HAProxy ALOHA Documentation 13.5

Flows

Use the Flows tab to configure flows.

A flow defines iptables chains for incoming packets. The flow can specify, for any given combination of interface, protocol, IP address, and port whether packets should be allowed, dropped, directed to an LVS director, or routed according to a routing table.

The ability to filter on ranges of IP addresses and ports is particularly powerful when the flow directs the matching traffic to an LVS load balancer (see LB Layer4 tab). This is because an LVS load balancer by itself can accept traffic only from a single IP address and port.

Configuration file syntax

The flowmgr configuration file consists of a list of flow sections. Flows are evaluated sequentially.

flow <name> <policy>
   <rule>  [ [ not ] iface <name> ]
           [ [ not ] proto { tcp | udp | icmp } ]
           [ [ not ] src <ip>[/<mask>] ]
           [ [ not ] dst <ip>[/<mask>] ]
           [ [ not ] srcport <port>[:<port>] ]
           [ [ not ] dstport <port>[:<port>] ]
           [ [ not ] icmptype <icmptype> ] ]
   [<rule>]...

Term

Description

name

Unique identifier for this flow. Allowed characters are alphanumerics, hyphen (-), and underscore (_). Maximum length is 27 characters.

policy

Action to be applied to the flow. One of:

Policy

Description

permit

Matching packets are allowed.

deny

Matching packets are dropped.

director <director_name>

Matching packets are routed using the specified LVS director. Directors are defined in the LB Layer4 tab.

skip

The flow is skipped and the next flow is evaluated. This policy is useful for temporarily disabling a flow. This policy is the default action if no other policy is specified.

table <id>

Matching packets are routed using the specified routing table. Routing tables are defined in network setup under the Services tab.

rule

The match and ignore rules are evaluated sequentially.

Rule

Description

match

If a packet matches the specified conditions, the defined flow policy is immediately applied. Otherwise, the next ignore or match rules of the current flow are evaluated. If there are no more rules, the packet is considered not part of the current flow and the next flow is evaluated.

ignore

If a packet matches the specified conditions, the packet is considered not part of the current flow and the next flow is evaluated. Otherwise, the next ignore or match rules of the current flow are evaluated.

conditions

If no conditions are specified, all packets are considered a match. To negate the match, use the keyword not. Use the following terms to specify match conditions.

Condition

Description

proto

IP protocol: tcp, udp or icmp.

iface

Input network interface.

src

Packet IP source address, or network mask.

dst

Packet IP destination address, or network mask.

srcport

Packet port source, or port range. Only available on udp and tcp protocol.

dstport

Packet port destination, or port range. Only available on udp and tcp protocol.

icmptype

Packet icmp type code. Only available on icmp protocol.

Display flows rules

The flowmgr service converts flows into iptables chains. To display iptables rules, use this command:

$ iptables -L -t mangle

Flow manager invocation options

Invocation options for the flowmgr service are configured on the Services tab.

Examples

In this section, we demonstrate examples that use the Flow manager.

Match by IP address and port

In flow ssh:

  • Any packet not originating on the 192.168.0.0/24 network is not permitted by this flow but is passed through to the next flow for processing.

  • Any packet that originates on the 192.168.0.0/24 network is permitted if it is TCP protocol and targeted for IP/port 192.168.0.1:22. If the packet does not match these conditions, it is passed through to the next flow for processing.

    flow ssh permit
       ignore not src 192.168.0.0/24
       match proto tcp dst 192.168.0.1 dstport 22

Match UDP packets

In flow dns:

  • Any UDP packet targeted for IP/port 192.168.0.1:53 is permitted. If the packet does not match these conditions, it is passed through to the next flow for processing.

    flow dns permit
       match proto udp dst 192.168.0.1 dstport 53

Match ICMP messages

In flow ping:

  • Any ICMP packet targeted for IP 192.168.0.1 with an icmptype value of 0 is permitted. If the packet does not match these conditions, it is passed to the next rule for processing.

  • Any packet not originating on the 192.168.0.0/24 network is not permitted by this flow but is passed through to the next flow for processing. If the packet does originate on the 192.168.0.0/24 network, it is passed to the next rule for processing.

  • Any ICMP packet targeted for IP 192.168.0.1 is permitted. If the packet does not match these conditions, it is passed through to the next flow for processing.

    flow ping permit
       match proto icmp dst 192.168.0.1 icmptype 0
       ignore not src 192.168.0.0/24
       match proto icmp dst 192.168.0.1

Route traffic to LVS

In flow mail:

  • Any TCP packet targeted for IP/port 192.168.0.2:110 is sent to LVS director maildirect. If the packet does not match these conditions, it is passed through to the next rule for processing.

  • Any TCP packet targeted for IP/port 192.168.0.2:143 is sent to LVS director maildirect. If the packet does not match these conditions, it is passed through to the next rule for processing.

  • Any TCP packet targeted for IP/port 192.168.0.2:25 is sent to LVS director maildirect. If the packet does not match these conditions, it is passed through to the next flow for processing.

    flow mail director maildirect
       match proto tcp dst 192.168.0.2 dstport 110
       match proto tcp dst 192.168.0.2 dstport 143
       match proto tcp dst 192.168.0.2 dstport 25

Block unpermitted traffic

In flow alltherest:

  • All packets are blocked. This flow is useful for placing at the end of the flowmgr configuration to block all traffic not explicitly permitted in preceding flows.

    flow alltherest deny
       match

Next up

NAT mode