Load balancing

Flows

Use the Flows tab to configure flows.

A flow defines iptables chains for incoming packets. For any given combination of interface, protocol, IP address, and port, the flow can specify whether packets should be allowed, dropped, directed to an LVS director, or routed according to a routing table.

The ability to filter on ranges of IP addresses and ports is particularly powerful when the flow directs the matching traffic to an LVS load balancer (see LB Layer4 tab). This is because an LVS load balancer by itself can accept traffic only from a single IP address and port.

Configuration file syntax

The flowmgr configuration file consists of a list of flow sections. Flows are evaluated sequentially.

```text
flow <name> <policy>
<rule> [ [ not ] iface <name> ]
[ [ not ] proto { tcp | udp | icmp } ]
[ [ not ] src <ip>[/<mask>] ]
[ [ not ] dst <ip>[/<mask>] ]
[ [ not ] srcport <port>[:<port>] ]
[ [ not ] dstport <port>[:<port>] ]
[ [ not ] icmptype <icmptype> ] ]
[<rule>]...
```

The terms are as follows.

name

Unique identifier for this flow. Allowed characters are alphanumerics, hyphen (-), and underscore (_). Maximum length is 27 characters.

policy

Action to be applied to the flow. One of:

| Policy | Description |
| --- | --- |
| permit | Matching packets are allowed. |
| deny | Matching packets are dropped. |
| director <director_name> | Matching packets are routed using the specified LVS director. Directors are defined in the LB Layer4 tab. |
| skip | The flow is skipped and the next flow is evaluated. This policy is useful for temporarily disabling a flow. This policy is the default action if no other policy is specified. |
| table <id> | Matching packets are routed using the specified routing table. Routing tables are defined in network setup under the Services tab. |

rule

The match and ignore rules are evaluated sequentially.

| Rule | Description |
| --- | --- |
| match | If a packet matches the specified conditions, the defined flow policy is immediately applied. Otherwise, the next ignore or match rules of the current flow are evaluated. If there are no more rules, the packet is considered not part of the current flow and the next flow is evaluated. |
| ignore | If a packet matches the specified conditions, the packet is considered not part of the current flow and the next flow is evaluated. Otherwise, the next ignore or match rules of the current flow are evaluated. |

conditions

If no conditions are specified, all packets are considered a match. To negate a condition, prefix it with the keyword not. Use the following terms to specify match conditions.

| Condition | Description |
| --- | --- |
| proto | IP protocol: tcp, udp or icmp. |
| iface | Input network interface. |
| src | Packet source IP address, or network given as address/mask. |
| dst | Packet destination IP address, or network given as address/mask. |
| srcport | Packet source port, or port range (port:port). Only available with the tcp and udp protocols. |
| dstport | Packet destination port, or port range (port:port). Only available with the tcp and udp protocols. |
| icmptype | Packet ICMP type code. Only available with the icmp protocol. |

Important

To save a new flow or changes to an existing flow, save the HAProxy ALOHA configuration. Click on the Setup tab. In the Configuration section, click Save.

Display flow rules

The flowmgr service converts flows into iptables chains. To display the resulting iptables rules, use this command:

```nix
iptables -L -t mangle
```

Flow manager invocation options

Invocation options for the flowmgr service are configured on the Services tab.

Examples

In this section, we demonstrate examples that use the Flow manager.

Match by IP address and port

In flow ssh:

  • Any packet not originating on the 192.168.0.0/24 network is not permitted by this flow but is passed through to the next flow for processing.

  • Any packet that originates on the 192.168.0.0/24 network is permitted if it is TCP protocol and targeted for IP/port 192.168.0.1:22. If the packet does not match these conditions, it is passed through to the next flow for processing.

```haproxy
flow ssh permit
ignore not src 192.168.0.0/24
match proto tcp dst 192.168.0.1 dstport 22
```

Match UDP packets

In flow dns:

  • Any UDP packet targeted for IP/port 192.168.0.1:53 is permitted. If the packet does not match these conditions, it is passed through to the next flow for processing.

```haproxy
flow dns permit
match proto udp dst 192.168.0.1 dstport 53
```

Match ICMP messages

In flow ping:

  • Any ICMP packet targeted for IP 192.168.0.1 with an icmptype value of 0 is permitted. If the packet does not match these conditions, it is passed to the next rule for processing.

  • Any packet not originating on the 192.168.0.0/24 network is not permitted by this flow but is passed through to the next flow for processing. If the packet does originate on the 192.168.0.0/24 network, it is passed to the next rule for processing.

  • Any ICMP packet targeted for IP 192.168.0.1 is permitted. If the packet does not match these conditions, it is passed through to the next flow for processing.

```haproxy
flow ping permit
match proto icmp dst 192.168.0.1 icmptype 0
ignore not src 192.168.0.0/24
match proto icmp dst 192.168.0.1
```

Route traffic to LVS

In flow mail:

  • Any TCP packet targeted for IP/port 192.168.0.2:110 is sent to LVS director maildirect. If the packet does not match these conditions, it is passed through to the next rule for processing.

  • Any TCP packet targeted for IP/port 192.168.0.2:143 is sent to LVS director maildirect. If the packet does not match these conditions, it is passed through to the next rule for processing.

  • Any TCP packet targeted for IP/port 192.168.0.2:25 is sent to LVS director maildirect. If the packet does not match these conditions, it is passed through to the next flow for processing.

```haproxy
flow mail director maildirect
match proto tcp dst 192.168.0.2 dstport 110
match proto tcp dst 192.168.0.2 dstport 143
match proto tcp dst 192.168.0.2 dstport 25
```

Block unpermitted traffic

In flow alltherest:

  • All packets are blocked. This flow is useful for placing at the end of the flowmgr configuration to block all traffic not explicitly permitted in preceding flows.

```haproxy
flow alltherest deny
match
```
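The evaluation order described in the rule and conditions sections (flows in sequence, then match and ignore rules in sequence within a flow, with not negating a term) is easy to get wrong when several flows are chained. The following simulator is an added example, not code from HAProxy ALOHA or its documentation: it parses four of this page's example flows in the order they appear and reports which flow claims a packet, so the effect of a configuration on a given packet can be checked before it is saved. Packets are represented as plain dicts (an assumption of this example), and a condition on a field the packet lacks, such as dstport on an ICMP packet, never matches.

```python
# Added example, not HAProxy ALOHA code: a simulator of flowmgr's evaluation order
# (flows in sequence, match/ignore rules in sequence) fed with this page's flows.
import ipaddress
CONFIG = """
flow ssh permit
ignore not src 192.168.0.0/24
match proto tcp dst 192.168.0.1 dstport 22
flow ping permit
match proto icmp dst 192.168.0.1 icmptype 0
ignore not src 192.168.0.0/24
match proto icmp dst 192.168.0.1
flow mail director maildirect
match proto tcp dst 192.168.0.2 dstport 110
match proto tcp dst 192.168.0.2 dstport 143
flow alltherest deny
match
"""

def parse_flows(text):
    flows = []  # [name, policy, [(kind, [(key, value, negated), ...]), ...]]
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "flow":
            flows.append([tok[1], " ".join(tok[2:]) or "skip", []])
            continue
        conds, i = [], 1  # tok[0] is 'match' or 'ignore'; 'not' negates a term
        while i < len(tok):
            neg = tok[i] == "not"
            conds.append((tok[i + neg], tok[i + neg + 1], neg))
            i += 2 + neg
        flows[-1][2].append((tok[0], conds))
    return flows

def _cond_ok(key, val, pkt):
    if key not in pkt:  # e.g. dstport on an icmp packet: cannot match
        return False
    if key in ("src", "dst"):  # single address or network in address/mask form
        return ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(val, strict=False)
    if key in ("srcport", "dstport"):  # single port or lo:hi range
        lo, _, hi = val.partition(":")
        return int(lo) <= pkt[key] <= int(hi or lo)
    return str(pkt[key]) == val  # iface, proto, icmptype

def evaluate(flows, pkt):
    """Return (policy, flow name) from the first flow that claims the packet."""
    for name, policy, rules in flows:
        for kind, conds in (rules if policy != "skip" else []):  # skip: never consulted
            if all(_cond_ok(k, v, pkt) != neg for k, v, neg in conds):
                if kind == "match":
                    return policy, name
                break  # ignore matched: packet leaves this flow for the next one
    return "none", None  # no flow claimed the packet
```

A packet from outside 192.168.0.0/24 aimed at 192.168.0.1:22 is ejected from the ssh flow by its ignore rule and ends up in alltherest, which is exactly the behaviour the bullet points above describe.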
