HAProxy ALOHA Documentation 10.0

Contexts

With PacketShield, context is identified by the destination of an incoming packet.

For each incoming packet, a lookup on available contexts in the instance is performed:

  • If a context is found (by matching the packet's destination IP and an optional VLAN tag), then the rules of the context will be applied to this packet.

  • If the packet does not match any context, then the default context Other applies.

Creating an instance automatically creates the default context named Other which contains the policy used for packets which do not match any other created context.

PacketShield currently supports the following context identifiers:

  • IPv4 address

  • IPV4 suffixed by the character @ and a VLAN id

Use sysfr entry

You manage a context using the sysfs entry:

/sys/packetshield/<instance name>/contexts.

Create a context

The create operation also creates a new sysfs directory using the context identifier as name in:

/sys/packetshield/<instance name>/<context id>.

A newly created context does not inherit the configuration from the default Other context.

sysfs

Write the context identifier, prefixed by the char + in the sysfs entry.

Create a context for the IP address 1.2.3.5:

$ echo "+10.2.3.5" > /sys/packetshield/myinst/contexts

Create a context for the IP address 1.2.3.5 in the tagged VLAN 100:

$ echo "+10.2.3.5@100" > /sys/packetshield/myinst/contexts

GUI

Use the statement <instance name>/contexts followed by the context identifier.

Create a context for the IP address 1.2.3.5:

myinst/contexts 10.2.3.5

Create a context for the IP address 1.2.3.5 in the tagged vlan 100:

myinst/contexts 10.2.3.5@100

Destroy a context

This operation also deletes the sysfs directory /sys/packetshield/<instance name>/<context id>.

sysfs

Write the context identifier, prefixed by the char - in the sysfs entry.

Destroy the context for the IP address 1.2.3.5:

$ echo "-10.2.3.5" > /sys/packetshield/myinst/contexts

Destroy the context for the IP address 1.2.3.5 in the tagged VLAN 100:

$ echo "-10.2.3.5@100" > /sys/packetshield/myinst/contexts

GUI

Remove the statement <instance name>/contexts <context id> that matches the context you want to remove.

List contexts

This function is only available through the CLI.

To list existing contexts, open the contents of the sysfs entry /sys/packetshield/<instance name>/contexts.

One context identifier is displayed per line.

Although not listed, the context Other exists.

$ cat /sys/packetshield/myinst/contexts
10.2.3.5
10.2.3.5@100

Set options for context

sysfs

Display and set context options using respectively read and write operations on sysfs entries available in the directory /sys/packetshield/<instance name>/<context id>/<option>

GUI

Set context options using the following statement

<instance name>/<context id>/<option>

The GUI can only set the option.

Available options:

drop_empty_ack

default: 0, means no drop

  • Ratio of empty outgoing ACKs to drop.

  • The purpose of this setting is to prevent ACK storms.

sysfs example

$ echo 100 > /sys/packetshield/myinst/Other/drop_empty_ack

GUI example

myinst/Other/drop_empty_ack 100

gateway

default: ff:ff:ff:ff:ff:ff

  • Destination MAC address for outgoing traffic.

  • By default, PacketShield uses the source MAC address from incoming packets as destination when generating syncookies.

  • Setting this value to a valid MAC address allows PacketShield to use an alternative gateway to send generated syncookies.

sysfs example

$ echo '01:0c:23:fe:ab:10' > /sys/packetshield/myinst/Other/gateway

GUI example

myinst/Other/gateway 01:0c:23:fe:ab:10

new_cookie_threshold

default: 0-0 means disabled

  • Defines new-connections rate thresholds (per seconds) to enable / disable syncookie protection.

  • The purpose of this protection mode is to block SYN floods.

  • Applies to ports listed in protected TCP ports

sysfs example

To start sending syn cookies when the incoming rate is above 10000 SYN/s and disable sending when the rate goes below 5000:

$ echo '10000-5000' > /sys/packetshield/myinst/Other/new_cookie_threshold

GUI example

To start sending syn cookies when the incoming rate is above 10000 SYN/s and disable sending when the rate goes below 5000:

myinst/Other/new_cookie_threshold 10000-5000

unmatch_drop_threshold

default: 0-0 means protection is disabled

  • Defines unmatched-packets rate (per seconds) thresholds to enable / disable unmatched RST/ACK drop.

  • The purpose of this protection mode is to block RST or ACK floods (RSTs or ACKs whose don't match any known session).

  • Applies to ports listed in protected TCP ports

sysfs example

To start blocking unmatched packets when the incoming rate is above 10000/s and disable blocking when the rate goes below 5000:

$ echo '10000-5000' > /sys/packetshield/myinst/Other/unmatch_drop_threshold

GUI example

To start blocking unmatched packets when the incoming rate is above 10000/s and disable blocking when the rate goes below 5000:

myinst/Other/unmatch_drop_threshold 10000-5000

unknown_ttlfilter_threshold

default: 0-0 means protection is disabled

  • Defines unknown TTL packets rate (per seconds) thresholds to enable or disable filtering based on TTL

  • Applies to ports listed in protected TCP ports

sysfs example

To start blocking packets with unknown TTL when the incoming rate is above 10000/s and disable blocking when the rate goes below 5000:

$ echo '10000-5000' > /sys/packetshield/myinst/Other/unknown_ttlfilter_threshold

GUI example

To start blocking packets with unknown TTL when the incoming rate is above 10000/s and disable blocking when the rate goes below 5000:

myinst/Other/unknown_ttlfilter_threshold 10000-5000

deliver_block_threshold

default: 0-0 means protection is disabled

  • Defines delivered packets rate (per seconds) thresholds to enable or disable surge protection (those packets dropped instead of being filtered).

  • This filter affects each packet regardless of the status of the protected port

sysfs example

To enable surge protection when outgoing rate is above 10000 packets/s and disable protection when the rate goes below 5000:

$ echo '10000-5000' > /sys/packetshield/myinst/Other/deliver_block_threshold

GUI example

To enable surge protection when outgoing rate is above 10000 packets/s and disable protection when the rate goes below 5000:

myinst/Other/deliver_block_threshold 10000-5000

context_capture

default: 0 means disabled

  • Defines whether incoming packets on current context are captured.

  • To enable packet capture, set this value to 1.

sysfs example

$ echo 1 > /sys/packetshield/myinst/Other/context_capture

GUI example

myinst/Other/context_capture 1

Next up

Instances