HP-UX IPFilter Version 17 Administrator's Guide
When a packet comes in, IPFilter first evaluates the NAT rules. IPFilter rewrites the destination
address and port number based on the NAT rule. IPFilter then evaluates the filter rules. With
the rewritten destination address and port number, the packet matches the pass in rule.
6.4.3 Using the rdr and round-robin Keywords for Load Balancing
You can use the rdr keyword with the round-robin keyword to implement load-balancing
systems and redirect traffic to multiple addresses. Separate the target addresses with a comma.
For example:
rdr lan0 20.20.20.5/32 port 80 -> 192.168.0.5,192.168.0.6 port 8000 round-robin
You can specify only two target addresses in each round-robin rule, but you can configure
two rdr rules for the same interface, for a total of four target addresses. IPFilter load balances
the packets equally across all four target addresses. For example:
rdr lan0 0.0.0.0 -> 192.168.0.1,192.168.0.2 round-robin
rdr lan0 0.0.0.0 -> 192.168.0.3,192.168.0.4 round-robin
6.4.4 Sticky NAT Sessions
NAT sessions can be redirected to the same destination IP to achieve source IP-based persistence.
This feature works only with rdr NAT rules.
The following example creates sticky sessions, with all packets coming to 10.1.1.40 redirected to
10.1.1.41 and 10.1.1.27. The round-robin algorithm is used for load balancing, and the sticky
session feature ensures that all subsequent packets from a source go to the same IP address as
its first packet.
rdr lan4 10.1.1.40/32 port 23 -> 10.1.1.41,10.1.1.27 port 23 tcp round-robin sticky
For more information, see the ipnat(4) manpage.
NOTE: This is available only on HP-UX 11i v3.
6.4.5 Checking Connection Health with l4check
A load balancer continually checks the health of the servers to ensure that client connections are
not forwarded to servers that are down or have failed. Sometimes the server itself is up and
responsive, but the application it is hosting is dead or unresponsive.
Health checks can be in-band or out-of-band checks. In-band checks use the traffic flow between
clients and servers to check server health. For example, the health of a TCP-based application is
checked by monitoring the TCP 3-way handshake. An incomplete handshake indicates that the
server or application is not working. This check can be followed by additional checks to confirm
the situation. Out-of-band health checks are explicit health checks made by the load balancer.
The l4check utility monitors for dead IP/port pairs and dynamically removes them from the
list of load-balanced IP addresses. The utility reads its configuration from the
/etc/opt/ipf/l4check.conf file, which specifies the remote IP addresses of the servers
to which connection requests are redirected.
NOTE: This is available only on HP-UX 11i v3.
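The following Python program is an added example, not part of the HP-UX IPFilter guide and not the l4check utility itself. It illustrates both the out-of-band health check described above (an explicit TCP connect, which only succeeds if the 3-way handshake completes) and the rule-building constraint from section 6.4.3 (at most two target addresses per round-robin rdr rule, so a longer backend list is split across several rules). The interface name, virtual IP and backend addresses are taken from the guide's examples; the loopback listener used by local_demo() is a constructed stand-in for a real server, and the function names are this example's own.

```python
"""Out-of-band TCP health check feeding rdr round-robin rules.

Added example for the HP-UX IPFilter guide (not the guide's own code and
not l4check): each backend is probed with a full TCP connect, and rdr rules
are rebuilt from the backends that answered.
"""
import socket
from typing import Iterable, List, Optional, Tuple

Backend = Tuple[str, int]  # (IP address, port)


def tcp_handshake_ok(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    A refused or timed-out connect means the server, or the application
    listening on that port, is not accepting connections (the 3-way
    handshake never completed), so the pair is treated as dead.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def live_backends(backends: Iterable[Backend], timeout: float = 2.0) -> List[Backend]:
    """Filter the backend list down to the IP/port pairs that pass the check."""
    return [b for b in backends if tcp_handshake_ok(b[0], b[1], timeout)]


def build_rdr_rules(interface: str, vip: str, vip_port: int,
                    backends: List[Backend], proto: Optional[str] = None,
                    sticky: bool = False) -> List[str]:
    """Render ipnat rdr rules in the 'vip/32 port N -> a,b port M' form.

    A round-robin rule accepts at most two target addresses, so backends are
    split into pairs and one rule is emitted per pair. A rule carries a single
    target port, so both targets in a pair must share it. 'proto' (e.g. "tcp")
    and 'sticky' are appended only when requested, matching the guide's
    examples.
    """
    rules = []
    for i in range(0, len(backends), 2):
        pair = backends[i:i + 2]
        ports = {p for _, p in pair}
        if len(ports) != 1:
            raise ValueError("targets in one rdr rule must share a port")
        targets = ",".join(host for host, _ in pair)
        rule = f"rdr {interface} {vip}/32 port {vip_port} -> {targets} port {ports.pop()}"
        if proto:
            rule += f" {proto}"
        rule += " round-robin"
        if sticky:
            rule += " sticky"
        rules.append(rule)
    return rules


def local_demo() -> dict:
    """Run the check against two constructed loopback backends.

    One socket is left listening (healthy); a second port is bound and then
    released, so nothing listens on it (dead). Returns what the check found
    and the rdr rule built from the healthy backends only.
    """
    live = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    live.bind(("127.0.0.1", 0))
    live.listen(1)
    live_port = live.getsockname()[1]

    dead = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    dead.bind(("127.0.0.1", 0))
    dead_port = dead.getsockname()[1]
    dead.close()  # port released: connects here are refused

    backends = [("127.0.0.1", live_port), ("127.0.0.1", dead_port)]
    try:
        healthy = live_backends(backends, timeout=1.0)
    finally:
        live.close()
    return {
        "live_port": live_port,
        "dead_port": dead_port,
        "healthy": healthy,
        "rules": build_rdr_rules("lan0", "20.20.20.5", 80, healthy),
    }


if __name__ == "__main__":
    for line in build_rdr_rules("lan4", "10.1.1.40", 23,
                                [("10.1.1.41", 23), ("10.1.1.27", 23)],
                                proto="tcp", sticky=True):
        print(line)
    print(local_demo())
```

On a real system the output of build_rdr_rules() would be loaded with ipnat after the old rules for that VIP are removed; the guide's own mechanism for this is l4check with /etc/opt/ipf/l4check.conf, and this example only makes the underlying check and rule shape visible.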
6.4.5.1 Syntax
l4check -f <config file>
6.4.5.2 Options
-n Stops action. No NAT rules are added or deleted.
-v Turns on verbose output.
6.4 rdr: Redirecting Inbound Packets 69