This is a discussion on "Re: Load Balance with health checks software?" within the IPFilter forums, part of the System Security and Security Related category.
Clifford Heath wrote:
> What you're suggesting requires some of the same things I'd like to
> use for butler, my secret-knock program. Namely, an ipf/ipnat API that
> contains the rule parser and code to manage dynamic rules. As it is,
> I'm going to get butler to call a preprocessor and then run ipf. I
> suppose that the ipf command line forms a type of API, but it isn't
> as powerful as I'd like.
>
> An API would also support the construction of a rule-management user
> interface, perhaps remote, which would be a good thing.

Spawning ipf/ipnat to send it rules would work, but be somewhat undesirable. It would be nicer if, as you suggest, sufficient support with rules could be lifted into a libipf or similar - so that one could talk directly with the kernel (without having to talk directly with the kernel). But, if I understand things correctly, it should be possible for me to also send ioctl()s to accomplish the rules add/remove - that is what the commands do AFAIK. If the ioctl()s did not change too often between version revisions, that could be stable enough to be worth doing.

> I believe it can if you don't use -F (for flush).

Ah! I hadn't taken the seconds it would take to read the man-page. I just assumed everything would go according to the plan.. :)

> I'm not familiar with the work that's happening in the Linux world, but I
> do know that there's been a lot of work on iptables & ipchains, so perhaps
> they would be alternatives for you.

I would rather not run Linux. Also it would be preferable to invest a little time to make something that would work on all OSs. Failing that, work on all that support IPFilter :)

>> I would imagine I could potentially also add rules to "log" any RST
>
> Meaning that the service has gone down but not the computer.

That would be useful. Just a means of detecting a shutdown service faster. I was concerned about the potential DOS side-effects if I went to trust this RST directly. But I suppose you could just trigger an immediate "service-recheck" instead of trusting it implicitly. I have never done any rules with "log" yet, so I only have a vague idea of how they work. I'm guessing I can read /dev/ipmon to read any rules that were hit by a "log" entry.

Thanks to those that have replied. I'm somewhat spoiling for another interesting project to work on, so I might end up working on this for the fun of it.

Lund

--
Jorgen Lundman       | <lundman@lundman.net>
Unix Administrator   | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo    | +81 (0)90-5578-8500 (cell)
Japan                | +81 (0)3 -3375-1767 (home)
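The "recheck instead of trusting the RST" idea from the reply above, as an added example that is not code from the thread or from IPFilter: a logged RST only triggers an immediate active TCP connect check, and a backend is taken out of rotation only after a threshold of failed active checks, so a spoofed or spurious RST cannot by itself cause the denial-of-service the poster worried about. The `Backend`, `on_rst_observed` and `FAIL_THRESHOLD` names are assumptions of this example; the demo uses a constructed local listener in place of a real backend.

```python
import socket
from dataclasses import dataclass


@dataclass
class Backend:
    host: str
    port: int
    healthy: bool = True
    failures: int = 0  # consecutive failed active checks


# Assumed policy: two failed active checks in a row before marking a backend down.
FAIL_THRESHOLD = 2


def active_check(backend: Backend, timeout: float = 1.0) -> bool:
    """Real TCP connect to the service port; this is the only evidence acted on."""
    try:
        with socket.create_connection((backend.host, backend.port), timeout=timeout):
            return True
    except OSError:
        return False


def on_rst_observed(backend: Backend) -> bool:
    """Handle an RST seen in the firewall log as a hint only.

    The RST schedules an immediate recheck; it never changes state directly,
    so a forged RST cannot evict a healthy backend. Returns health after the recheck.
    """
    if active_check(backend):
        backend.failures = 0
        backend.healthy = True
    else:
        backend.failures += 1
        if backend.failures >= FAIL_THRESHOLD:
            backend.healthy = False
    return backend.healthy


def demo():
    """Constructed scenario: a local listener stands in for the backend."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    backend = Backend("127.0.0.1", listener.getsockname()[1])
    results = [on_rst_observed(backend)]    # spurious RST while service is up: stays healthy
    listener.close()                         # now the service really is gone
    results.append(on_rst_observed(backend))  # first failed recheck: not yet marked down
    results.append(on_rst_observed(backend))  # second failure: threshold reached, marked down
    return results


if __name__ == "__main__":
    print(demo())
```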