loxilb-io / loxilb

eBPF based cloud-native load-balancer. Powering Kubernetes|Edge|5G|IoT|XaaS Apps.
https://www.loxilb.io
Apache License 2.0

Loxilb SYNProxy support? #670

Open vincentmli opened 1 month ago

vincentmli commented 1 month ago

Is your feature request related to a problem? Please describe.

For a standalone layer 4 balancer, SYNPROXY seems to be a common feature to stop TCP SYN/ACK/RST DDoS attacks before the load balancer does the real load balancing. If the loxilb data path had an internal SYNPROXY implementation, it would be appealing to loxilb users.

Describe the solution you'd like

To run loxilb in BPFire OS as a standalone layer 4 load balancer. My original TCP client packet path is: SYN -> XDP SYNPROXY -> loxilb TC LB, but then I realized and tested that XDP SYNPROXY requires working with the iptables SYNPROXY module and netfilter conntrack, whereas loxilb bypasses netfilter and has its own internal conntrack implementation, so they would not work together; see the alternative below.

Describe alternatives you've considered

In the loxilb TC data path pipeline, it could do:

SYN -> loxilb TC data path
               |--> A: first tail call SYNPROXY code
               |--> B: then continue loxilb LB if client ACK validated by SYNPROXY

I think the code in the kernel tree, test_tcp_custom_syncookie.c, with some modification for loxilb might be workable code for A (SYNPROXY) above; that code does not involve netfilter or netfilter conntrack.

Additional context

I already ported the in-kernel-tree XDP SYNPROXY code to BPFire OS, and it works well with netfilter NAT port forwarding, with high throughput for BPFire XDP SYNPROXY under a DPDK Pktgen 10Gbit SYN flood attack. Since loxilb can not only replace the netfilter NAT function but also do load balancing, with the addition of SYNPROXY in loxilb it is even better.
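To make step A of the proposed pipeline concrete (the SYN proxy answers a SYN with a cookie-derived ISN and later validates the client's ACK without any conntrack state), here is an added userspace C example. It is not loxilb code and not the kernel's test_tcp_custom_syncookie.c; the secret, the MSS table, the flow tuple and the counter values are constructed for the demo, and the keyed FNV-1a hash is a stand-in for the SipHash a real implementation would use.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed per-process secret; a real proxy draws it from a CSPRNG at boot. */
static const uint64_t SECRET = 0x5eed5eed5eed5eedULL;

/* MSS values a cookie can carry in its two low bits (constructed table). */
static const uint16_t MSS_TABLE[4] = {536, 1220, 1440, 1460};

struct flow4 {
    uint32_t saddr, daddr;   /* IPv4 addresses, host byte order */
    uint16_t sport, dport;   /* TCP ports, host byte order */
};

/* Constructed demo flows: 10.0.0.1:40000 -> 10.0.0.2:80 and a second client port. */
static const struct flow4 DEMO_FLOW  = {0x0a000001, 0x0a000002, 40000, 80};
static const struct flow4 OTHER_FLOW = {0x0a000001, 0x0a000002, 40001, 80};

/* Keyed 64-bit FNV-1a over (flow, 8-bit time counter, secret). Placeholder for
   SipHash: only the keyed mixing matters here, not the hash's strength. */
static uint32_t cookie_hash(const struct flow4 *f, uint32_t count)
{
    uint8_t buf[sizeof *f + sizeof count + sizeof SECRET];
    memcpy(buf, f, sizeof *f);
    memcpy(buf + sizeof *f, &count, sizeof count);
    memcpy(buf + sizeof *f + sizeof count, &SECRET, sizeof SECRET);

    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < sizeof buf; i++) {
        h ^= buf[i];
        h *= 1099511628211ULL;
    }
    return (uint32_t)(h ^ (h >> 32));
}

/* Index of the largest table MSS not exceeding what the client advertised. */
static uint32_t mss_index(uint16_t client_mss)
{
    uint32_t idx = 0;
    for (uint32_t i = 1; i < 4; i++)
        if (MSS_TABLE[i] <= client_mss)
            idx = i;
    return idx;
}

/* ISN for the SYN/ACK: bits 31..24 hold the time counter, bits 23..2 a keyed
   hash of flow and counter, bits 1..0 the MSS index. The client's ISN is added
   so the cookie is bound to the SYN it answers. Nothing is stored. */
uint32_t syncookie_make(const struct flow4 *f, uint32_t client_isn,
                        uint16_t client_mss, uint32_t count)
{
    uint32_t c = count & 0xffu;
    uint32_t cookie = (c << 24) | (cookie_hash(f, c) & 0x00fffffcu)
                    | mss_index(client_mss);
    return cookie + client_isn;
}

/* Validate the handshake's final ACK. seq/ack are that segment's numbers and
   `count` is the proxy's current time counter. Returns the negotiated MSS on
   success, 0 when the cookie is forged, replayed on another flow, or older
   than one counter tick. Only after this does the packet deserve LB work. */
uint16_t syncookie_check(const struct flow4 *f, uint32_t seq, uint32_t ack,
                         uint32_t count)
{
    /* ack - 1 is our ISN and seq - 1 is the client's ISN; subtract the latter. */
    uint32_t cookie = ack - seq;
    uint32_t stored = cookie >> 24;
    uint32_t age = (count - stored) & 0xffu;
    if (age > 1)                     /* accept current or previous window only */
        return 0;
    uint32_t expect = (stored << 24) | (cookie_hash(f, stored) & 0x00fffffcu);
    if ((cookie & 0xfffffffcu) != expect)
        return 0;
    return MSS_TABLE[cookie & 3u];
}

int main(void)
{
    uint32_t isn = syncookie_make(&DEMO_FLOW, 12345, 1400, 7);
    printf("SYN/ACK isn=%u\n", isn);
    printf("fresh ack     -> mss %u\n", (unsigned)syncookie_check(&DEMO_FLOW, 12346, isn + 1, 7));
    printf("next window   -> mss %u\n", (unsigned)syncookie_check(&DEMO_FLOW, 12346, isn + 1, 8));
    printf("two windows   -> mss %u\n", (unsigned)syncookie_check(&DEMO_FLOW, 12346, isn + 1, 9));
    printf("other flow    -> mss %u\n", (unsigned)syncookie_check(&OTHER_FLOW, 12346, isn + 1, 7));
    return 0;
}
```

The point relevant to this thread is that nothing about the pending connection is kept between the SYN and the ACK: a SYN flood costs the proxy one hash per packet rather than a conntrack entry, and an ACK that carries no valid cookie is dropped before it reaches the load-balancing stage. In an eBPF tail-call program the same two functions would run on the SYN and ACK paths respectively, with the counter derived from bpf_ktime_get_ns().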

TrekkieCoder commented 1 month ago

It might not be too difficult to implement. Will keep you posted about the progress on this.