Load balancing: Difference between revisions

From nftables wiki
(→‎Using Direct Server Return (DSR): Updated link to mangling packet headers.)
(6 intermediate revisions by 3 users not shown)

Latest revision as of 21:55, 16 April 2021

Since nftables v0.7, there is support in place to perform NAT load balancing.

Don't forget the special NAT chain semantics: only the first packet of a flow evaluates the rule; follow-up packets rely on conntrack to apply the NAT information.

Round Robin

This method uses the nftables number generator.

The example below distributes new connections in a round-robin fashion between 192.168.10.100 and 192.168.20.200.

% nft add rule nat prerouting dnat to numgen inc mod 2 map { \
               0 : 192.168.10.100, \
               1 : 192.168.20.200 }

You can also emulate flow distribution with different backend weights using intervals:

% nft add rule nat prerouting dnat to numgen inc mod 10 map { \
               0-5 : 192.168.10.100, \
               6-9 : 192.168.20.200 }

The distribution can be based on ports as well:

% nft add rule nat prerouting ip protocol tcp dnat to 192.168.1.100 : numgen inc mod 2 map {\
               0 : 4040 ,\
               1 : 4050 }

Support for random and probability-based distributions also exists:

% nft add rule nat prerouting numgen random mod 2 vmap { 0 : jump mychain1, 1 : jump mychain2 }
% nft add rule nat prerouting numgen random mod 100 vmap { 0-49 : jump mychain1, 50-99 : jump mychain2 }

Consistent Hash-based Distribution

This method uses the nftables internal hashing mechanisms.

% nft add rule x y dnat to jhash ip saddr . tcp dport mod 2 map { \
                0 : 192.168.20.100, \
                1 : 192.168.30.100 }

This relies on the Jenkins hash.
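As an added illustration that is not part of the nftables wiki or the nftables project, the following Python model shows how the interval maps from the Round Robin section and the hash-based selection above behave: backend weights become `numgen inc mod N` intervals, `numgen inc` and `numgen random` produce the expected backend shares, and hashing the same `ip saddr . tcp dport` tuple always lands on the same backend. The hash is hashlib.blake2b standing in for the kernel's jhash (an assumption made for illustration only), so the bucket values do not match what nft computes, only the selection semantics do.

```python
"""Model of the numgen / jhash map lookups used on this page (added illustration, not
nftables project code). The interval maps and `mod` values are the page's; the hash
is a stand-in (hashlib.blake2b), NOT the kernel's jhash: only the semantics carry over.
"""
import hashlib
import random
from collections import Counter

def weights_to_map(weights):
    """Turn backend weights into the interval map nft expects; sum(weights) is the `mod` value.
    {"192.168.10.100": 6, "192.168.20.200": 4} gives the page's `{ 0-5 : ..., 6-9 : ... }`."""
    intervals, lo = [], 0
    for backend, weight in weights.items():
        intervals.append(((lo, lo + weight - 1), backend))
        lo += weight
    return intervals

def render_rule(intervals):
    """Render the page-style nat prerouting dnat rule for an interval map."""
    modulus = intervals[-1][0][1] + 1
    body = ", ".join(f"{lo}-{hi} : {b}" for (lo, hi), b in intervals)
    return f"nft add rule nat prerouting dnat to numgen inc mod {modulus} map {{ {body} }}"

def lookup(intervals, value):
    """Resolve a generated value against the map; nft skips the rule when nothing matches."""
    for (lo, hi), backend in intervals:
        if lo <= value <= hi:
            return backend
    raise KeyError(value)

def numgen_inc(modulus, n):
    """`numgen inc mod M`: a per-rule counter, 0..M-1, advanced on every evaluation."""
    return [i % modulus for i in range(n)]

def numgen_random(modulus, n, seed=1):
    """`numgen random mod M`: an independent pseudo-random value per evaluation (seeded for repeatability)."""
    rng = random.Random(seed)
    return [rng.randrange(modulus) for _ in range(n)]

def share(intervals, values):
    """Fraction of evaluations that each backend received."""
    counts = Counter(lookup(intervals, v) for v in values)
    return {backend: counts[backend] / len(values) for _, backend in intervals}

def jhash_pick(saddr, dport, modulus, seed=0):
    """Stand-in for `jhash ip saddr . tcp dport mod M`: the same tuple always lands in the same bucket."""
    digest = hashlib.blake2b(f"{seed}|{saddr}|{dport}".encode(), digest_size=4).digest()
    return int.from_bytes(digest, "big") % modulus
```

Compare `share(m, numgen_inc(10, 1000))` (exactly 60/40) with `share(m, numgen_random(10, 20000))` (close to 60/40, but only on average) to see why the page calls the second form probability-based.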

Using stateless NAT

You can perform load balancing through a stateless NAT approach as well, combined with either the round-robin or the consistent hash-based distribution approach.

The example below uses Round Robin flow distribution:

% nft add rule t c tcp dport 80 ip daddr set numgen inc mod 2 map { 0 : 192.168.1.100, 1 : 192.168.1.101 }

This is more lightweight than stateful NAT given there is no flow tracking in place. This is indeed a form of mangling packet headers.

Using Direct Server Return (DSR)

This example implements a DSR topology for connectionless flows from the ingress hook:

% nft add rule netdev t c udp dport 53 ether saddr set aa:bb:cc:dd:ff:ee ether daddr set numgen inc mod 2 map { 0 : xx:xx:xx:xx:xx:xx, 1: yy:yy:yy:yy:yy:yy } fwd to eth0

An approach for connection-oriented flows is shown below:

% nft add rule netdev t c tcp dport 80 ether saddr set aa:bb:cc:dd:ff:ee ether daddr set jhash ip saddr . tcp sport mod 2 map { 0 : xx:xx:xx:xx:xx:xx, 1: yy:yy:yy:yy:yy:yy } fwd to eth0

Note that xx:xx:xx:xx:xx:xx and yy:yy:yy:yy:yy:yy need to be replaced by the real destination MAC addresses of the backends. This is mangling packet headers as well.