Hi Mathias,

On Fri, Nov 18, 2022 at 11:38:06PM +0000, Mathias Weiersmüller (cyberheads GmbH) wrote:
> Hi,
>
> I've accepted Willy's challenge from HAProxy.conf 2022, here is my shot:

Oh thank you!

> The silent-drop action was extended with an additional optional parameter,
> [rst-ttl <ttl> ], causing HAProxy to send a TCP RST with the specified TTL
> towards the client.
>
> With this behaviour, the connection state on your own client-facing
> middle-boxes (load balancers, firewalls) will be purged, but the client will
> still assume the TCP connection is up because the TCP RST packet expires
> before reaching the client.
>
> I think of it as another DDoS defense mechanism - this will save resources on
> the middle-boxes (connection table exhaustion). Subsequent packets from a
> silently-dropped connection will be already dropped by the upstream
> equipment, saving resources on HAProxy and the network between middle-box(es)
> and HAProxy.
>
> Comments welcome!

Well, I've reviewed it completely, I have no comment to make, the patch is
clean, minimal, documented, and it doesn't change any existing behaviour so I
see no reason for not taking it now. Thus I'm merging it.

Thank you!
Willy
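A configuration sketch of the use case described in the quoted mail, added here as an illustration and not taken from the patch or from the thread; the frontend name, the stick-table sizing, the connection-rate threshold and the TTL value of 3 are all assumptions (the TTL has to be chosen per deployment after counting the hops to your own middle-boxes), only the `silent-drop [rst-ttl <ttl>]` syntax comes from the patch description:

```haproxy
# Hypothetical frontend showing silent-drop with the rst-ttl parameter
# from the quoted patch. All names and numbers below are assumptions.
frontend fe_web
    bind :80

    # Track per-source connection rate over a 10 s window so that a
    # flood of new connections from one address can be recognised.
    stick-table type ip size 100k expire 30s store conn_rate(10s)
    tcp-request connection track-sc0 src

    # Threshold is a placeholder; tune it for the real traffic profile.
    acl abuser sc0_conn_rate gt 100

    # Silently drop the abuser's connection, emitting a TCP RST whose TTL
    # is just large enough to cross the firewalls / load balancers in
    # front of HAProxy (assumed to be 2 hops away here, hence 3) but too
    # small to reach the client. The middle-boxes purge their connection
    # state; the client keeps believing the connection is up, and its
    # further packets are dropped upstream before they reach HAProxy.
    # Count the hops (e.g. with traceroute from the HAProxy host) before
    # picking the value: too large and the RST reaches the client, too
    # small and the middle-boxes never see it.
    tcp-request connection silent-drop rst-ttl 3 if abuser
```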