How to not send traffic to TCP/IP stack

Kajetan Staszkiewicz vegeta at tuxpowered.net
Fri Jan 29 15:15:52 UTC 2021


Hello group,

On Linux, traffic is directed to the IP stack by "local" entries in the route
table. By removing such entries, or rather by not having them in the first
place in additional routing tables, it is possible to forward *all*
traffic through a router, even if it is directed at the router's own IP
addresses.

I have a situation where a FreeBSD pf-based Load Balancer must access a
service which is hosted on itself.

For external clients this is trivial:

SYN goes:
1. From client
2. Over BGP-managed network to the LB. The LB advertises the public
address over BGP to core routers.
3. It arrives at the public interface of LB where it is matched against
a route-to pf rule. A public-side pf state is created, a tag is assigned.
4. pf's route-to routes it to a LB Node / target.
5. Leaves the LB over internal interface, matches the tag, another state
is created.

ACK:
1. From LB Node
2. Hits internal interface of LB, the state is already there.
3. Is routed to a default gateway learned from BGP.
4. Leaves via the public interface of LB, the state is already there.

So far so good. But what if an LB wants to access the service?

SYN:
1. LB sends out a packet through public interface because that's where
the default gateway points.
2. Core router sends the packet to one of the LBs, in this case the same one
that originated the packet.
3. It arrives at the public interface of LB where it is matched against
a route-to pf rule. A public-side pf state is created, a tag is assigned.
4. pf's route-to routes it to a LB Node / target.
5. Leaves the LB over internal interface, matches the tag, another state
is created.

ACK:
1. From LB Node
2. Hits internal interface of LB, the state is already there.
3. Normal routing decision of LB decides to send the packet to the IP stack.
4. The packet never hits the pf state on the public side of LB.
5. The public side pf state never sees ACK from the LB Node, the state
times out very fast.

My goal is to have load-balanced connections *always* behave like they
come from the Internet, that is to leave the LB and bounce off the core
router.

-- 
| pozdrawiam / greetings | Powered by macOS, Debian and FreeBSD |
|  Kajetan Staszkiewicz  |  www: http://vegeta.tuxpowered.net   |
`------------------------^--------------------------------------'
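The two-sided state setup the SYN walk-through describes (steps 3 to 5: a route-to rule on the public interface that creates a tagged state, and an internal-interface rule that matches the tag and creates a second state), written out as an added pf.conf illustration. This is not the poster's ruleset; the interface names, addresses, port and tag name are assumptions.

```pf
# Added illustration of the described setup; all names and addresses are assumed.
ext_if = "vtnet0"        # public interface, default gateway learned via BGP lives here
int_if = "vtnet1"        # internal interface towards the LB nodes
vip    = "192.0.2.10"    # public service address advertised over BGP (not local to the LB)
node   = "10.0.0.20"     # LB node / target reachable on the internal interface
gw_int = "10.0.0.1"      # next hop towards the node on $int_if

# Public side (step 3 and 4): a SYN for the VIP arriving on $ext_if is matched,
# a state is created on $ext_if, the packet is tagged, and route-to sends it
# out over $int_if instead of following the normal routing decision.
pass in quick on $ext_if route-to ($int_if $gw_int) \
    proto tcp from any to $vip port 80 tag LB_FWD keep state

# Internal side (step 5): the routed packet now passes the out ruleset on
# $int_if, matches the tag, and a second state is created there.
pass out quick on $int_if proto tcp tagged LB_FWD keep state

# Anything else leaving $int_if is not part of the load-balanced flow.
block out on $int_if proto tcp tagged LB_FWD
```

Load the fragment with `pfctl -nf /etc/pf.conf` first to syntax-check it, then watch `pfctl -ss` while testing: for a client on the Internet both states (on `$ext_if` and `$int_if`) advance past the SYN stage, whereas for a connection originated by the LB itself the `$int_if` state sees the node's reply but the `$ext_if` state never does and ages out, which is exactly the symptom described in the ACK walk-through.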
