netfilter buglog - Apr 2018 - [Bug 1248] New: The rr-load-balance part doesn't actually work on 0.7

https://bugzilla.netfilter.org/show_bug.cgi?id=1248

            Bug ID: 1248
           Summary: The rr-load-balance part doesn't actually work on 0.7
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: minor
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: ian.kumlien at gmail.com

This might be known, 0.7 is old - but if it isn't then... ;)

I added two rules like this in table nat, chain prerouting (with a hook):

iifname $ext_if ip saddr $external_dns_servers tcp dport $external_dns_ports
dnat to numgen inc mod 3 map { 0: 10.0.0.2, 1: 10.0.0.3, 2: 10.0.0.4 }

iifname $ext_if ip saddr $external_dns_servers udp dport $external_dns_ports
dnat to numgen inc mod 3 map { 0: 10.0.0.2, 1: 10.0.0.3, 2: 10.0.0.4 }

And they do work, kinda.

The idea is to have external slave DNS servers that are seeded from internal
DNS servers - the seed is pushed out and AXFR requests would be handled by
these rules.

With UDP, when running 4 requests in parallel (tmux, 4 slave servers, do a
lookup) some get the response quickly, but usual delays is 5 -15 seconds - and
1-2 machines gets a connection timeout.

Switching to TCP doesn't help - well, you get connection denied instead of
timeout.

Never tried with the jhash, I wanted some kind of easy reliability setup..
I've
since switched to using nginx as a dns loadbalancer =)

(Fedora is still on 0.7 - i filed a ticket so they say that they will push 8.3
but..)

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180424/9d84bad4/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1248

Florian Westphal <fw at strlen.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fw at strlen.de

--- Comment #1 from Florian Westphal <fw at strlen.de> ---
(In reply to Ian Kumlien from comment #0)
> iifname $ext_if ip saddr $external_dns_servers tcp dport
$external_dns_ports
> dnat to numgen inc mod 3 map { 0: 10.0.0.2, 1: 10.0.0.3, 2: 10.0.0.4 }
>
Does this still cause a problem for you?
There was a bug wrt. set lookups on big-endian machines, what architecture are
you using?

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190712/4eea76d8/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1248

--- Comment #2 from Ian Kumlien <ian.kumlien at gmail.com> ---
I haven't tested it since, since it didn't actually work ;)

This was tested on intel machines, so all little-endian

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190712/71aa8712/attachment.html>