Hi, I'm in the process of configuring a layer-3 hoststated load balancer here and I can't seem to get it to work. From what I can tell, hoststated never creates the relevant `rdr' rules in pf.
My configuration files are pasted at the end of the email. I think I configured both pf and hoststated properly, maybe I'm just missing some diagnostic tools or perspective on how this actually works... Here are the factoids:

1. pf is enabled and has the rdr-anchor set:

   # pfctl -s all | head -3
   TRANSLATION RULES:
   rdr-anchor "hoststated/*" all

2. hoststated is started and has the service properly set up:

   # hoststatectl show summary
   Type     Id  Name           Avlblty  Status
   service  0   www                     active
   table    0   webhosts                active (1 hosts up)
   host     1   209.44.112.87  0.00%    down
   host     0   209.44.112.66  100.00%  up
   table    1   fallback                disabled

3. pf never gets any rdr rule from hoststated:

   # pfctl -s all | grep rdr
   rdr-anchor "hoststated/*" all

What am I doing wrong?

A.

Additional details:

# uname -a
OpenBSD rtr1-canix2.koumbit.net 4.2 GENERIC.RAID#1 amd64

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33168
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:15:17:29:68:db
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::215:17ff:fe29:68db%em0 prefixlen 64 scopeid 0x1
        inet 64.15.66.18 netmask 0xfffffffc broadcast 64.15.66.19
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:15:17:29:68:dc
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::215:17ff:fe29:68dc%em1 prefixlen 64 scopeid 0x2
        inet 209.44.112.1 netmask 0xffffffe0 broadcast 209.44.112.31
enc0: flags=0<> mtu 1536
vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:15:17:29:68:dc
        vlan: 1 priority: 0 parent interface: em1
        groups: vlan
        inet6 fe80::215:17ff:fe29:68dc%vlan1 prefixlen 64 scopeid 0x7
        inet 209.44.112.65 netmask 0xffffffc0 broadcast 209.44.112.127
vlan60: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:15:17:29:68:dc
        vlan: 60 priority: 0 parent interface: em1
        groups: vlan
        inet6 fe80::215:17ff:fe29:68dc%vlan60 prefixlen 64 scopeid 0x8
        inet 209.44.112.129 netmask 0xffffffc0 broadcast 209.44.112.192
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33168
        groups: pflog

-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<------

# cat /etc/pf.conf
#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or
# net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# facilitate debugging by not silently dropping refused packets:
# return a TCP RST or ICMP Unreachable packet
set block-policy return

rdr-anchor "hoststated/*"

# block spoofing for rfc1918 hosts (ie. don't allow those addresses on
# external interface)
table <private> const { 10/8, 172.16/12, 192.168/16 }

# a static table that can be used temporarily to block hosts
# use this command to add hosts to it: pfctl -t badhosts -Tadd
# 204.92.77.111
table <badhosts> persist

block log quick on em0 from { <private>, <badhosts> } to any

table <koumbit> const { 209.44.112.0/24 }

# block spoofing of our addresses from outside
block in log quick on em0 inet from <koumbit> to any

# we could also block people pretending to be this switch
#block in inet from 209.44.112.0/24 to any

# allow traffic with proper addresses through external interface
pass in on em0 from any to <koumbit>
pass out on em0 from <koumbit> to any

# don't filter internal interface
pass quick on em1
pass quick on vlan1
pass quick on vlan60

# safety net for now
pass in quick all
pass out quick all

# default block policy
block log all

-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----

# cat /etc/hoststated.conf
#       $OpenBSD: hoststated.conf,v 1.6 2007/02/26 20:43:32 reyk Exp $

# Macros
ext_addr="64.15.66.18"
webhost1="209.44.112.66"
webhost2="209.44.112.87"

# Global Options
interval 10
timeout 200
prefork 5
log all

# Each table will be mapped to a pf table.
table webhosts {
        real port http
        check http "/" code 302
        host $webhost1
        host $webhost2
}

# Services will be mapped to a rdr rule.
service www {
        virtual host $ext_addr port http
        interface trunk0
        table webhosts
}

-- 
Antoine Beaupré
Réseau Koumbit Networks
+1.514.387.6262
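As an added diagnostic (not part of the original post and not hoststated's own code), the script below cross-checks a hoststated.conf service definition against ifconfig(8) output: every `interface` a service names must exist on the box, and the service's virtual host address must actually be assigned to that interface. The sample input is an excerpt of the ifconfig output and hoststated.conf from the post above, embedded so the check runs offline; the parsing is regex-based and only covers the directives that appear in the post (`virtual host`, `interface`, and `name="value"` macros), which is an assumption about the config, not a full hoststated.conf parser.

```python
import re

# Constructed sample input: excerpt of the ifconfig output from the post above.
IFCONFIG_OUTPUT = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33168
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        groups: egress
        inet 64.15.66.18 netmask 0xfffffffc broadcast 64.15.66.19
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 209.44.112.1 netmask 0xffffffe0 broadcast 209.44.112.31
vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 209.44.112.65 netmask 0xffffffc0 broadcast 209.44.112.127
"""

# Constructed sample input: the macros and service block from the post's hoststated.conf.
HOSTSTATED_CONF = """\
ext_addr="64.15.66.18"
webhost1="209.44.112.66"
service www {
        virtual host $ext_addr port http
        interface trunk0
        table webhosts
}
"""


def parse_ifconfig(text):
    """Map interface name -> set of IPv4 addresses, from ifconfig(8) output."""
    ifaces = {}
    current = None
    for line in text.splitlines():
        head = re.match(r'^(\S+): flags=', line)
        if head:
            current = head.group(1)
            ifaces.setdefault(current, set())
            continue
        # "inet6" lines do not match because a digit must follow "inet ".
        addr = re.match(r'^\s+inet (\d+\.\d+\.\d+\.\d+)', line)
        if addr and current is not None:
            ifaces[current].add(addr.group(1))
    return ifaces


def parse_services(text):
    """Return (name, virtual address, interface) per service block, expanding $macros."""
    macros = dict(re.findall(r'^(\w+)="([^"]*)"', text, re.M))
    services = []
    for block in re.finditer(r'service\s+(\S+)\s*\{(.*?)\}', text, re.S):
        name, body = block.group(1), block.group(2)
        vh = re.search(r'virtual host\s+(\S+)', body)
        iface = re.search(r'interface\s+(\S+)', body)
        addr = vh.group(1) if vh else None
        if addr and addr.startswith('$'):
            addr = macros.get(addr[1:], addr)
        services.append((name, addr, iface.group(1) if iface else None))
    return services


def check_services(ifconfig_text, conf_text):
    """Return a list of human-readable problems; an empty list means consistent."""
    ifaces = parse_ifconfig(ifconfig_text)
    problems = []
    for name, addr, iface in parse_services(conf_text):
        if iface is None:
            continue
        if iface not in ifaces:
            owners = sorted(i for i, addrs in ifaces.items() if addr in addrs)
            hint = f"; {addr} is configured on {', '.join(owners)}" if owners else ""
            problems.append(f"service {name}: interface {iface} does not exist{hint}")
        elif addr not in ifaces[iface]:
            problems.append(f"service {name}: {addr} is not configured on {iface}")
    return problems


if __name__ == "__main__":
    for line in check_services(IFCONFIG_OUTPUT, HOSTSTATED_CONF) or ["no inconsistencies found"]:
        print(line)
```

Run against the post's own data it reports that `service www` names `trunk0`, which does not appear in the ifconfig output, and that `64.15.66.18` lives on `em0`; on a live system you would feed it `ifconfig` output and `/etc/hoststated.conf` instead of the embedded excerpts.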