[Bug 1248] New: The rr-load-balance part doesn't actually work on 0.7
bugzilla-daemon at netfilter.org
Tue Apr 24 10:40:32 CEST 2018
https://bugzilla.netfilter.org/show_bug.cgi?id=1248
Bug ID: 1248
Summary: The rr-load-balance part doesn't actually work on 0.7
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: minor
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: ian.kumlien at gmail.com
This might be known, 0.7 is old - but if it isn't then... ;)
I added two rules like this in table nat, chain prerouting (with a hook):
iifname $ext_if ip saddr $external_dns_servers tcp dport $external_dns_ports dnat to numgen inc mod 3 map { 0: 10.0.0.2, 1: 10.0.0.3, 2: 10.0.0.4 }
iifname $ext_if ip saddr $external_dns_servers udp dport $external_dns_ports dnat to numgen inc mod 3 map { 0: 10.0.0.2, 1: 10.0.0.3, 2: 10.0.0.4 }
And they do work, kinda.
The idea is to have external slave DNS servers that are seeded from internal
DNS servers - the seed is pushed out and AXFR requests would be handled by
these rules.
With UDP, when running 4 requests in parallel (tmux, 4 slave servers, do a
lookup) some get the response quickly, but the usual delay is 5-15 seconds - and
1-2 machines get a connection timeout.
Switching to TCP doesn't help - well, you get connection denied instead of
timeout.
Never tried with the jhash, I wanted some kind of easy reliability setup... I've
since switched to using nginx as a DNS load balancer =)
(Fedora is still on 0.7 - I filed a ticket so they say that they will push 8.3
but...)
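A complete nat table built around the two rules in this report, as an added example that is not part of the report or of the nftables project. The interface name, the external slave addresses, the port set and the hook priorities are assumed placeholders; the 10.0.0.2-4 backends are the ones the report uses.

```nft
# Added example: full ruleset around the report's round-robin DNAT rules.
# Assumed values: "eth0", the 192.0.2.x slave addresses and port 53 are
# placeholders; 10.0.0.2-4 are the internal DNS servers from the report.
define ext_if = "eth0"
define external_dns_servers = { 192.0.2.10, 192.0.2.11, 192.0.2.12, 192.0.2.13 }
define external_dns_ports = { 53 }

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;

        # Round-robin: each new connection (conntrack entry) is sent to the
        # next backend in turn; packets of an existing connection keep theirs.
        iifname $ext_if ip saddr $external_dns_servers tcp dport $external_dns_ports \
            dnat to numgen inc mod 3 map { 0 : 10.0.0.2, 1 : 10.0.0.3, 2 : 10.0.0.4 }
        iifname $ext_if ip saddr $external_dns_servers udp dport $external_dns_ports \
            dnat to numgen inc mod 3 map { 0 : 10.0.0.2, 1 : 10.0.0.3, 2 : 10.0.0.4 }

        # Variant the report mentions but did not try: hash the source address,
        # so a given slave always lands on the same internal server. That makes
        # a failure reproducible per client, which round-robin does not.
        # iifname $ext_if ip saddr $external_dns_servers tcp dport $external_dns_ports \
        #     dnat to jhash ip saddr mod 3 map { 0 : 10.0.0.2, 1 : 10.0.0.3, 2 : 10.0.0.4 }
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # No SNAT needed as long as 10.0.0.2-4 route their replies back through
        # this host, so conntrack can reverse the DNAT on the return path.
    }
}
```

Load it with `nft -f <file>`; `nft list ruleset` then shows the rules with the variables expanded, which is the form to quote when reporting behaviour like the above.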