. They are somewhat cheaper.
-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
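The connmark approach from the reply, applied to the back load balancer Sheldon describes, as an added example that is not part of the thread and not Zorp's own code. The load-balancing decision here is "which Zorp host sent the SYN", taken from the packet's Ethernet source address with the `mac` match, so the conntrack entry effectively stores the Layer 2 identity the original request asks for; `CONNMARK --save-mark` stores it, `CONNMARK --restore-mark` copies it onto every later packet of the connection (including the replies from the servers), and an `ip rule` on the fwmark routes those replies back through the right Zorp host. Interface names, MAC addresses, gateway IPs, the chain name `ZORP_LB` and the table numbers are assumptions to adjust for a real deployment. For a front balancer, the same chain works with the `mac` rules replaced by a decision rule such as the u32 source-port match from the reply, or the `statistic` match (`--mode nth`) that current iptables ships for round robin, which removes the need for the custom modules mentioned in 2004.

```shell
#!/bin/sh
# Added example: conntrack/connmark based "back" load balancer for a Zorp cluster.
# Nothing below is from the mailing-list thread; all names and addresses are assumed.

ZORP_IF=eth0   # interface facing the Zorp hosts (assumed)
SRV_IF=eth1    # interface facing the servers (assumed)

# One line per Zorp host: "mark|ethernet-source-address|ip-address" (constructed values).
# Marks start at 1 because mark 0 means "not yet classified".
ZORP_HOSTS="1|00:11:22:33:44:01|10.0.0.1
2|00:11:22:33:44:02|10.0.0.2"

# Emit the iptables / ip commands as text. "apply" executes them (needs root);
# without an argument the script only prints them, which is also what the test checks.
back_lb_rules() {
    echo "iptables -t mangle -N ZORP_LB"
    # Every packet first inherits the mark stored in its conntrack entry, if any.
    echo "iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark"
    # Packets of already classified connections need no further decision.
    echo "iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT"
    # The first packet of a connection arriving from the Zorp side gets classified.
    echo "iptables -t mangle -A PREROUTING -i $ZORP_IF -m conntrack --ctstate NEW -j ZORP_LB"
    echo "$ZORP_HOSTS" | while IFS='|' read -r mark mac ip; do
        # The decision: remember which Zorp host (by Ethernet source address) opened it.
        echo "iptables -t mangle -A ZORP_LB -m mac --mac-source $mac -j MARK --set-mark $mark"
        # Replies coming back from the server side with this mark return to that host.
        # Restricting the rule to iif $SRV_IF keeps Zorp-to-server traffic on the main table.
        echo "ip rule add iif $SRV_IF fwmark $mark table $((100 + mark))"
        echo "ip route add default via $ip dev $ZORP_IF table $((100 + mark))"
    done
    # Persist the decision in the conntrack entry so later packets, in both
    # directions, are matched by the --restore-mark rule above.
    # A NEW packet that matches no known host keeps mark 0 and follows normal routing.
    echo "iptables -t mangle -A ZORP_LB -j CONNMARK --save-mark"
}

if [ "$1" = "apply" ]; then
    back_lb_rules | sh -e
else
    back_lb_rules
fi
```

Run without arguments to review the generated rule set; `sh back-lb.sh apply` installs it. The `ip rule` entries are added without explicit priorities, so they land above the main table as usual; if other policy rules already exist on the box, give them explicit `priority` values to control ordering.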