HAProxy ALOHA Documentation 15.5

Overview

In HAProxy ALOHA, PacketShield protects against packet floods and protocol-level attacks.

PacketShield is provided as a kernel module. Its code is executed between the network driver and the kernel. This means that all rules configured in PacketShield apply before any other rule in HAProxy ALOHA (IP ACLs, flow manager, L4 load balancing (LVS), HAProxy, and so on).

PacketShield is multicore and configured through the Linux Virtual sysfs filesystem /sys/.

Understanding PacketShield

PacketShield works like a stateful firewall able to process packets at wire speed. It is split into these components:

instance

An instance is associated with physical interfaces. Instances possess contexts.

context

Rule set applied to destination IPs (and potentially VLAN tag).

The diagram below shows how an incoming packet is treated when it reaches an HAProxy ALOHA where PacketShield is active:

             <------- packetshield ------->
physical interface ===> instance ========> context ====> system
             (1)              (2)             (3)
  1. The packet comes in through a physical network interface. It crosses the interface itself and the driver delivers it to the PacketShield instance associated with this interface.

  2. Based on the destination IP address or destination IP + VLAN tag, a context and associated rules are applied.

  3. If the packet successfully passes all the protection rules, it is delivered to the system (the HAProxy ALOHA kernel).

Packet processing in PacketShield

When processing packets, PacketShield applies different types of rules, in the following order:

  1. Dropping invalid packets (enabled by default, not configurable)

  2. Denylisting per source IP

  3. Allowlisting per:

    • source IP

    • protocol

    • destination TCP port

    • destination UDP port

  4. Destination TCP port protection (based on known sessions, TTLs, SYN cookies, and so on).


Next up

Setup