How to not send traffic to TCP/IP stack

Eugene Grosbein eugen at grosbein.net
Fri Jan 29 18:46:10 UTC 2021


29.01.2021 22:15, Kajetan Staszkiewicz wrote:

> So far so good. But what if a LB wants to access the service?
> 
> SYN:
> 1. LB sends out a packet through public interface because that's where
> the default gateway points.
> 2. Core router sends the packet to one of LBs, in this case the same one
> who originated the packet.
> 3. It arrives at the public interface of LB where it is matched against
> a route-to pf rule. A public-side pf state is created, a tag is assigned.
> 4. pf's route-to routes it to a LB Node / target.
> 5. Leaves the LB over internal interface, matches the tag, another state
> is created.
> 
> ACK:
> 1. From LB Node
> 2. Hits internal interface of LB, the state is already there.
> 3. Normal routing decision of LB decides to send the packet to IP stack.
> 4. The packet never hits the pf state on the public side of LB.
> 5. The public side pf state never sees ACK from the LB Node, the state
> times out very fast.
> 
> My goal is to have loadbalanced connections to *always* behave like they
> come from the Internet, that is to leave the LB and bounce off the core
> router.

I'm not a pf user, so I wonder: why do you need to create any firewall state
for such traffic at all? Can't you route such packets in stateless mode?
I don't see any value in pf states for such packets.



More information about the freebsd-net mailing list