RE: L7 switching: string.patch for IPTables? (fwd)

To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: L7 switching: string.patch for IPTables? (fwd)
From: Radu-Adrian Feurdean <raf@xxxxxxxx>
Date: Mon, 24 Sep 2001 22:36:20 +0200 (CEST)
On Mon, 24 Sep 2001, Zachariah Mully wrote:

> > Correct me if I'm wrong, but by the time you see the content in the
> > request fly by, the connection is already established.  By
> > that time, it's
> > too late, since you've _already_ done the load balancing yes?
>
>       Not if you're doing this on your firewall. In that case, you could make
> the decision to accept the connection and mark it to be passed on to the
> director. Even if you weren't able to do this on your firewall (stuck
> with a Pix or Nokia xxx), you could still do this on your director, i.e.
> the director/firewall combo... I am assuming though that packets will be
> first inspected by any iptables rules you have set up before being passed
> into the LVS layer. With fwmarks this would be a cheap and easy way to
> make a L7 lvs system.

No. LVS makes the decision on the first packet that arrives (SYN/-, no data). When
the packet containing data arrives it is too late to make a load-balancing
decision. However, you could do filtering this way: you wait until the
connection expires due to timeout, which is not very efficient.

However, this could work for UDP-based services, where there's no need to
establish a connection (at least at transport-layer level).

 Radu-Adrian Feurdean
mailto: raf @ chez.com
-------------------------------------------------------------
Majority: The quantity that distinguishes a crime from a law.
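The timing problem Radu-Adrian describes, as an added model that is not part of the original thread and not LVS or iptables code: a director that creates a connection entry and picks a real server on the first packet of a flow, fed a fwmark derived from an iptables-style string match. Addresses, the rule table, the fwmark-to-pool mapping and the tiny "IMG" request protocol are all constructed for the example. The TCP SYN carries no payload, so it is scheduled under the default (unmarked) service; the later request segment does match the string rule, but the existing entry wins. The first UDP datagram carries the request, so the mark is present when the scheduling decision is made.

```python
"""Toy model of an LVS director fed by an iptables string-match/fwmark rule.

Constructed example, not LVS or iptables code.  It models the behaviour
described in the message: the director creates a connection entry and picks
a real server on the first packet of a flow; later packets of that flow
follow the entry, so a mark derived from payload seen later cannot change
the choice.  Addresses, rules and payloads below are made up.
"""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: Addr
    dst: Addr
    payload: bytes = b""  # a TCP SYN carries none; a UDP datagram carries the request
    syn: bool = False


# "iptables -t mangle ... -m string --string <needle> -j MARK --set-mark <n>"
# reduced to a lookup table (constructed rules; mark 0 means unmarked/default).
STRING_RULES: List[Tuple[bytes, int]] = [
    (b"GET /images/", 1),   # HTTP requests for images -> fwmark 1
    (b"IMG ", 1),           # same for a made-up UDP request protocol
]


def string_match_mark(pkt: Packet) -> int:
    """Return the fwmark a string-match rule would set on this packet."""
    for needle, mark in STRING_RULES:
        if needle in pkt.payload:
            return mark
    return 0


class Director:
    """Connection table plus a round-robin scheduler per fwmark virtual service."""

    def __init__(self, services: Dict[int, List[str]]):
        self.pools = {mark: cycle(rs) for mark, rs in services.items()}
        self.conns: Dict[Tuple[str, Addr, Addr], str] = {}

    def handle(self, pkt: Packet, mark: int) -> Tuple[Optional[str], str]:
        """Return (real server, how it was chosen) for one packet."""
        key = (pkt.proto, pkt.src, pkt.dst)
        if key in self.conns:
            # Established flow: the mark is ignored, the existing entry wins.
            return self.conns[key], "existing"
        if pkt.proto == "tcp" and not pkt.syn:
            # Mid-stream TCP segment with no entry: nothing to schedule.
            return None, "no-conn"
        if mark not in self.pools:
            return None, "no-service"
        rs = next(self.pools[mark])
        self.conns[key] = rs
        return rs, "scheduled"


def run_scenario() -> Dict[str, Tuple[Optional[str], str]]:
    """Push a TCP SYN + request and a UDP request through the model."""
    director = Director({
        0: ["10.0.0.1", "10.0.0.2"],  # default virtual service (unmarked)
        1: ["10.0.1.1"],              # fwmark 1 virtual service: image servers
    })
    client = ("192.0.2.10", 40000)
    vip_http = ("203.0.113.1", 80)
    vip_udp = ("203.0.113.1", 9000)

    syn = Packet("tcp", client, vip_http, syn=True)
    req = Packet("tcp", client, vip_http, b"GET /images/logo.png HTTP/1.0\r\n")
    dgram = Packet("udp", client, vip_udp, b"IMG logo.png")

    out = {}
    out["tcp_syn"] = director.handle(syn, string_match_mark(syn))   # mark 0 -> 10.0.0.1
    out["tcp_req"] = director.handle(req, string_match_mark(req))   # mark 1, but entry exists
    out["udp_req"] = director.handle(dgram, string_match_mark(dgram))  # mark 1 -> 10.0.1.1
    return out


if __name__ == "__main__":
    for name, (rs, how) in run_scenario().items():
        print(f"{name:8s} -> {rs} ({how})")
```

One caveat the model shares with the real thing: LVS keeps a connection entry for UDP as well (expired by the UDP timeout), so only the first datagram of a given source/destination pair gets a fresh decision; later datagrams from the same client follow the entry whatever their payload says. That is the "at least at transport-layer level" qualification above.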


