May 26, 2018

L4 health check daemon for IPFILTER

The idea is that IPFilter in its current state can already do a simple L4 round-robin in its NAT rules. However, it does not detect or sense when a service and/or host is down. It will continue to send requests to a downed service/host.

However, IPFilter lets us add and remove rules on-the-fly so it should be possible to build a daemon that lets you specify “clusters”. In each cluster you would specify its members/hosts and services. As well as a health-check for the service to determine its current state.

Once a service was deemed “up” we would add a Round-Robin rule to the NAT table, and naturally, the reverse once we detect a service as being “down”.

In addition to this, this program can optionally add ipf rules to log for RST reset packets coming from the members of your clusters. In the situations where the software/port goes down, but the host itself is still working, we would detect failure instantly. Since the forwarded connections to the service would trigger a RST packet back. If this option is enabled, l4ip spawns the “ipmon” command to monitor for the “log” entries given when such a packet is detected. l4ip will then mark the service down. This is an add-on feature and is strictly not necessary for functional usage. It is currently only supported for TCP.

WWW http//