16.9 Configuring Keepalived for Session Persistence and Firewall Marks

Many web-based application require that a user session is persistently served by the same web server.

If you enable the load balancer in Keepalived to use persistence, a client connects to the same server provided that the timeout period (persistence_timeout) has not been exceeded since the previous connection.

Firewall marks are another method for controlling session access so that Keepalived forwards a client's connections on different ports, such as HTTP (80) and HTTPS (443), to the same server, for example:

# iptables -t mangle -A PREROUTING -d virtual_IP_addr/32 -p tcp \
  -m multiport --dports 80,443 -j MARK --set-mark 123
# service iptables save

These commands set a firewall mark value of 123 on packets that are destined for ports 80 or 443 at the specified virtual IP address.

You must also declare the firewall mark (fwmark) value to Keepalived by setting it on the virtual server instead of a destination virtual IP address and port, for example:

virtual_server fwmark 123 {
   ...
}

This configuration causes Keepalived to route the packets based on their firewall mark value rather than the destination virtual IP address and port. When used in conjunction with session persistence, firewall marks help ensure that all ports used by a client session are handled by the same server.