PacketShield

Overview

On this page

In HAProxy ALOHA, PacketShield protects against packet floods and protocol-level attacks.

PacketShield is provided as a kernel module. Its code is executed between the network driver and the kernel. This means that all rules configured in PacketShield apply before any other rule in HAProxy ALOHA (IP ACLs, flow manager, L4 load balancing (LVS), HAProxy, and so on).

PacketShield is multicore and configured through the Linux Virtual sysfs filesystem /sys/.

Important

After making changes using the GUI, make the changes persist after a reboot by going to the Setup tab and clicking Save within the Configuration section. After making changes using the CLI, execute config save to persist the changes.

Understanding PacketShield Jump to heading

PacketShield works like a stateful firewall able to process packets at wire speed. It is split into these components:

  • instance
    • An instance is associated with physical interfaces. Instances possess contexts.
  • context
    • Rule set applied to destination IPs (and potentially VLAN tag).

The diagram below shows how an incoming packet is treated when it reaches an HAProxy ALOHA where PacketShield is active:

text
                 <------- packetshield ------->
    physical interface ===> instance ========> context ====> system
                 (1)              (2)             (3)
text
                 <------- packetshield ------->
    physical interface ===> instance ========> context ====> system
                 (1)              (2)             (3)

  1. The packet comes in through a physical network interface. It crosses the interface itself and the driver delivers it to the PacketShield instance associated with this interface.

  2. Based on the destination IP address or destination IP + VLAN tag, a context and associated rules are applied.

  3. If the packet successfully passes all the protection rules, it is delivered to the system (the HAProxy ALOHA kernel).

Packet processing in PacketShield Jump to heading

When processing packets, PacketShield applies different types of rules, in the following order:

  1. Dropping invalid packets (enabled by default, not configurable)

  2. Denylisting per source IP

  3. Allowlisting per:

    • source IP
    • protocol
    • destination TCP port
    • destination UDP port

  4. Destination TCP port protection (based on known sessions, TTLs, SYN cookies, and so on).

    Info

    The first rule that matches the packet stops the processing.

Do you have any suggestions on how we can improve the content of this page?

Previous page PacketShield Next page Setup
© 2024 HAProxy Technologies, LLC. All Rights Reserved
Manage Cookie Preferences