Loxilb SYNProxy support? #670
Labels
enhancement
New feature or request
Comments
It might not be too difficult to implement. Will keep you posted about the progress on this.
Is your feature request related to a problem? Please describe.
For a standalone layer 4 balancer, SYNPROXY seems to be a common feature to stop TCP SYN/ACK/RST DDoS attacks before the load balancer does the real load balancing. If the loxilb data path had an internal SYNPROXY implementation, it would be appealing to loxilb users.
Describe the solution you'd like
To run loxilb in BPFire OS as a standalone layer 4 load balancer. My original TCP client packet path is:
SYN -> XDP SYNPROXY -> loxilb TC LB
But then I realized and tested that XDP SYNPROXY requires working with the iptables SYNPROXY module and netfilter conntrack, but loxilb bypasses netfilter and has its own internal conntrack implementation, so they would not work together. See the alternative below.
Describe alternatives you've considered
In the loxilb TC data path pipeline, could do:
I think the code in the kernel tree, test_tcp_custom_syncookie.c, with some modification for loxilb might be workable code as above A SYNPROXY; the code does not involve netfilter or netfilter conntrack.
Additional context
I already ported the in-kernel-tree XDP SYNPROXY code to BPFire OS and it works well with netfilter NAT port forwarding with high throughput: BPFire XDP SYNPROXY under DPDK Pktgen 10Gbit SYN Flood Attack. Since loxilb can not only replace the netfilter NAT function but also do load balancing, with the addition of SYNPROXY in loxilb it is even better.
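Added example, not part of the issue and not code from loxilb or the kernel selftest: a simplified stateless SYN cookie in plain C, showing why a cookie-based SYN proxy can validate the final ACK without a netfilter conntrack entry. The names `tag30`, `cookie_make`, `cookie_check`, `SLOT_SECS`, the MSS table and the toy mixing function are assumptions for illustration; a real data path would use a keyed hash such as SipHash.

```c
#include <stdint.h>

#define SLOT_SECS 64u  /* cookie lifetime granularity (assumed value) */
struct flow { uint32_t saddr, daddr; uint16_t sport, dport; };
/* Constructed sample flow: 192.0.2.10:40000 -> 198.51.100.5:443 */
static const struct flow sample_flow = { 0xC000020Au, 0xC6336405u, 40000, 443 };
static const uint16_t mss_tab[4] = { 536, 1300, 1440, 1460 };

/* Toy keyed mix standing in for a real keyed hash (assumption, not cryptographic).
 * Returns a 30-bit tag in the upper bits; the low 2 bits are left free for idx. */
static uint32_t tag30(const struct flow *f, uint32_t isn, uint32_t slot,
                      uint32_t idx, uint32_t secret)
{
    uint32_t w[5] = { f->saddr, f->daddr, ((uint32_t)f->sport << 16) | f->dport,
                      isn, (slot << 2) | idx };
    uint32_t h = secret;
    for (int i = 0; i < 5; i++) {
        h = (h ^ w[i]) * 0x9e3779b1u;
        h ^= h >> 15;
    }
    return h & ~3u;
}

/* On SYN: derive the SYN-ACK sequence number. No per-connection state is kept. */
uint32_t cookie_make(const struct flow *f, uint32_t client_isn,
                     uint16_t client_mss, uint32_t now, uint32_t secret)
{
    uint32_t idx = 0;  /* largest table entry not above the client's MSS */
    for (uint32_t i = 1; i < 4; i++)
        if (mss_tab[i] <= client_mss) idx = i;
    return tag30(f, client_isn, now / SLOT_SECS, idx, secret) | idx;
}

/* On the final ACK: seq = client_isn + 1, ack_seq = cookie + 1.
 * Returns the MSS recovered from the cookie, or 0 if the ACK must be dropped. */
uint16_t cookie_check(const struct flow *f, uint32_t seq, uint32_t ack_seq,
                      uint32_t now, uint32_t secret)
{
    uint32_t cookie = ack_seq - 1, idx = cookie & 3u;
    for (uint32_t age = 0; age < 2; age++)  /* accept current or previous slot */
        if (tag30(f, seq - 1, now / SLOT_SECS - age, idx, secret) == (cookie & ~3u))
            return mss_tab[idx];
    return 0;
}

int main(void)
{
    uint32_t c = cookie_make(&sample_flow, 1000, 1460, 6400, 0x5eedu);
    return cookie_check(&sample_flow, 1001, c + 1, 6400, 0x5eedu) == 1460 ? 0 : 1;
}
```

Only an ACK that passes `cookie_check` would need a connection entry and a backend selection, so spoofed SYNs consume no table space in the proxy.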