In HAProxy ALOHA, PacketShield is the tool responsible for protecting against floods and low-layer attacks.
PacketShield is developed as a kernel module and its code is executed between the network driver and the kernel. This means that all rules configured in PacketShield will apply before any other rule in the HAProxy ALOHA (IP ACLs, flow manager, L4 load balancing (LVS), HAProxy, etc.).
PacketShield is multicore and is configured through the Linux virtual filesystem sysfs (/sys/).
PacketShield works like a stateful firewall able to process packets at wire speed. It is split into 2 components:
an instance, which is associated with physical interfaces and owns contexts
a context, which is a rule set applied to destination IPs (and potentially a VLAN tag)
The diagram below shows how an incoming packet is handled when it reaches an HAProxy ALOHA where PacketShield is active:
                      <------- packetshield ------->
physical interface ===> instance ========> context ====> system
                   (1)              (2)             (3)
(1) The packet comes in through a physical network interface. It crosses the interface itself and the driver delivers it to the PacketShield instance associated with this interface.
(2) Based on the destination IP address, or the destination IP address plus VLAN tag, a context is selected and its associated rules are applied.
(3) If the packet successfully passes all the protection rules, it is delivered to the system (the HAProxy ALOHA kernel).
Packet processing in PacketShield
When processing packets, PacketShield applies different types of rules, in the following order:
Dropping invalid packets (enabled by default, not configurable)
Blacklisting per source IP
destination TCP port
destination UDP port
Destination TCP port protection (based on known sessions, TTLs, syn cookies, etc.).