Flows
Use the Flows tab to configure flows.
A flow defines iptables chains for incoming packets. The flow can specify, for any given combination of interface, protocol, IP address, and port, whether packets should be allowed, dropped, directed to an LVS director, or routed according to a routing table.
The ability to filter on ranges of IP addresses and ports is particularly powerful when the flow directs the matching traffic to an LVS load balancer (see LB Layer4 tab). This is because an LVS load balancer by itself can accept traffic only from a single IP address and port.
Configuration file syntax
The flowmgr configuration file consists of a list of flow sections. Flows are evaluated sequentially.

```text
flow <name> <policy>
    <rule> [ [ not ] iface <name> ]
           [ [ not ] proto { tcp | udp | icmp } ]
           [ [ not ] src <ip>[/<mask>] ]
           [ [ not ] dst <ip>[/<mask>] ]
           [ [ not ] srcport <port>[:<port>] ]
           [ [ not ] dstport <port>[:<port>] ]
           [ [ not ] icmptype <icmptype> ]
    [<rule>] ...
```
The terms are as follows.

name
    Unique identifier for this flow. Allowed characters are alphanumerics, hyphen (-), and underscore (_). Maximum length is 27 characters.

policy
    Action to be applied to the flow. One of:

| Policy | Description |
|---|---|
| permit | Matching packets are allowed. |
| deny | Matching packets are dropped. |
| director <director_name> | Matching packets are routed using the specified LVS director. Directors are defined in the LB Layer4 tab. |
| skip | The flow is skipped and the next flow is evaluated. This policy is useful for temporarily disabling a flow. It is the default action if no other policy is specified. |
| table <id> | Matching packets are routed using the specified routing table. Routing tables are defined in network setup under the Services tab. |
rule
    The match and ignore rules are evaluated sequentially.

| Rule | Description |
|---|---|
| match | If a packet matches the specified conditions, the defined flow policy is immediately applied. Otherwise, the next ignore or match rules of the current flow are evaluated. If there are no more rules, the packet is considered not part of the current flow and the next flow is evaluated. |
| ignore | If a packet matches the specified conditions, the packet is considered not part of the current flow and the next flow is evaluated. Otherwise, the next ignore or match rules of the current flow are evaluated. |
conditions
    If no conditions are specified, all packets are considered a match. To negate a condition, prefix it with the keyword not. Use the following terms to specify match conditions.

| Condition | Description |
|---|---|
| proto | IP protocol: tcp, udp or icmp. |
| iface | Input network interface. |
| src | Packet IP source address, or network address/mask. |
| dst | Packet IP destination address, or network address/mask. |
| srcport | Packet source port, or port range. Only available with the udp and tcp protocols. |
| dstport | Packet destination port, or port range. Only available with the udp and tcp protocols. |
| icmptype | Packet icmp type code. Only available with the icmp protocol. |
Important
To save a new flow or changes to an existing flow, save the HAProxy ALOHA configuration. Click on the Setup tab. In the Configuration section, click Save.
Display flow rules
The flowmgr service converts flows into iptables chains. To display the resulting iptables rules, use this command:

```nix
iptables -L -t mangle
```
Flow manager invocation options
Invocation options for the flowmgr service are configured on the Services tab.
Examples
In this section, we demonstrate examples that use the Flow manager.
Match by IP address and port
In flow ssh:

- Any packet not originating on the 192.168.0.0/24 network is not permitted by this flow but is passed through to the next flow for processing.
- Any packet that originates on the 192.168.0.0/24 network is permitted if it is TCP protocol and targeted for IP/port 192.168.0.1:22. If the packet does not match these conditions, it is passed through to the next flow for processing.

```haproxy
flow ssh permit
    ignore not src 192.168.0.0/24
    match proto tcp dst 192.168.0.1 dstport 22
```
Match UDP packets
In flow dns:

- Any UDP packet targeted for IP/port 192.168.0.1:53 is permitted. If the packet does not match these conditions, it is passed through to the next flow for processing.

```haproxy
flow dns permit
    match proto udp dst 192.168.0.1 dstport 53
```
Match ICMP messages
In flow ping:

- Any ICMP packet targeted for IP 192.168.0.1 with an icmptype value of 0 is permitted. If the packet does not match these conditions, it is passed to the next rule for processing.
- Any packet not originating on the 192.168.0.0/24 network is not permitted by this flow but is passed through to the next flow for processing. If the packet does originate on the 192.168.0.0/24 network, it is passed to the next rule for processing.
- Any ICMP packet targeted for IP 192.168.0.1 is permitted. If the packet does not match these conditions, it is passed through to the next flow for processing.

```haproxy
flow ping permit
    match proto icmp dst 192.168.0.1 icmptype 0
    ignore not src 192.168.0.0/24
    match proto icmp dst 192.168.0.1
```
Route traffic to LVS
In flow mail:

- Any TCP packet targeted for IP/port 192.168.0.2:110 is sent to LVS director maildirect. If the packet does not match these conditions, it is passed through to the next rule for processing.
- Any TCP packet targeted for IP/port 192.168.0.2:143 is sent to LVS director maildirect. If the packet does not match these conditions, it is passed through to the next rule for processing.
- Any TCP packet targeted for IP/port 192.168.0.2:25 is sent to LVS director maildirect. If the packet does not match these conditions, it is passed through to the next flow for processing.

```haproxy
flow mail director maildirect
    match proto tcp dst 192.168.0.2 dstport 110
    match proto tcp dst 192.168.0.2 dstport 143
    match proto tcp dst 192.168.0.2 dstport 25
```
Block unpermitted traffic
In flow alltherest:

- All packets are blocked. This flow is useful for placing at the end of the flowmgr configuration to block all traffic not explicitly permitted in preceding flows.

```haproxy
flow alltherest deny
    match
```
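The sequential match/ignore semantics described under rule and illustrated by the examples above, as an added Python simulation of the evaluation order. This is not code from HAProxy ALOHA or the flowmgr service; the config text is constructed from three of the page's example flows, and the packet dicts are constructed inputs.

```python
import ipaddress
# Constructed flowmgr config: three of the page's example flows, in evaluation order.
CONFIG = """
flow ssh permit
    ignore not src 192.168.0.0/24
    match proto tcp dst 192.168.0.1 dstport 22
flow ping permit
    match proto icmp dst 192.168.0.1 icmptype 0
    ignore not src 192.168.0.0/24
    match proto icmp dst 192.168.0.1
flow alltherest deny
    match
"""

def parse(text):
    """Return [(name, policy, [(kind, [(negated, key, value), ...]), ...]), ...]."""
    flows = []
    for tok in filter(None, map(str.split, text.splitlines())):
        if tok[0] == "flow":
            flows.append((tok[1], " ".join(tok[2:]), []))  # policy may be "director <name>"
        elif tok[0] in ("match", "ignore"):
            conds, i = [], 1
            while i < len(tok):           # each condition: [not] key value
                neg = tok[i] == "not"
                i += neg
                conds.append((neg, tok[i], tok[i + 1]))
                i += 2
            flows[-1][2].append((tok[0], conds))
    return flows

def cond_matches(pkt, key, val):
    if key in ("src", "dst"):             # address or network, e.g. 192.168.0.0/24
        return ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(val, strict=False)
    if key in ("srcport", "dstport"):     # single port or range lo:hi
        lo, _, hi = val.partition(":")
        return int(lo) <= pkt.get(key, -1) <= int(hi or lo)
    return str(pkt.get(key)) == val       # proto, iface, icmptype: exact string compare

def evaluate(flows, pkt):
    """Return (flow name, policy) of the first flow whose match rule claims pkt."""
    for name, policy, rules in flows:
        if policy == "skip":              # skip: flow is disabled, go to the next one
            continue
        for kind, conds in rules:         # rules run in order; no conditions == match all
            if all(cond_matches(pkt, k, v) != neg for neg, k, v in conds):
                if kind == "match":
                    return name, policy   # policy applied immediately
                break                     # ignore hit: packet leaves this flow, try next
    return None, None                     # no flow claimed the packet
```

Running the ping flow against an echo reply (icmptype 0) from outside 192.168.0.0/24 shows why rule order matters: the first match fires before the ignore rule is reached.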