zevenet / zlb

ZEVENET becomes SKUDONET and RELIANOID

LSLB ALL protocol does not listen to UDP #95

Closed kkuphal closed 3 years ago

kkuphal commented 3 years ago

Attempting to configure a simple DNS load balancer to listen on TCP and UDP. Zevenet does not allow for multiple farms on the same IP:PORT so I cannot set one to UDP and one to TCP. Per the documentation, a protocol of ALL on a Virtual IP should listen to all ports. However, it only listens on TCP. I have confirmed this with PortQry.

How can DNS be load balanced with Zevenet as it requires both TCP and UDP?

cano-devel commented 3 years ago

Hello @kkuphal, it should work properly configuring ALL protocols in the L4xNAT farm. I confirmed it with the latest ZEVENET version (5.11.2). You can check the rules created in the load balancer by executing the command "nft list ruleset" via SSH. It should contain two maps like the following (5.5.5.5 is the farm vip):

map nat-services {
    type inet_proto . ipv4_addr : verdict
    elements = { tcp . 5.5.5.5 : goto nat-FARMNAME,
             udp . 5.5.5.5 : goto nat-FARMNAME,
             sctp . 5.5.5.5 : goto nat-FARMNAME }
}

map filter-services {
    type inet_proto . ipv4_addr : verdict
    elements = { tcp . 5.5.5.5 : goto filter-FARMNAME,
             udp . 5.5.5.5 : goto filter-FARMNAME,
             sctp . 5.5.5.5 : goto filter-FARMNAME }
}

If these maps exist the load balancer will forward the traffic to the backends, in this case, the issue could be in the backend or in the PortQry tool.

Best regards

ap-atd commented 3 years ago

Hello,

I can confirm we are seeing a similar issue...

Steps Taken

  1. Created two new Zevenet (5.11.0) VMs on VMware 6.7 from CE ISO.
  2. Configured pair into a cluster.
  3. Tested fail-over on cluster.
  4. Set up simple LSLB > TCP > 53 (Telnet works fine)
  5. Set up simple LSLB > UDP > 53 (Dig works fine)
  6. Set up LSLB > ALL > Backends Forwarding to 53 (Telnet works fine, dig does NOT)
  7. Set up LSLB > ALL > Backends Forwarding without port (Telnet works fine, dig does NOT)

Investigating the "nft list ruleset" output, it appears that the UDP entries are missing...

... snip ...

        map nat-services {
                type ipv4_addr : verdict
                elements = { 172.16.x.x : goto nat-FARM-NAME }
        }

... snip ...

        map filter-services {
                type ipv4_addr : verdict
                elements = { 172.16.x.x : goto filter-FARM-NAME }
        }

... snip ...

        chain filter-FARM-NAME {
                ct state new ct mark 0x00000000 ct mark set numgen random mod 1 map { 0 : 0x80000203 }
        }

        chain nat-FARM-NAME {
                ip protocol tcp ct mark 0x80000203 dnat to 172.16.x.x:53
                <Missing UDP entry?>
        }

I will try to upgrade to the latest version and see if that fixes it.
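A check for the state cano-devel describes and ap-atd observed, as an added example that is not from the thread or the ZEVENET project: it parses `nft list ruleset` output and reports, per service map, which of tcp/udp/sctp have no entry for the farm VIP. The sample rulesets are constructed from the outputs quoted above (172.16.0.10 stands in for the redacted address).

```python
import re

# Expected layout for an L4xNAT farm with protocol ALL, as described in the thread:
# both service maps are keyed "inet_proto . ipv4_addr" and list the VIP per protocol.
EXPECTED_PROTOCOLS = {"tcp", "udp", "sctp"}
EXPECTED_MAPS = ("nat-services", "filter-services")

def parse_services_maps(ruleset):
    """Parse `nft list ruleset` text into {map: {"key_type": str, "vips": {ip: {protos}}}}; assumes IPv4 keys."""
    maps, name, depth, body = {}, None, 0, []
    for line in (l.strip() for l in ruleset.splitlines()):
        if name is None:
            m = re.match(r"^map\s+([\w-]+)\s*\{", line)
            if m:
                name, depth, body = m.group(1), 1, []
            continue
        depth += line.count("{") - line.count("}")
        body.append(line)
        if depth <= 0:  # closing brace of this map: parse what we collected
            maps[name] = _parse_map_body("\n".join(body))
            name = None
    return maps

def _parse_map_body(body):
    key_type = re.search(r"type\s+(.+?)\s*:\s*verdict", body)
    elems = re.search(r"elements\s*=\s*\{(.*?)\}", body, re.S)
    vips = {}
    for element in (elems.group(1).split(",") if elems else []):
        key = element.split(":", 1)[0].strip()  # drop the ": goto <chain>" verdict
        if key:
            *protos, ip = re.split(r"\s+\.\s+", key)  # "udp . 5.5.5.5" -> ["udp"], "5.5.5.5"
            vips.setdefault(ip, set()).update(protos)
    return {"key_type": key_type.group(1).strip() if key_type else "", "vips": vips}

def missing_protocols(ruleset, vip):
    """Per service map, the protocols with no entry for this VIP; an absent map or an ipv4_addr-only map misses all three."""
    maps = parse_services_maps(ruleset)
    return {m: EXPECTED_PROTOCOLS - maps.get(m, {}).get("vips", {}).get(vip, set())
            for m in EXPECTED_MAPS}

# Constructed samples mirroring the thread; 172.16.0.10 stands in for the redacted VIP.
GOOD_RULESET = """map nat-services {
    type inet_proto . ipv4_addr : verdict
    elements = { tcp . 5.5.5.5 : goto nat-FARM, udp . 5.5.5.5 : goto nat-FARM, sctp . 5.5.5.5 : goto nat-FARM }
}
map filter-services {
    type inet_proto . ipv4_addr : verdict
    elements = { tcp . 5.5.5.5 : goto filter-FARM, udp . 5.5.5.5 : goto filter-FARM, sctp . 5.5.5.5 : goto filter-FARM }
}"""
BROKEN_RULESET = """map nat-services {
    type ipv4_addr : verdict
    elements = { 172.16.0.10 : goto nat-FARM }
}"""
```

Run it against the real output captured over SSH and an empty set for both maps means the ALL farm is wired for every protocol, so a remaining DNS failure lies with the backend or the test tool, as cano-devel suggests.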

daymickcorr commented 3 years ago

Hi,

After updating to 5.11.2 through apt the issue is resolved.

Thank you