Tcp-connect with set-mark

crisrodrigues · February 12, 2019, 7:27pm

Hi,

We use http-request set-mark directive to add a mark to inform routing decisions.

But now we’re trying to check backend connections with the following:

defaults
    option tcp-check

backend b
    tcp-check connect
    server ...

But that tcp-check isn’t getting marked at all (obvious since we mark it using http-request set-mark) but we can’t seem to find a way to have those checks have the same mark as the requests.

Since without those mark the routing decision is wrong, the backend is always declared as DOWN…which wouldn’t happen if we could properly either mark the connection or have our source IP address set like we asked here:

https://discourse.haproxy.org/t/source-directive-based-on-outgoing-family/3501/2

Is there any way to achieve the Netfilter mark for TCP checks?

ciprian.craciun · February 13, 2019, 6:37am

According to the documentation the http-request set-mark only applies that mark to the client packet, not the server one.

Are you sure that marks work correctly on the server packets?

crisrodrigues · February 14, 2019, 2:56am

Hi Ciprian,

You’re right: We’re just getting the client-facing con marked…which doesn’t do what we need.

We need either a mark or a tos on the backend-facing conn…which doesn’t seem to be possible using haproxy

ciprian.craciun · February 14, 2019, 5:46am

Can’t you just use iptables to mark packets going to a particular destination?
(Or even ip rule and route based on the destination IP?)

crisrodrigues · February 14, 2019, 5:04pm

ip rule can’t be used because the backend has a dynamic DNS entry, so no.

And using iptables seems problematic for the same reason. That’s why I wanted to either set-mark or set-tos the outgoing connection using haproxy.

ciprian.craciun · February 14, 2019, 6:20pm

Then it means that the HAProxy is doing a DNS request from time-to-time to resolve the new IP of the server. Therefore you could do the same, namely create a cron-job that tries to resolve the IP and configure iptables (perhaps via ipset).

If you configure the connection timeout of the server long enough, more than the frequency of your “check script”, you won’t loose any requests, just face some “hickups” from time-to-time when the actual IP changes.

However if you depend on the TOS or set-mark for packets towards the server it means you have a different routing table for those servers. Then can’t you “jump” the traffic from HAProxy to that server based on the source IP of the TCP connection?

For example you could configure source with <addr> to a particular IP, then move all the packets based on that source address via ip rule to a different table, and in the end make a SNAT (or -j masquarade) to “fix” the source IP if needed.

Topic		Replies	Views
Clarification on backend server configuration Help!	4	392	May 19, 2022
Dynamic backend server port from request Help!	3	2322	August 31, 2018
Blocking a IP Adress via a map lookup Help!	0	458	August 4, 2021
Transparent proxy - configure backend servers Help!	4	6221	December 17, 2019
Little bit of help on tcp-request content reject Help!	0	654	July 18, 2022

Tcp-connect with set-mark

Related Topics