Hi, I've accepted Willy's challenge from HAProxy.conf 2022, here is my shot:
The silent-drop action was extended with an additional optional parameter, [rst-ttl <ttl>], causing HAProxy to send a TCP RST with the specified TTL towards the client. With this behaviour, the connection state on your own client-facing middle-boxes (load balancers, firewalls) will be purged, but the client will still assume the TCP connection is up because the TCP RST packet expires before reaching the client.

I think of it as another DDoS defense mechanism - this will save resources on the middle-boxes (connection table exhaustion). Subsequent packets from a silently-dropped connection will be already dropped by the upstream equipment, saving resources on HAProxy and the network between middle-box(es) and HAProxy.

Comments welcome!

Best regards
Mathias
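To show how the proposed parameter would be deployed, here is an added configuration example; it is not part of the submitted patch or the author's mail. It assumes the syntax described above (silent-drop rst-ttl <ttl>, with <ttl> an IP TTL value), and the per-source connection-rate stick table, the frontend and backend names, the certificate path and the server address are all constructed for illustration:

```haproxy
# Added example, not from the patch: rate-limit new connections per source IP
# and silently drop offenders with a TTL-limited RST.
# Assumption: "rst-ttl <ttl>" takes the IP TTL placed on the outgoing RST.
frontend fe_public
    bind *:443 ssl crt /etc/haproxy/certs/site.pem   # constructed path
    stick-table type ip size 1m expire 60s store conn_rate(10s)
    tcp-request connection track-sc0 src
    # rst-ttl 2: in this constructed topology the RST crosses two hops
    # (the edge firewall and the upstream load balancer) and then expires.
    # Both boxes purge their connection-table entry on seeing the RST, while
    # the client never receives it and keeps waiting on a connection that
    # no longer exists anywhere on our side.
    tcp-request connection silent-drop rst-ttl 2 if { sc0_conn_rate gt 100 }
    default_backend be_app

backend be_app
    server app1 10.0.0.10:8080 check   # constructed address
```

The TTL is topology-specific: set it to the hop count from HAProxy to the farthest stateful device you control (a traceroute from the HAProxy host towards a client gives the number), and check it again whenever the network path changes. If the value is too small the nearer middle-boxes keep the stale entry; if it is too large the RST reaches the client, which simply sees a reset connection and loses the "silent" part of the drop.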
0001-MEDIUM-frontend-add-parameter-rst-ttl-to-silent-drop.patch