HAProxy Enterprise Documentation 13.0

Overview

In the ALOHA, PacketShield is the component responsible for protecting against floods and low-layer attacks.

PacketShield is developed as a kernel module and its code runs between the network driver and the kernel. This means that all rules configured in PacketShield are applied before any other rule in the ALOHA (IP ACLs, flow manager, L4 load balancing (LVS), HAProxy, etc.).

PacketShield is multicore-capable and is configured through the Linux virtual filesystem sysfs (/sys/).

Understanding PacketShield

PacketShield works like a stateful firewall able to process packets at wire speed. It is split into two components:

instance

an instance is associated with physical interfaces and owns contexts

context

a rule set applied to destination IPs (and optionally a VLAN tag)

The diagram below shows how an incoming packet is treated when it reaches an ALOHA where PacketShield is active:

             <------- packetshield ------->
physical interface ===> instance ========> context ====> system
             (1)              (2)             (3)
  1. The packet comes in through a physical network interface. It crosses the interface itself and the driver delivers it to the PacketShield instance associated with this interface.

  2. Based on the destination IP address or destination IP + VLAN tag, a context and associated rules are applied.

  3. If the packet successfully passes all the protection rules, it is delivered to the system (ALOHA's kernel).

Packet processing in PacketShield

When processing packets, PacketShield applies different types of rules, in the following order:

  1. Dropping invalid packets (enabled by default, not configurable)

  2. Blacklisting per source IP

  3. Whitelisting per:

    • source IP

    • protocol

    • destination TCP port

    • destination UDP port

  4. Destination TCP port protection (based on known sessions, TTLs, SYN cookies, etc.)

Note

The first rule that matches the packet stops the processing.
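The packet path described above (an instance bound to interfaces, contexts selected by destination IP or destination IP plus VLAN tag, and the four rule stages evaluated in order with the first match deciding) as an added Python illustration. This is not PacketShield's own code or configuration: the class names, the session table used by the port-protection stage, and the handling of a destination with no context are assumptions of the model, and every address, port and packet below is a constructed sample value.

```python
"""Model of the PacketShield packet path as documented: instance -> context
-> ordered rules, first match wins. Added illustration, not PacketShield code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                  # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    vlan: Optional[int] = None
    valid: bool = True          # False models a malformed packet (bad header, bad checksum)


@dataclass
class Context:
    """Rule set applied to one destination IP (and optionally one VLAN tag)."""
    blacklist_src: list = field(default_factory=list)      # networks, checked before any whitelist
    whitelist_src: list = field(default_factory=list)
    whitelist_proto: set = field(default_factory=set)
    whitelist_tcp_ports: set = field(default_factory=set)
    whitelist_udp_ports: set = field(default_factory=set)
    protected_tcp_ports: set = field(default_factory=set)
    # Hypothetical stand-in for the "known sessions" state a stateful
    # port-protection stage consults; not PacketShield's real session table.
    known_sessions: set = field(default_factory=set)

    def evaluate(self, pkt: Packet) -> tuple:
        src = ip_address(pkt.src_ip)
        # 1. invalid packets are always dropped (enabled by default, not configurable)
        if not pkt.valid:
            return ("drop", "invalid")
        # 2. blacklist per source IP
        if any(src in net for net in self.blacklist_src):
            return ("drop", "blacklist")
        # 3. whitelists: source IP, protocol, destination TCP port, destination UDP port
        if any(src in net for net in self.whitelist_src):
            return ("accept", "whitelist-src")
        if pkt.proto in self.whitelist_proto:
            return ("accept", "whitelist-proto")
        if pkt.proto == "tcp" and pkt.dst_port in self.whitelist_tcp_ports:
            return ("accept", "whitelist-tcp-port")
        if pkt.proto == "udp" and pkt.dst_port in self.whitelist_udp_ports:
            return ("accept", "whitelist-udp-port")
        # 4. destination TCP port protection: on a protected port only traffic
        #    belonging to a session the firewall already knows is let through
        if pkt.proto == "tcp" and pkt.dst_port in self.protected_tcp_ports:
            if (pkt.src_ip, pkt.dst_ip, pkt.dst_port) in self.known_sessions:
                return ("accept", "known-session")
            return ("drop", "port-protection")
        # no rule matched: the packet is delivered to the system
        return ("accept", "default")


@dataclass
class Instance:
    """Bound to physical interfaces; picks the context for each packet."""
    interfaces: set
    contexts: dict = field(default_factory=dict)   # (dst_ip, vlan) -> Context

    def lookup(self, pkt: Packet) -> Optional[Context]:
        # assumption of this model: a context keyed on dst IP + VLAN tag is
        # preferred over one keyed on the dst IP alone
        return self.contexts.get((pkt.dst_ip, pkt.vlan)) or self.contexts.get((pkt.dst_ip, None))

    def process(self, iface: str, pkt: Packet) -> tuple:
        if iface not in self.interfaces:
            raise ValueError(f"{iface} is not bound to this instance")
        ctx = self.lookup(pkt)
        if ctx is None:
            return ("accept", "no-context")   # assumption: no rule set, packet passes through
        return ctx.evaluate(pkt)


def build_sample_instance() -> Instance:
    """Constructed sample configuration using documentation address ranges."""
    ctx = Context(
        blacklist_src=[ip_network("203.0.113.0/24")],
        whitelist_src=[ip_network("198.51.100.0/24")],
        whitelist_proto={"icmp"},
        whitelist_tcp_ports={22},
        whitelist_udp_ports={53},
        protected_tcp_ports={80, 443},
        known_sessions={("192.0.2.10", "192.0.2.1", 443)},
    )
    return Instance(interfaces={"eth0"}, contexts={("192.0.2.1", None): ctx})


def run_samples() -> list:
    """Push constructed packets through the sample instance; returns the verdicts."""
    inst = build_sample_instance()
    samples = [
        Packet("198.51.100.5", "192.0.2.1", "tcp", 80, valid=False),  # invalid beats every other rule
        Packet("203.0.113.7", "192.0.2.1", "tcp", 22),    # blacklisted source, even though port 22 is whitelisted
        Packet("198.51.100.5", "192.0.2.1", "tcp", 80),   # whitelisted source never reaches port protection
        Packet("192.0.2.10", "192.0.2.1", "tcp", 443),    # known session on a protected port
        Packet("192.0.2.99", "192.0.2.1", "tcp", 443),    # unknown session on a protected port
        Packet("192.0.2.99", "192.0.2.1", "udp", 53),     # whitelisted UDP port
        Packet("192.0.2.99", "192.0.2.1", "tcp", 8080),   # unprotected port, no rule matches
    ]
    return [inst.process("eth0", p) for p in samples]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

Running the samples shows why the stage order matters: a packet from a blacklisted source is dropped even though its destination port is whitelisted, because the blacklist stage runs before the whitelists, and a whitelisted source is accepted without ever reaching the TCP port-protection stage.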
