Re: Half--NAT

From: Willy Tarreau <>
Date: Fri, 25 Mar 2011 06:32:27 +0100

On Thu, Mar 24, 2011 at 05:41:56PM -0600, Jason J. W. Williams wrote:
> >
> > somebody wanna make it do DSR next? :)
> >
> > -r
> Just from a cursory look, that seems like something TPROXY would need to be
> extended to support and then HAProxy could leverage it. Should only take a
> weekend right? ;)

Just in case you were not kidding, let me remind you that DSR is not possible
on Layer 7, and anybody who sells you that is simply lying :
  - for DSR to work, the server must be able to respond directly to the client.
  => if the intermediary chooses a random seq number during the handshake,
     once it forwards the connection to the server, it has no way to tell
     the server to reuse the same random and to work with it. It has no
     way either to force it to use the parameters it used during the handshake.

The server will thus choose its own and respond to the client with them. Obviously, the client will reject them, and will either drop the packets, reset the connection or enter an ACK storm with the server if both sides believe the other is wrong.

That said, with the hardware we find nowadays, DSR is less commonly a requirement. Building a 10gig-capable proxy is possible out of a $1500 machine. DSR was invented at a time where LBs were not capable of handling the massive traffic some sites were using.

Still, using DSR on L4 LBs in front of an L7 LB farm makes sense to scale to very high loads when you need tens or hundreds of gigabits (fortunately very few sites need that right now).

Willy

Received on 2011/03/25 06:32
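The sequence-number argument above, worked through as an added example (this is not code from the original thread, nor from HAProxy). It is a toy model of TCP endpoint state, not a packet generator: each side keeps its own send sequence (snd_nxt) and the next sequence it expects from the peer (rcv_nxt). The proxy terminates the client's handshake with its own ISN, opens a second connection to the server, and the server then answers the client directly, as DSR would require. The ISN values (100, 1000, 2000000000) and the 64 KiB receive window are constructed; the proxy is assumed to be able to reuse the client's ISN on its own back-end leg (it chooses that one), but it cannot choose the server's ISN.

```python
"""Toy model: why an L7 proxy cannot hand a TCP connection off for DSR."""

MOD = 2 ** 32  # TCP sequence space wraps at 32 bits


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq falls in [rcv_nxt, rcv_nxt + rcv_wnd), with wraparound."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


class TcpEnd:
    """Minimal TCP endpoint: our send sequence and what we expect next."""

    def __init__(self, name, isn):
        self.name = name
        self.snd_nxt = isn % MOD   # next sequence number we will send
        self.rcv_nxt = None        # next sequence number we expect from peer
        self.rcv_wnd = 65535       # constructed receive window

    def syn(self):
        seg = {"src": self.name, "seq": self.snd_nxt, "ack": None, "flags": "SYN"}
        self.snd_nxt = (self.snd_nxt + 1) % MOD  # SYN consumes one sequence number
        return seg

    def syn_ack(self, peer_syn):
        self.rcv_nxt = (peer_syn["seq"] + 1) % MOD
        seg = {"src": self.name, "seq": self.snd_nxt, "ack": self.rcv_nxt, "flags": "SYN-ACK"}
        self.snd_nxt = (self.snd_nxt + 1) % MOD
        return seg

    def ack(self, peer_synack):
        self.rcv_nxt = (peer_synack["seq"] + 1) % MOD
        return {"src": self.name, "seq": self.snd_nxt, "ack": self.rcv_nxt, "flags": "ACK"}

    def data(self, payload):
        seg = {"src": self.name, "seq": self.snd_nxt, "ack": self.rcv_nxt,
               "flags": "PSH-ACK", "payload": payload}
        self.snd_nxt = (self.snd_nxt + len(payload)) % MOD
        return seg

    def receive(self, seg):
        """Verdict on an incoming segment, as a real stack would judge it."""
        if seg["seq"] != self.rcv_nxt:
            # In-window but not next would be queued; out-of-window is dropped/RST.
            return "out-of-order" if in_window(seg["seq"], self.rcv_nxt, self.rcv_wnd) else "out-of-window"
        if seg["ack"] is not None and (self.snd_nxt - seg["ack"]) % MOD >= 2 ** 31:
            return "bad-ack"  # peer acknowledges data we never sent
        self.rcv_nxt = (self.rcv_nxt + len(seg.get("payload", b""))) % MOD
        return "accept"


def handshake(initiator, responder):
    """Three-way handshake; afterwards each side knows the other's sequence space."""
    synack = responder.syn_ack(initiator.syn())
    responder.receive(initiator.ack(synack))


def dsr_behind_l7_proxy(client_isn, proxy_isn, server_isn):
    """Proxy terminates the client, opens its own connection to the server,
    and the server replies to the client directly. Returns the client's verdict."""
    client = TcpEnd("client", client_isn)
    proxy_front = TcpEnd("proxy-front", proxy_isn)
    handshake(client, proxy_front)          # client now expects proxy_isn + 1

    proxy_back = TcpEnd("proxy-back", client_isn)  # proxy may mirror the client's ISN here
    server = TcpEnd("server", server_isn)          # ...but the server picks its own ISN
    handshake(proxy_back, server)

    reply = server.data(b"HTTP/1.1 200 OK\r\n")    # sent straight to the client (DSR)
    return client.receive(reply)


def reply_via_proxy(client_isn, proxy_isn, server_isn):
    """Same setup, but the proxy relays the payload in its own sequence space."""
    client = TcpEnd("client", client_isn)
    proxy_front = TcpEnd("proxy-front", proxy_isn)
    handshake(client, proxy_front)
    proxy_back = TcpEnd("proxy-back", client_isn)
    server = TcpEnd("server", server_isn)
    handshake(proxy_back, server)

    reply = proxy_back.receive(server.data(b"HTTP/1.1 200 OK\r\n"))  # proxy accepts it
    assert reply == "accept"
    return client.receive(proxy_front.data(b"HTTP/1.1 200 OK\r\n"))


if __name__ == "__main__":
    print("DSR, server picks its own ISN :", dsr_behind_l7_proxy(100, 1000, 2_000_000_000))
    print("DSR, server happens to reuse ISN:", dsr_behind_l7_proxy(100, 1000, 1000))
    print("Reply relayed through the proxy :", reply_via_proxy(100, 1000, 2_000_000_000))
```

The only input that makes the direct reply land in the client's window is a server ISN equal to the one the proxy used on the front side, which is exactly the value the proxy has no way to impose; with a randomised 32-bit ISN the chance of even being in-window is about 65535 / 2^32.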

This archive was generated by hypermail 2.2.0 : 2011/03/25 06:45 CET