Hello!
On Sun, Oct 5, 2014 at 9:23 AM, vincent.mc.li wrote:
> It is a common problem when the system is under connection load and there is only one
> source IP and the ~2^16 port limitation
> for server-side connections in F5 BIG-IP too, so there is a feature in BIG-IP to
> have a pool of source IPs to use
> for server-side connections, and each source IP gets ~2^16 ports; that is a way
> to mitigate the port exhaustion issue.
>
Yes.
> The reason I mention the above here is that I am wondering if nginx could have a similar
> feature to use a pool of source IPs for upstream
> connections. I looked, and there is a proxy_bind
> http://wiki.nginx.org/HttpProxyModule#proxy_bind, but that can only bind to
> one source IP.
> Is it possible to extend it to bind to more than one source IP? Or develop an
> upstream directive "source_ip", like the upstream directive "server", to have a pool
> of "source_ip" entries for
> upstream connections?
>
Yes, we could implement a bind() method for cosockets but there's a
caveat at least for Linux systems (not sure about other OSes,
comments?): the bind() and connect() call sequence will not give us
more ephemeral ports when only binding to multiple local IP addresses
(that is, without specifying a local port number to bind to at the
same time). See the following post for details:
http://aleccolocco.blogspot.com/2008/11/ephemeral-ports-problem-and-solution.html
So for such (broken) systems which do not assign ephemeral ports
automatically when an "incomplete" bind() is used before connect(), we
need to do the port bookkeeping ourselves in userland. Alas.
Though the Lua programmer can implement this on the Lua land, it can
be tricky for the user Lua code to actually know when an upstream
(cosocket) connection is closed and its port can be reused. So it's
better implemented in the cosocket facility itself.
> I am a newbie to nginx, but I could help develop this feature if it is not
> too complicated and with some expert guidance.
>
The bind() method implementation itself should be easy. Just steal
proxy_bind's stuff. But to really solve the ephemeral port range
problem with bind() everywhere (including Linux), we definitely need
to do more work :) And yeah, patches welcome, as always :)
Best regards,
-agentzh
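As an added example (not code from this thread, nginx or OpenResty), here is the userland port bookkeeping agentzh describes, in Python: a pool of source IPs, each with its own port range, handing out a complete (ip, port) pair to bind() before connect() and reclaiming the pair when the caller closes the connection. The IP addresses, port range and function names are assumptions for illustration.

```python
import socket
from collections import deque


class SourcePool:
    """Tracks free (ip, port) pairs across several local source IPs."""

    def __init__(self, ips, port_lo=32768, port_hi=60999):
        # One FIFO of free ports per IP; FIFO order delays reuse of a port
        # that was just released, which is friendlier to TIME_WAIT.
        self.free = {ip: deque(range(port_lo, port_hi + 1)) for ip in ips}
        self.in_use = set()
        self.order = deque(ips)  # round-robin over the source IPs

    def acquire(self):
        """Return a free (ip, port) pair; raise OSError when all are in use."""
        for _ in range(len(self.order)):
            ip = self.order[0]
            self.order.rotate(-1)
            if self.free[ip]:
                pair = (ip, self.free[ip].popleft())
                self.in_use.add(pair)
                return pair
        raise OSError("source pool exhausted")

    def release(self, pair):
        """Give a pair back once the connection that used it is closed."""
        self.in_use.remove(pair)
        self.free[pair[0]].append(pair[1])

    def capacity(self):
        """Total (ip, port) pairs the pool manages, free or in use."""
        return sum(len(q) for q in self.free.values()) + len(self.in_use)


def connect_from_pool(pool, dst, timeout=5.0):
    """bind() to an explicit pool pair, then connect(); caller releases on close."""
    src = pool.acquire()  # a complete (ip, port), so the kernel picks nothing
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Allow rebinding a port whose previous connection is still in TIME_WAIT.
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind(src)
        sock.settimeout(timeout)
        sock.connect(dst)
    except OSError:
        sock.close()
        pool.release(src)  # hand the pair back on any failure
        raise
    return sock, src
```

The caller must call pool.release(src) after sock.close(); in the cosocket facility this hook would live next to the close path, which is exactly the knowledge user Lua code lacks.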