thr3ads.net - Shorewall users - port range round robin behavior [Aug 2010]

If this information is useful, please help other people find it:
Share via:

Michael McCallister

2010-Aug-07 06:24 UTC

port range round robin behavior

Greetings,

I have been using shorewall on a particular gateway for a while now and 
recently tried adding a rule that would load balance requests across 
multiple ports per these DEST instructions (from 
http://www.shorewall.net/manpages/shorewall-rules.html):
> The /port/ may be specified as a service name. You may specify a port 
> range in the form /lowport-highport/ to cause connections to be 
> assigned to ports in the range in round-robin fashion. When a port 
> range is specified, /lowport/ and /highport/ must be given as 
> integers; service names are not permitted. Additionally, the port 
> range may be optionally followed by *:random* which causes assignment 
> to ports in the list to be random.
The rule I added looks like this (there one IP has been "x"ed out):

DNAT    wan1    nat1:192.168.1.6:4343-4344    tcp    43    -    
xxx.xxx.xxx.xxx

I confirmed this rule load correctly and you can see it via "shorewall 
show nat"

    26  1560 DNAT       tcp  --  *      *       0.0.0.0/0            
xxx.xxx.xxx.xxx      tcp dpt:43 to:192.168.1.6:4343-4344

The problem however is that I am not seeing it "cause connections to be 
assigned to ports in the range in round-robin fashion", but rather it 
always sends the request to 192.168.1.6:4343.   192.168.1.6:4344 never 
sees any activity/requests.

Any help/direction is appreciated,
Michael


SW: 4.4.11.1
LK: 2.6.18-194.8.1.el5

shorewall show capabilities | grep Multi
    Multi-port Match: Available
    Extended Multi-port Match: Available

ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
     inet6 ::1/128 scope host
        valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
qlen 1000
     link/ether 00:15:17:7b:cd:f8 brd ff:ff:ff:ff:ff:ff
     inet xxx.xxx.xxx.xxx/29 brd xxx.xxx.xxx.xxx scope global eth0
     inet xxx.xxx.xxx.xxx/27 brd xxx.xxx.xxx.xxx scope global eth0:1
     inet xxx.xxx.xxx.xxx/27 brd xxx.xxx.xxx.xxx scope global secondary 
eth0:2
     inet xxx.xxx.xxx.xxx/27 brd xxx.xxx.xxx.xxx scope global secondary 
eth0:3
     inet6 fe80::215:17ff:fe7b:cdf8/64 scope link
        valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
qlen 1000
     link/ether 00:15:17:7b:cd:f9 brd ff:ff:ff:ff:ff:ff
     inet 192.168.0.1/16 brd 192.168.255.255 scope global eth1
     inet6 fe80::215:17ff:fe7b:cdf9/64 scope link
        valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
qlen 1000
     link/ether 00:30:48:63:d8:68 brd ff:ff:ff:ff:ff:ff
     inet 192.168.0.6/16 brd 192.168.255.255 scope global eth2
     inet6 fe80::230:48ff:fe63:d868/64 scope link
        valid_lft forever preferred_lft forever


ip route show
xxx.xxx.xxx.xxx/29 dev eth0  proto kernel  scope link  src xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx/27 dev eth0  proto kernel  scope link  src xxx.xxx.xxx.xxx
169.254.0.0/16 dev eth2  scope link
192.168.0.0/16 dev eth1  proto kernel  scope link  src 192.168.0.1
192.168.0.0/16 dev eth2  proto kernel  scope link  src 192.168.0.6
default via xxx.xxx.xxx.xxx dev eth0



------------------------------------------------------------------------------
This SF.net email is sponsored by 

Make an app they can''t live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev

Tom Eastep

2010-Aug-07 14:48 UTC

head link

Re: port range round robin behavior

On 8/6/10 11:24 PM, Michael McCallister wrote:
> 
> I confirmed this rule load correctly and you can see it via "shorewall
> show nat"
> 
>     26  1560 DNAT       tcp  --  *      *       0.0.0.0/0            
> xxx.xxx.xxx.xxx      tcp dpt:43 to:192.168.1.6:4343-4344
> 
> The problem however is that I am not seeing it "cause connections to
be
> assigned to ports in the range in round-robin fashion", but rather it 
> always sends the request to 192.168.1.6:4343.   192.168.1.6:4344 never 
> sees any activity/requests.
> 
> Any help/direction is appreciated,
Given that Shorewall is generating the correct iptables rule, there
isn''t anything that we can do to change the behavior.

You might try adding the :random option to see if that improves things.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
This SF.net email is sponsored by 

Make an app they can''t live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev

Tom Eastep

2010-Aug-07 15:13 UTC

head link

Re: port range round robin behavior

On 8/7/10 7:48 AM, Tom Eastep wrote:> On 8/6/10 11:24 PM, Michael McCallister wrote:
> 
>>
>> I confirmed this rule load correctly and you can see it via
"shorewall
>> show nat"
>>
>>     26  1560 DNAT       tcp  --  *      *       0.0.0.0/0            
>> xxx.xxx.xxx.xxx      tcp dpt:43 to:192.168.1.6:4343-4344
>>
>> The problem however is that I am not seeing it "cause connections
to be
>> assigned to ports in the range in round-robin fashion", but rather
it
>> always sends the request to 192.168.1.6:4343.   192.168.1.6:4344 never 
>> sees any activity/requests.
>>
>> Any help/direction is appreciated,
> 
> Given that Shorewall is generating the correct iptables rule, there
> isn''t anything that we can do to change the behavior.
> 
> You might try adding the :random option to see if that improves things.
It appears that RedHat''s 3-4 year old kit doesn''t support the
:random
option (or at least the open source derivatives of REL5 don''t seem to).

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
This SF.net email is sponsored by 

Make an app they can''t live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev

Michael McCallister

2010-Aug-07 16:26 UTC

head link

Re: port range round robin behavior

Tom Eastep wrote, On 08/07/2010 08:13 AM:>
> It appears that RedHat''s 3-4 year old kit doesn''t support
the :random
> option (or at least the open source derivatives of REL5 don''t seem
to).
>
> -Tom
Thanks Tom.  Yeah - I noticed :random does not work (issues fatal error 
during start up).  I will find some other workaround.

------------------------------------------------------------------------------
This SF.net email is sponsored by 

Make an app they can''t live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev

Shorewall users - Aug 2010 - port range round robin behavior

port range round robin behavior

Re: port range round robin behavior

Re: port range round robin behavior

Re: port range round robin behavior