
nftlb developers guide

Overview

nftlb relies on the netfilter/nftables Linux networking stack. This stack provides new concepts and abilities that need to fit into the current load balancing design.

This article aims to give an overview of how the nftables load balancer data path and control path are designed.

Data Path Hooks

These are the Netfilter hooks that nftlb uses, taking advantage of the configurable chains. New concepts like connection tracking offload need to be included in order to accelerate established connections forwarded to the backends.

                                                                  ------------
                                                                 |    DNSBL   |
                                                                  ------------
                                                                       |
                                                                     queue
                      ingress                                          |  prerouting                      forward         postrouting
      ------------ ------------- --------------                   ------------ -------                 --------------       -------
     |   filter   |    filter   |    filter    |                 |   filter   |  nat  |               |    filter    |     |  nat  |
     |     0      |    50-99    |     100      |                 |    -150    |   0   |               |      0       |     |  100  | 
 --> |            |             | Sec Policies |-( Conntrack )-> | Sec Limits |       |-( Routing )-> |              | --> |       |
     | Clustering | Flow tables | DSR          |           VS{}  | Helpers    | dNAT  |         VS{}  | Flow offload |     |  sNAT |
     |            |             | stless dNAT  |                 | Marks      |       |                --------------       -------
      ------------ ------------- --------------                   ------------ ------- 

ingress

(0) filter: Reserved for clustering management. Not yet included in nftlb.
(50-99) filter: Reserved for flow tables acceleration. Not yet included in nftlb.
(100) filter: Reserved, in order, for: Security Policies (blacklists and whitelists), Direct Server Return and Stateless dNAT topologies.

prerouting

(-150) filter: Reserved for Security Limits per virtual service or per backend, such as: maximum number of established connections, limit of TCP RST per second, limit of TCP SYN per second, drop of non-strict TCP connections, queue to a DNSBL service, virtual service and backend marks, use of helpers, and logging of input connections per virtual service.
(0) nat: Reserved for destination NAT mangling.

forward

(0) filter: Reserved for flow offload. Not yet included in nftlb.

postrouting

(100) nat: Reserved for source NAT mangling (the sNAT stage in the diagram above).
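The following ruleset is an added example, not the ruleset nftlb itself generates: it places one nftables chain at each hook and priority listed above, with one representative rule per chain so the stages can be seen end to end. The interface name "eth0", the virtual address 192.0.2.10, the backend addresses 10.0.0.11/10.0.0.12 and the SNAT address 10.0.0.1 are assumed values; the ingress stage must live in a netdev-family table bound to a device, while the rest fits in an ip-family table.

```nft
# Added example, not nftlb's own output. Device, VIP and backend addresses are assumed.

table netdev nftlb_ingress {
    # Blacklist consulted by the Security Policies stage (ingress, priority 100).
    set blacklist {
        type ipv4_addr
        flags interval
    }

    chain sec_policies {
        # ingress priority 100: security policies (black/whitelists), DSR, stateless dNAT
        type filter hook ingress device "eth0" priority 100; policy accept;
        ip saddr @blacklist drop
    }
}

table ip nftlb {
    chain sec_limits {
        # prerouting priority -150: per-service limits and marks, before conntrack NAT
        type filter hook prerouting priority -150; policy accept;
        # Drop SYNs to the virtual service above an assumed rate of 1000/s.
        ip daddr 192.0.2.10 tcp dport 80 tcp flags syn limit rate over 1000/second drop
        # Mark new connections to the virtual service for later stages.
        ip daddr 192.0.2.10 tcp dport 80 ct state new meta mark set 0x1
    }

    chain dnat {
        # prerouting priority 0: destination NAT to one of the backends
        type nat hook prerouting priority 0; policy accept;
        ip daddr 192.0.2.10 tcp dport 80 dnat to numgen random mod 2 map { 0 : 10.0.0.11, 1 : 10.0.0.12 }
    }

    chain fwd {
        # forward priority 0: reserved for flow offload (empty here)
        type filter hook forward priority 0; policy accept;
    }

    chain snat {
        # postrouting priority 100: source NAT so backend replies return through the balancer
        type nat hook postrouting priority 100; policy accept;
        ip daddr { 10.0.0.11, 10.0.0.12 } tcp dport 80 snat to 10.0.0.1
    }
}
```

Loading it with `nft -f` and then listing the ruleset shows each chain attached at the priority from the table above; the negative priority of sec_limits is what keeps the limit and mark rules ahead of the prerouting nat chain, which is the ordering the design relies on.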

Control Path

The nftlb control path is designed as a daemon that provides a simple HTTP server with an API, or as a standalone binary that accepts a configuration file in JSON format.


                -------------   translation     -------------             --------
   JSON API    |             |   objs to nft   |             |  netlink  |        |
 ------------> | http server | --------------> | libnftables | --------> | kernel |
               |             |        |        |             |           |        |
                -------------         |         -------------             --------
                                      |               netlink                |
                                       ---------------------------------------