These two pages were the beginning of Load Balancing with nftables project, developed between Pablo Neira (Netfilter Core Team) and Laura García (Zen Load Balancer Team) and presented at the last Netdev 1.2 Conference in Tokyo along with its benchmarks where were proved that nftables from ingress reaches a performance almost 10 times faster than LVS.
We mainly have implemented two new expressions to the nft infrastructure in order to provide load balancing properties: nft_numgen, with 2 main operations incremental to perform round robin connections scheduling and random to create weighted scheduling, and nft_hash to provide persistence according to an input register.
Through the prerouting and postrouting hooks, we can implement source NAT and destination NAT topologies, meanwhile LVS only allows sNAT. Also, Direct Server Return topology could be performed via ingress, which is a very early stage of an incoming packet so the performance is much better. Here we display some benchmarks presented for IPv4 with HTTP flows:
As it’s shown in the graph above, NAT topologies between nftables and LVS have no much difference in performance, meanwhile DSR topology in nftables could perform almost 10x faster than LVS.
With IPv6 we got similar results to IPV4 but the number of HTTP requests per seconds has been improved in general for all cases. Load Balancing with nftables from ingress can reach more than 430 thousands of HTTP requests per seconds with less than 1% of CPU and almost 6x faster than LVS.
Following our Microsoft technical articles series, we've published how to load balance NTLM authentication based web applications dedicated to layer 4 but also layer 7 advanced options. Firstly, we explain…