
T5171: Use XML for loadbalancing wan instead of old templates #1973

Merged
merged 1 commit into vyos:current from the T5171 branch on May 4, 2023

Conversation

sever-sever
Member

@sever-sever sever-sever commented Apr 28, 2023

Change Summary

Use XML and python3 for load-balancing wan
Use Jinja2 templates instead of old vyatta-wanloadbalance.pl to
generate configuration /run/load-balance/wlb.conf which is used by /opt/vyatta/sbin/wan_lb

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related PR

vyos/vyatta-wanloadbalance#17

Related Task(s)

Component(s) name

loadbalancing

Proposed changes

How to test

VyOS configuration

set load-balancing wan disable-source-nat
set load-balancing wan enable-local-traffic
set load-balancing wan flush-connections
set load-balancing wan hook '/bin/true'
set load-balancing wan interface-health eth1 failure-count '1'
set load-balancing wan interface-health eth1 nexthop 'dhcp'
set load-balancing wan interface-health eth1 success-count '1'
set load-balancing wan interface-health eth1 test 10 resp-time '5'
set load-balancing wan interface-health eth1 test 10 target '1.1.1.1'
set load-balancing wan interface-health eth1 test 10 ttl-limit '20'
set load-balancing wan interface-health eth1 test 10 type 'ping'
set load-balancing wan interface-health eth1 test 20 resp-time '5'
set load-balancing wan interface-health eth1 test 20 target '1.1.1.1'
set load-balancing wan interface-health eth1 test 20 ttl-limit '23'
set load-balancing wan interface-health eth1 test 20 type 'ttl'
set load-balancing wan interface-health eth1 test 30 resp-time '5'
set load-balancing wan interface-health eth1 test 30 test-script '/bin/true'
set load-balancing wan interface-health eth1 test 30 ttl-limit '1'
set load-balancing wan interface-health eth1 test 30 type 'user-defined'
set load-balancing wan interface-health eth2 failure-count '1'
set load-balancing wan interface-health eth2 nexthop 'dhcp'
set load-balancing wan interface-health eth2 success-count '1'
set load-balancing wan rule 10 inbound-interface 'eth3'
set load-balancing wan rule 10 interface eth1 weight '1'
set load-balancing wan rule 10 interface eth2 weight '1'
set load-balancing wan rule 10 per-packet-balancing
set load-balancing wan rule 10 protocol 'all'
set load-balancing wan rule 10 source address '198.51.100.0/24'
set load-balancing wan rule 20 destination port '22'
set load-balancing wan rule 20 failover
set load-balancing wan rule 20 inbound-interface 'eth4'
set load-balancing wan rule 20 interface eth1 weight '10'
set load-balancing wan rule 20 interface eth2 weight '1'
set load-balancing wan rule 20 protocol 'tcp'
set load-balancing wan rule 20 source address '192.0.2.0/28'
set load-balancing wan rule 30 destination address '192.0.2.72'
set load-balancing wan rule 30 exclude
set load-balancing wan rule 30 inbound-interface 'eth4'
set load-balancing wan rule 30 protocol 'tcp'
set load-balancing wan rule 40 failover
set load-balancing wan rule 40 inbound-interface 'eth4'
set load-balancing wan rule 40 interface eth1 weight '10'
set load-balancing wan rule 40 interface eth2 weight '1'
set load-balancing wan rule 40 limit burst '5'
set load-balancing wan rule 40 protocol 'tcp'
set load-balancing wan rule 40 source address '192.0.2.0/25'
set load-balancing wan rule 40 source port '2000-25000'
set load-balancing wan sticky-connections inbound

Check processes:

vyos@r14# ps ax | grep load
  23247 ?        S      0:00 /opt/vyatta/sbin/wan_lb -f /run/load-balance/wlb.conf -d -i /var/run/vyatta/wlb.pid
  23248 ?        S      0:00 /opt/vyatta/sbin/wan_lb -f /run/load-balance/wlb.conf -d -i /var/run/vyatta/wlb.pid

Show loadbalancing

vyos@r14# run show w
wan-load-balance  webproxy          
[edit]
vyos@r14# run show wan-load-balance 
Interface:  eth1
  Status:  active
  Last Status Change:  Tue May  2 12:41:39 2023
  -Test:  ping  Target: 1.1.1.1
  -Test:  ttl   Target: 1.1.1.1
  +Test:  user  Script: /bin/true
    Last Interface Success:  0s 
    Last Interface Failure:  n/a                
    # Interface Failure(s):  0

Interface:  eth2
  Status:  active
  Last Status Change:  Tue May  2 12:41:55 2023
  +Test:  ping  Target: 192.168.100.1
    Last Interface Success:  5s 
    Last Interface Failure:  1m1s       
    # Interface Failure(s):  0

[edit]
vyos@r14#

Generated wlb.conf

vyos@r14# cat /run/load-balance/wlb.conf 
# Generated by /usr/libexec/vyos/conf_mode/load-balancing-wan.py

disable-source-nat
enable-local-traffic
sticky-connections inbound
flush-conntrack
hook "/bin/true"
health {
    interface eth1 {
        failure-ct  1
        success-ct  1
        nexthop dhcp
        rule 10 {
            type ping {
                target 1.1.1.1 
                resp-time 5000
            }
        }
        rule 20 {
            type udp {
                ttl 23
                target 1.1.1.1 
                resp-time 5000
            }
        }
        rule 30 {
            type user-defined {
                test-script /bin/true
                resp-time 5000
            }
        }
    }
    interface eth2 {
        failure-ct  1
        success-ct  1
        nexthop dhcp
    }
}

rule 10 {
    per-packet-balancing
    protocol all
    source {
        address "198.51.100.0/24"
    }
    inbound-interface eth3
    interface eth1 {
        weight 1
    }
    interface eth2 {
        weight 1
    }
}
rule 20 {
    failover
    protocol tcp
    destination {
        port-ipt " --dport 22"
    }
    source {
        address "192.0.2.0/28"
    }
    inbound-interface eth4
    interface eth1 {
        weight 10
    }
    interface eth2 {
        weight 1
    }
}
rule 30 {
    exclude
    protocol tcp
    destination {
        address "192.0.2.72"
    }
    inbound-interface eth4
}
rule 40 {
    failover
    limit {
        burst 5
        rate 5
        period second
        thresh below
        }
    protocol tcp
    source {
        address "192.0.2.0/25"
        port-ipt "-m multiport  --sports 2000:25000"
    }
    inbound-interface eth4
    interface eth1 {
        weight 10
    }
    interface eth2 {
        weight 1
    }
}

Nftable table mangle:

vyos@r14# sudo nft list table ip mangle
# Warning: table ip mangle is managed by iptables-nft, do not touch!
table ip mangle {
	chain PREROUTING {
		type filter hook prerouting priority mangle; policy accept;
		iifname "eth2" ct state new counter packets 0 bytes 0 jump ISP_eth2_IN
		iifname "eth1" ct state new counter packets 0 bytes 0 jump ISP_eth1_IN
		counter packets 804 bytes 131832 jump WANLOADBALANCE_PRE
	}

	chain OUTPUT {
		type route hook output priority mangle; policy accept;
		counter packets 635 bytes 137996 jump WANLOADBALANCE_OUT
	}

	chain WANLOADBALANCE_PRE {
		iifname "eth3" ip saddr 198.51.100.0/24 meta random & 2147483647 < 1073741824 counter packets 0 bytes 0 jump ISP_eth1
		iifname "eth3" ip saddr 198.51.100.0/24 counter packets 0 bytes 0 jump ISP_eth2
		iifname "eth3" ip saddr 198.51.100.0/24 counter packets 0 bytes 0 meta mark set ct mark
		iifname "eth4" ip saddr 192.0.2.0/28 tcp dport 22 ct state new counter packets 0 bytes 0 jump ISP_eth1
		iifname "eth4" ip saddr 192.0.2.0/28 tcp dport 22 counter packets 0 bytes 0 meta mark set ct mark
		iifname "eth4" meta l4proto tcp ip daddr 192.0.2.72 counter packets 0 bytes 0 accept
		iifname "eth4" meta l4proto tcp ip saddr 192.0.2.0/25 tcp sport 2000-25000 limit rate 5/second counter packets 0 bytes 0 jump WANLOADBALANCE_PRE_LIMIT_40
		iifname "eth4" meta l4proto tcp ip saddr 192.0.2.0/25 tcp sport 2000-25000 counter packets 0 bytes 0 meta mark set ct mark
	}

	chain WANLOADBALANCE_OUT {
		meta mark != 0x00000000 counter packets 0 bytes 0 accept
		meta l4proto icmp ip protocol icmp counter packets 86 bytes 6872 accept
		ip saddr 127.0.0.0/8 ip daddr 127.0.0.0/8 counter packets 0 bytes 0 accept
		oifname != "eth3" ip saddr 198.51.100.0/24 meta random & 2147483647 < 1073741824 counter packets 0 bytes 0 jump ISP_eth1
		oifname != "eth3" ip saddr 198.51.100.0/24 counter packets 0 bytes 0 jump ISP_eth2
		oifname != "eth3" ip saddr 198.51.100.0/24 counter packets 0 bytes 0 meta mark set ct mark
		oifname != "eth4" ip saddr 192.0.2.0/28 tcp dport 22 ct state new counter packets 0 bytes 0 jump ISP_eth1
		oifname != "eth4" ip saddr 192.0.2.0/28 tcp dport 22 counter packets 0 bytes 0 meta mark set ct mark
		meta l4proto tcp ip daddr 192.0.2.72 counter packets 0 bytes 0 accept
		oifname != "eth4" meta l4proto tcp ip saddr 192.0.2.0/25 tcp sport 2000-25000 limit rate 5/second counter packets 0 bytes 0 jump WANLOADBALANCE_OUT_LIMIT_40
		oifname != "eth4" meta l4proto tcp ip saddr 192.0.2.0/25 tcp sport 2000-25000 counter packets 0 bytes 0 meta mark set ct mark
	}

	chain ISP_eth1 {
		counter packets 0 bytes 0 ct mark set 0xc9
		counter packets 0 bytes 0 meta mark set 0xc9
		counter packets 0 bytes 0 accept
	}

	chain ISP_eth1_IN {
		counter packets 0 bytes 0 ct mark set 0xc9
	}

	chain ISP_eth2 {
		counter packets 0 bytes 0 ct mark set 0xca
		counter packets 0 bytes 0 meta mark set 0xca
		counter packets 0 bytes 0 accept
	}

	chain ISP_eth2_IN {
		counter packets 0 bytes 0 ct mark set 0xca
	}

	chain WANLOADBALANCE_PRE_LIMIT_40 {
		ct state new counter packets 0 bytes 0 jump ISP_eth1
	}

	chain WANLOADBALANCE_OUT_LIMIT_40 {
		ct state new counter packets 0 bytes 0 jump ISP_eth1
	}
}

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
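The PR's core change is that wlb.conf is now rendered from the parsed CLI configuration instead of by the old Perl script. The following is an added example, not VyOS project code: it turns a handful of `set load-balancing wan ...` lines into a nested dict and renders the flag and `health` parts of wlb.conf in the layout the generated file above shows (resp-time given in seconds written as milliseconds, a `ttl` test written as `type udp` with a `ttl` line, `flush-connections` written as `flush-conntrack`, bare flags on their own line). The input is constructed from the test configuration in this PR; the "quoted trailing token is the value" convention and the requirement that failure-count, success-count and nexthop are all present are assumptions of this example, not of the VyOS parser.

```python
"""Added example, not VyOS project code: parse `set load-balancing wan ...`
lines into a nested dict and render the flags and health block of wlb.conf
in the layout the PR's generated file shows."""
import shlex

# Constructed input, taken from the PR's test configuration (subset).
CONSTRUCTED_CONFIG = """
set load-balancing wan disable-source-nat
set load-balancing wan flush-connections
set load-balancing wan hook '/bin/true'
set load-balancing wan interface-health eth1 failure-count '1'
set load-balancing wan interface-health eth1 nexthop 'dhcp'
set load-balancing wan interface-health eth1 success-count '1'
set load-balancing wan interface-health eth1 test 10 resp-time '5'
set load-balancing wan interface-health eth1 test 10 target '1.1.1.1'
set load-balancing wan interface-health eth1 test 10 type 'ping'
set load-balancing wan interface-health eth1 test 20 resp-time '5'
set load-balancing wan interface-health eth1 test 20 target '1.1.1.1'
set load-balancing wan interface-health eth1 test 20 ttl-limit '23'
set load-balancing wan interface-health eth1 test 20 type 'ttl'
set load-balancing wan interface-health eth1 test 30 resp-time '5'
set load-balancing wan interface-health eth1 test 30 test-script '/bin/true'
set load-balancing wan interface-health eth1 test 30 type 'user-defined'
set load-balancing wan interface-health eth2 failure-count '1'
set load-balancing wan interface-health eth2 nexthop 'dhcp'
set load-balancing wan interface-health eth2 success-count '1'
set load-balancing wan sticky-connections inbound
"""

# CLI flag -> wlb.conf keyword (flush-connections is renamed in the file).
FLAG_NAMES = [('disable-source-nat', 'disable-source-nat'),
              ('enable-local-traffic', 'enable-local-traffic'),
              ('flush-connections', 'flush-conntrack')]
# CLI test type -> wlb.conf test type (a 'ttl' test is a UDP probe).
TEST_TYPES = {'ping': 'ping', 'ttl': 'udp', 'user-defined': 'user-defined'}


def parse_set_commands(text):
    """Build a nested dict from `set <path...> ['<value>']` lines.
    Assumption of this example: a quoted trailing token is the leaf value,
    an unquoted trailing token is a valueless node (e.g. 'failover')."""
    root = {}
    for raw in text.strip().splitlines():
        tokens = shlex.split(raw)          # strips the quotes around values
        if tokens[:1] != ['set']:
            raise ValueError(f'not a set command: {raw!r}')
        if raw.rstrip().endswith("'"):
            *path, value = tokens[1:]
        else:
            path, value = tokens[1:], None
        node = root
        for key in path[:-1]:
            node = node.setdefault(key, {})
        if value is None:
            node.setdefault(path[-1], {})
        else:
            node[path[-1]] = value
    return root


def render_flags(wan):
    """Top-of-file keywords, in the order the generated wlb.conf uses."""
    out = [name for key, name in FLAG_NAMES[:2] if key in wan]
    out += [f'sticky-connections {m}' for m in wan.get('sticky-connections', {})]
    out += [name for key, name in FLAG_NAMES[2:] if key in wan]
    if 'hook' in wan:
        out.append(f'hook "{wan["hook"]}"')
    return out


def render_health(wan):
    """The `health { interface X { ... } }` block; resp-time in ms."""
    out = ['health {']
    for iface, cfg in wan.get('interface-health', {}).items():
        out += [f'    interface {iface} {{',
                f"        failure-ct  {cfg['failure-count']}",
                f"        success-ct  {cfg['success-count']}",
                f"        nexthop {cfg['nexthop']}"]
        for num, test in cfg.get('test', {}).items():
            kind = test['type']
            out += [f'        rule {num} {{', f'            type {TEST_TYPES[kind]} {{']
            if kind == 'ttl':
                out.append(f"                ttl {test['ttl-limit']}")
            if kind == 'user-defined':
                out.append(f"                test-script {test['test-script']}")
            else:
                out.append(f"                target {test['target']}")
            out += [f"                resp-time {int(test['resp-time']) * 1000}",
                    '            }', '        }']
        out.append('    }')
    out.append('}')
    return '\n'.join(out)


def render_wlb(wan):
    return '\n'.join(render_flags(wan) + [''] + [render_health(wan)])


if __name__ == '__main__':
    tree = parse_set_commands(CONSTRUCTED_CONFIG)
    print(render_wlb(tree['load-balancing']['wan']))
```

Running it prints the same `health { interface eth1 { ... rule 20 { type udp { ttl 23 ... } } } }` structure that appears in the generated wlb.conf above, which is a convenient way to diff a template change against a known-good file before touching a router.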

@vyosbot vyosbot requested review from a team, dmbaturin, sarthurdev, zdc, jestabro and c-po and removed request for a team April 28, 2023 10:35
@sever-sever sever-sever marked this pull request as draft April 28, 2023 10:35
@sever-sever sever-sever force-pushed the T5171 branch 7 times, most recently from 48c0913 to 96f6033, May 2, 2023 09:32
@sever-sever sever-sever marked this pull request as ready for review May 2, 2023 09:39
@vyosbot vyosbot requested a review from a team May 2, 2023 09:39
@sever-sever
Member Author

Loadbalancing test fixed

vyos@r14:~$ /usr/libexec/vyos/tests/smoke/cli/test_load_balancing_wan.py
test_check_chains (__main__.TestLoadBalancingWan.test_check_chains) ... ok
test_table_routes (__main__.TestLoadBalancingWan.test_table_routes) ... ok

----------------------------------------------------------------------
Ran 2 tests in 19.605s

OK
vyos@r14:~$

Use XML and python3 for 'load-balancing wan'
Use Jinja2 templates instead of old vyatta-wanloadbalance.pl to
generate configuration '/run/load-balance/wlb.conf' which is used by
/opt/vyatta/sbin/wan_lb
Member

@dmbaturin dmbaturin left a comment


I wonder if it's worthwhile to also convert the daemon init script to a systemd unit. If load balancing in its current form is to stay in 1.4, it probably is, because it will give us automatic restarts of the daemon after crashes etc.

@c-po c-po merged commit ba81c15 into vyos:current May 4, 2023
@c-po
Member

c-po commented May 4, 2023

I wonder if it's worthwhile to also convert the daemon init script to a systemd unit. If load balancing in its current form is to stay in 1.4, it probably is, because it will give us automatic restarts of the daemon after crashes etc.

Good idea for an upcoming PR

@sever-sever sever-sever deleted the T5171 branch May 10, 2023 08:07