Date: Fri, 29 Jan 2021 16:15:47 +0100
From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: freebsd-net@FreeBSD.org
Subject: How to not send traffic to TCP/IP stack
Message-ID: <dd623e74-d7b0-79ed-7bc2-646ead7eea03@tuxpowered.net>
Hello group,

On Linux traffic is directed to the IP stack by "local" entries in route table. By removing such entries, or rather not having them in the first place in additional routing tables it is possible to forward *all* traffic through a router, even if it is directed at router's own IP addresses.

I have a situation where a FreeBSD pf-based Load Balancer must access a service which is hosted on itself.

For external clients this is trivial:

SYN goes:
1. From client
2. Over BGP-managed network to the LB. The LB advertises the public address over BGP to core routers.
3. It arrives at the public interface of LB where it is matched against a route-to pf rule. A public-side pf state is created, a tag is assigned.
4. pf's route-to routes it to a LB Node / target.
5. Leaves the LB over internal interface, matches the tag, another state is created.

ACK:
1. From LB Node
2. Hits internal interface of LB, the state is already there.
3. Is routed to a default gateway learned from BGP.
4. Leaves via the public interface of LB, the state is already there.

So far so good. But what if a LB wants to access the service?

SYN:
1. LB sends out a packet through public interface because that's where the default gateway points.
2. Core router sends the packet to one of LBs, in this case the same one who originated the packet.
3. It arrives at the public interface of LB where it is matched against a route-to pf rule. A public-side pf state is created, a tag is assigned.
4. pf's route-to routes it to a LB Node / target.
5. Leaves the LB over internal interface, matches the tag, another state is created.

ACK:
1. From LB Node
2. Hits internal interface of LB, the state is already there.
3. Normal routing decision of LB decides to send the packet to IP stack.
4. The packet never hits the pf state on the public side of LB.
5. The public side pf state never sees ACK from the LB Node, the state times out very fast.

My goal is to have loadbalanced connections to *always* behave like they come from the Internet, that is to leave the LB and bounce off the core router.

-- 
| pozdrawiam / greetings | Powered by macOS, Debian and FreeBSD |
| Kajetan Staszkiewicz   | www: http://vegeta.tuxpowered.net   |
`------------------------^--------------------------------------'
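For readers following the packet walk above, here is an added pf.conf fragment that reproduces the two-state, tag-based route-to setup the message describes. It is an illustration written for this archive page, not the poster's own configuration; the interface names, addresses, port and tag name are assumptions.

```pf
# Added illustration of the setup described in the message above.
# Interface names, addresses, port and tag name are assumed values.
ext_if = "vtnet0"       # public side; default gateway is learned over BGP
int_if = "vtnet1"       # internal side towards the LB nodes
vip    = "192.0.2.10"   # public service address the LB advertises over BGP

# SYN step 3: a packet for the VIP arriving on the public interface matches
# this rule. A public-side state is created, the packet is tagged, and
# route-to hands it to one of the nodes via the internal interface.
# route-to does not rewrite the destination address, so the node must
# accept traffic addressed to the VIP.
pass in on $ext_if proto tcp from any to $vip port 80 \
    route-to { ($int_if 10.0.0.11), ($int_if 10.0.0.12) } round-robin \
    tag LB_VIP keep state

# SYN step 5: the same packet leaves over the internal interface. The tag
# set above is matched here and a second, internal-side state is created.
pass out on $int_if proto tcp from any to $vip port 80 \
    tagged LB_VIP keep state
```

With this in place, `pfctl -ss` shows both states for a connection from an external client. For the problem case in the message (the LB connecting to its own VIP), the internal-side state keeps being refreshed by the node's replies while the public-side state never sees the ACK and stays at its initial TCP stage until it expires, which is the symptom the poster reports.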