Date: Mon, 1 Feb 2021 13:26:28 +0100 From: Kajetan Staszkiewicz <vegeta@tuxpowered.net> To: Eugene Grosbein <eugen@grosbein.net>, freebsd-net@FreeBSD.org Subject: Re: How to not send traffic to TCP/IP stack Message-ID: <2abf8b29-41c3-6a98-fde6-24b33fe3ccfd@tuxpowered.net> In-Reply-To: <14fc5e0a-7d36-e040-f87c-48cf54490b7b@grosbein.net> References: <dd623e74-d7b0-79ed-7bc2-646ead7eea03@tuxpowered.net> <14fc5e0a-7d36-e040-f87c-48cf54490b7b@grosbein.net>
On 29.01.21 19:45, Eugene Grosbein wrote:
> 29.01.2021 22:15, Kajetan Staszkiewicz wrote:
>
>> So far so good. But what if an LB wants to access the service?
>>
>> SYN:
>> 1. LB sends out a packet through the public interface because that's where the default gateway points.
>> 2. Core router sends the packet to one of the LBs, in this case the same one who originated the packet.
>> 3. It arrives at the public interface of the LB where it is matched against a route-to pf rule. A public-side pf state is created, a tag is assigned.
>> 4. pf's route-to routes it to an LB Node / target.
>> 5. Leaves the LB over the internal interface, matches the tag, another state is created.
>>
>> ACK:
>> 1. From LB Node
>> 2. Hits the internal interface of the LB, the state is already there.
>> 3. Normal routing decision of the LB decides to send the packet to the IP stack.
>> 4. The packet never hits the pf state on the public side of the LB.
>> 5. The public side pf state never sees the ACK from the LB Node, the state times out very fast.
>>
>> My goal is to have load-balanced connections *always* behave like they come from the Internet, that is to leave the LB and bounce off the core router.
>
> I'm not a pf user, so I wonder: why do you need to create any firewall state
> for such traffic at all? Can't you route such packets in stateless mode?
> I don't see any value in pf states for such packets.

Which ones? There are a total of 3 pf states created here, 2 on the public
side (outgoing, incoming-LB), 1 on the internal side (post-LB). That would still
not allow me to avoid sending packets to the IP stack, would it?

The only way I've found to force the outgoing interface while skipping
routing is via the "reply-to" target of pf, but that requires a static gateway
in the pf rules, which is not an option for me because the gateway is installed
from BGP.

-- 
| pozdrawiam / greetings | Powered by macOS, Debian and FreeBSD |
| Kajetan Staszkiewicz   | www: http://vegeta.tuxpowered.net     |
`------------------------^--------------------------------------'
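The pf.conf rules that the SYN/ACK walkthrough above describes, written out as an added example; this is not a configuration from the thread or from the FreeBSD project. Interface names, the VIP, the node addresses and the core-router gateway are assumed placeholders.

```pf
# Added example, not from the thread. All names and addresses are assumed.
ext_if  = "igb0"          # public interface; the default route points here
int_if  = "igb1"          # internal interface towards the LB nodes
vip     = "192.0.2.10"    # load-balanced service address
core_gw = "203.0.113.1"   # core router; in the thread this is learned via BGP

# SYN, steps 3-4: a packet for the VIP arriving on the public interface gets
# a public-side state, is tagged, and is route-to'd to one of the nodes.
pass in quick on $ext_if proto tcp from any to $vip port 80 \
    route-to { ($int_if 10.0.0.11), ($int_if 10.0.0.12) } round-robin \
    tag LB keep state

# SYN, step 5: the tagged packet leaves over the internal interface and
# creates the second (post-LB) state there. The node's ACK matches this
# state on the way back in, and is then handed to the local IP stack by
# the normal routing decision (ACK steps 2-3), so the public-side state
# never sees it.
pass out quick on $int_if proto tcp tagged LB keep state

# Alternative for the rule above (load only one of the two): "reply-to"
# pushes the replies matching this state (the node's ACK) out $ext_if to
# $core_gw instead of letting routing decide. The gateway has to be
# written into the rule, which is the limitation the reply describes
# when the gateway is installed from BGP rather than configured statically.
pass out quick on $int_if proto tcp tagged LB \
    reply-to ($ext_if $core_gw) keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -s states` shows whether the three states named in the reply (two on $ext_if, one on $int_if) actually appear, and whether the public-side one keeps ageing out because the ACK never reaches it.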
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2abf8b29-41c3-6a98-fde6-24b33fe3ccfd>