
Loxilb SYNProxy support? #670

Open
vincentmli opened this issue May 9, 2024 · 3 comments
Labels
enhancement New feature or request status:planning

Comments

@vincentmli

vincentmli commented May 9, 2024

Is your feature request related to a problem? Please describe.

For a standalone layer 4 load balancer, SYNPROXY seems to be a common feature for stopping TCP SYN/ACK/RST DDoS attacks before the load balancer does the real load balancing. If the loxilb data path had an internal SYNPROXY implementation, it would be appealing to loxilb users.

Describe the solution you'd like

To run loxilb in BPFire OS as a standalone layer 4 load balancer. My original TCP client packet path is: SYN -> XDP SYNPROXY -> loxilb TC LB, but then I realized and tested that XDP SYNPROXY requires working with the iptables SYNPROXY module and netfilter conntrack, whereas loxilb bypasses netfilter and has its own internal conntrack implementation, so they would not work together; see the alternative below.

Describe alternatives you've considered

In the loxilb TC data path pipeline, one could do:

SYN -> loxilb TC data path
               |--> A: first tail call SYNPROXY code
               |--> B: then continue loxilb LB if client ACK validated by SYNPROXY

I think the code in the kernel tree, test_tcp_custom_syncookie.c, with some modification for loxilb might be workable code for A (SYNPROXY) above; that code does not involve netfilter or netfilter conntrack.

Additional context

I already ported the in-kernel-tree XDP SYNPROXY code to BPFire OS and it works well with netfilter NAT port forwarding, with high throughput for BPFire XDP SYNPROXY under a DPDK Pktgen 10Gbit SYN flood attack. Since loxilb can not only replace the netfilter NAT function but also do load balancing, with the addition of SYNPROXY in loxilb it is even better.

@vincentmli vincentmli added the enhancement New feature or request label May 9, 2024
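The SYN-cookie generate/validate pair that step A above would need (the same logic the later comment proposes folding into the conntrack state code), as an added user-space C model that is not loxilb, BPFire or kernel code; it assumes a toy keyed mixer in place of the kernel's SipHash and a caller-supplied minute counter, both hypothetical.

```c
#include <stdint.h>

/* Stateless SYN-cookie model (added example, not loxilb or kernel code).
 * Classic Linux layout: cookie = client_isn + (count << 24)
 *                            + ((hash(4-tuple, count) + mss_index) & 0xffffff). */
#define COOKIE_BITS 24
#define COOKIE_MASK ((1u << COOKIE_BITS) - 1)
#define MAX_COOKIE_AGE 1u /* accept cookies from the current or previous minute */

static const uint16_t mss_table[4] = {536, 1300, 1440, 1460};

/* Toy keyed mixer standing in for the kernel's SipHash; constructed for the demo only. */
static uint32_t cookie_hash(uint32_t saddr, uint32_t daddr, uint16_t sport,
                            uint16_t dport, uint32_t count, uint64_t secret) {
    uint64_t h = secret ^ 0x9e3779b97f4a7c15ULL;
    uint64_t in[3] = {((uint64_t)saddr << 32) | daddr,
                      ((uint64_t)sport << 16) | dport, count};
    for (int i = 0; i < 3; i++) {
        h ^= in[i]; h *= 0xff51afd7ed558ccdULL; h ^= h >> 33;
    }
    return (uint32_t)(h ^ (h >> 32));
}

/* Largest table MSS not exceeding what the client advertised in its SYN. */
static uint8_t mss_index(uint16_t mss) {
    uint8_t idx = 0;
    for (uint8_t i = 1; i < 4; i++) if (mss_table[i] <= mss) idx = i;
    return idx;
}

/* SYN arrives: compute the SYN/ACK sequence number without allocating any state. */
uint32_t syncookie_gen(uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport,
                       uint32_t client_isn, uint16_t mss, uint32_t minute, uint64_t secret) {
    uint32_t h = cookie_hash(saddr, daddr, sport, dport, minute & 0xff, secret);
    return client_isn + ((minute & 0xff) << COOKIE_BITS) + ((h + mss_index(mss)) & COOKIE_MASK);
}

/* Final ACK arrives: seq = client_isn + 1, ack = cookie + 1. Returns the MSS to
 * use for the new connection, or 0 if the cookie is stale or forged. */
uint16_t syncookie_check(uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport,
                         uint32_t seq, uint32_t ack, uint32_t now_minute, uint64_t secret) {
    uint32_t diff = (ack - 1) - (seq - 1);
    uint32_t count = diff >> COOKIE_BITS;
    if (((now_minute - count) & 0xff) > MAX_COOKIE_AGE) return 0;  /* stale */
    uint32_t h = cookie_hash(saddr, daddr, sport, dport, count, secret);
    uint32_t idx = (diff - h) & COOKIE_MASK;
    return idx < 4 ? mss_table[idx] : 0;                             /* forged */
}
```

Only an ACK whose acknowledgment number matches a cookie derived from the same 4-tuple, secret and recent counter is admitted to the load-balancing stage; everything else is dropped with no per-flow memory spent.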
@TrekkieCoder
Collaborator

It might not be too difficult to implement. Will keep you posted about the progress on this.

@vincentmli
Author

@TrekkieCoder coming back to this, I wonder if it is possible, or might even be easier, to add SYN cookie generation and validation in the TCP state tracking code here https://github.com/loxilb-io/loxilb-ebpf/blob/main/kernel/llb_kern_ct.c#L263-L481 ? No hook, no tail call needed, built into the core conntrack state code?

@TrekkieCoder
Collaborator

> @TrekkieCoder coming back to this, I wonder if it is possible, or might even be easier, to add SYN cookie generation and validation in the TCP state tracking code here https://github.com/loxilb-io/loxilb-ebpf/blob/main/kernel/llb_kern_ct.c#L263-L481 ? No hook, no tail call needed, built into the core conntrack state code?

Yes it should be possible to do it here as you suggested. Sorry for the delay in getting to this. Since this is a very interesting feature, planning to get it done soon.
