How to not send traffic to TCP/IP stack
Kajetan Staszkiewicz
vegeta at tuxpowered.net
Mon Feb 1 12:26:33 UTC 2021
On 29.01.21 19:45, Eugene Grosbein wrote:
> 29.01.2021 22:15, Kajetan Staszkiewicz wrote:
>
>> So far so good. But what if a LB wants to access the service?
>>
>> SYN:
>> 1. LB sends out a packet through public interface because that's where
>> the default gateway points.
>> 2. Core router sends the packet to one of LBs, in this case the same one
>> who originated the packet.
>> 3. It arrives at the public interface of LB where it is matched against
>> a route-to pf rule. A public-side pf state is created, a tag is assigned.
>> 4. pf's route-to routes it to a LB Node / target.
>> 5. Leaves the LB over internal interface, matches the tag, another state
>> is created.
>>
>> ACK:
>> 1. From LB Node
>> 2. Hits internal interface of LB, the state is already there.
>> 3. Normal routing decision of LB decides to send the packet to IP stack.
>> 4. The packet never hits the pf state on the public side of LB.
>> 5. The public side pf state never sees ACK from the LB Node, the state
>> times out very fast.
>>
>> My goal is to have loadbalanced connections to *always* behave like they
>> come from the Internet, that is to leave the LB and bounce off the core
>> router.
>
> I'm not a pf user, so I wonder: why do you need to create any firewall state
> for such traffic at all? Can't you route such packets in stateless mode?
> I don't see any value in pf states for such packets.
Which ones? There is a total of 3 pf states created here, 2 on public
side (outgoing, incoming-LB), 1 on internal (post-LB).
That would still not allow me to avoid sending packets to the IP stack,
would it? The only way I've found to force outgoing interface while
skipping routing is via "reply-to" target of pf, but that requires
static gateway in pf rules, which is not an option for me because the
gateway is installed from BGP.
--
| pozdrawiam / greetings | Powered by macOS, Debian and FreeBSD |
| Kajetan Staszkiewicz | www: http://vegeta.tuxpowered.net |
`------------------------^--------------------------------------'
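As an added illustration of the rule set discussed above (this is not the poster's own pf.conf; the interface names, addresses and the tag name are assumed placeholders, and whether the reply-to variant suits a given setup is exactly what the thread is about), here is how the three pf states map onto route-to, tag/tagged and the reply-to form that needs a literal gateway in the rule:

```pf
# Added example, not configuration from the original post.
# Interface names, addresses and the tag name are assumed placeholders.
ext_if  = "vtnet0"          # public side; default route is learned via BGP
int_if  = "vtnet1"          # internal side towards the LB nodes
vip     = "203.0.113.10"    # load-balanced service address
node    = "10.0.0.20"       # one LB node / target
core_gw = "203.0.113.1"     # core router; reply-to needs it as a literal

# Public side, incoming: a SYN for the VIP is policy-routed to the node
# instead of going through the routing table, and the packet is tagged so
# the internal-side rule can recognise it.  (public-side state, incoming-LB)
pass in quick on $ext_if proto tcp from any to $vip port 80 \
    route-to ($int_if $node) tag LB_OUT keep state

# Internal side: the tagged packet leaves towards the node.  (internal state, post-LB)
pass out quick on $int_if proto tcp tagged LB_OUT keep state

# Public side, outgoing: the LB's own connection to the VIP leaves through
# the public interface because the default route points there.
# (public-side state, outgoing)
pass out quick on $ext_if proto tcp from $ext_if to $vip port 80 keep state

# The reply-to variant mentioned in the reply: the node's ACK arriving on
# $int_if in the reverse direction of this state is sent out of $ext_if to
# $core_gw rather than handed to the local IP stack.  It replaces the plain
# "pass out on $int_if" rule above, but $core_gw must be a fixed address in
# the rule set, which is the limitation the post describes.
# pass out quick on $int_if proto tcp tagged LB_OUT \
#     reply-to ($ext_if $core_gw) keep state
```

In pf, route-to acts on packets travelling in the rule's own direction and reply-to on packets travelling in the opposite direction of a state created by that rule, so a reply-to on the internal-side "pass out" rule is what would catch the node's ACK before the normal routing decision delivers it locally; load the file with pfctl -nf to syntax-check it against the pf.conf(5) of the FreeBSD version in use.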