Date: Sat, 30 Jan 2021 01:45:39 +0700
From: Eugene Grosbein <eugen@grosbein.net>
To: Kajetan Staszkiewicz <vegeta@tuxpowered.net>, freebsd-net@FreeBSD.org
Subject: Re: How to not send traffic to TCP/IP stack
Message-ID: <14fc5e0a-7d36-e040-f87c-48cf54490b7b@grosbein.net>
In-Reply-To: <dd623e74-d7b0-79ed-7bc2-646ead7eea03@tuxpowered.net>
References: <dd623e74-d7b0-79ed-7bc2-646ead7eea03@tuxpowered.net>
29.01.2021 22:15, Kajetan Staszkiewicz wrote:
> So far so good. But what if an LB wants to access the service?
>
> SYN:
> 1. LB sends out a packet through the public interface because that's where the default gateway points.
> 2. Core router sends the packet to one of the LBs, in this case the same one who originated the packet.
> 3. It arrives at the public interface of the LB where it is matched against a route-to pf rule. A public-side pf state is created, a tag is assigned.
> 4. pf's route-to routes it to an LB Node / target.
> 5. Leaves the LB over the internal interface, matches the tag, another state is created.
>
> ACK:
> 1. From LB Node.
> 2. Hits the internal interface of the LB, the state is already there.
> 3. Normal routing decision of the LB decides to send the packet to the IP stack.
> 4. The packet never hits the pf state on the public side of the LB.
> 5. The public-side pf state never sees the ACK from the LB Node, the state times out very fast.
>
> My goal is to have load-balanced connections *always* behave like they come from the Internet, that is to leave the LB and bounce off the core router.

I'm not a pf user, so I wonder: why do you need to create any firewall state for such traffic at all? Can't you route such packets in stateless mode? I don't see any value in pf states for such packets.
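The two-rule route-to plus tag pattern from the quoted SYN walk-through, written out as an added pf.conf sketch that is not from the thread; interface names, addresses, port and the tag name are assumptions, and the commented-out rule only illustrates the stateless variant the reply asks about, not a tested fix:

```pf
# Added illustration; interfaces, addresses and tag are assumed, not from the thread.
ext_if = "vtnet0"          # public side, where the default route points
int_if = "vtnet1"          # internal side towards the LB nodes
vip    = "203.0.113.10"    # load-balanced service address (documentation range)

# SYN steps 3/4: a new connection arriving on the public interface is handed
# to a node with route-to. The first state is created on $ext_if and the
# packet is tagged so the internal-side rule can recognise it.
pass in quick on $ext_if inet proto tcp from any to $vip port 80 \
    route-to { ($int_if 10.0.0.11), ($int_if 10.0.0.12) } round-robin \
    tag LB_FORWARD keep state

# SYN step 5: the same packet leaving over the internal interface matches the
# tag and creates the second, internal-side state. The ACK from the node later
# matches only this state, which is the asymmetry described above.
pass out quick on $int_if inet proto tcp tagged LB_FORWARD keep state

# Stateless variant of the public-side rule (the question in the reply):
# "no state" forwards without a state entry, so nothing times out, but pf then
# also has no per-connection tracking to apply to the reverse direction.
# pass in quick on $ext_if inet proto tcp from any to $vip port 80 \
#     route-to { ($int_if 10.0.0.11), ($int_if 10.0.0.12) } round-robin \
#     tag LB_FORWARD no state
```

Load it with `pfctl -nf` first to syntax-check the file before activating it.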