|
|
|
|
|
|
by wtarreau
744 days ago
|
|
|
UDP through a proxy is total non-sense. There isn't any single UDP-based service that is cleanly proxyable. Not just one. Most of them rely on the source IP address itself (plus port) or announce it in the protocol, then require either to spoof the source address and reconfigure all servers to route responses through the proxy, or the proxy to mangle the contents (not even always possible). There's no notion or indication of beginning nor end of connection, packet direction, nor number of packets expected in each direction. Sometimes assigned ports on both sides are not even compatible anymore with some protocols. And it's even funnier when some users want to proxy some IPv6 traffic to an IPv4 server and they don't even understand that it's not possible to perform transparent proxying in this case. UDP has always been for light stateless stuff on direct connections, and a proxy is everything but that. In short, only services that support being NATted by a firewall will be transportable over a proxy (sometimes with some efforts), and will always be better handled using LVS that does that natively, with less overhead, less resources and less configuration. I've yet to see a single valid case for generic UDP proxying. The only cases that make sense are service proxies (syslog proxy, DNS proxy etc), which I'm perfectly fine with. For example our syslog proxy can listen to UDP and forward to UDP, TCP and/or stdout, message by message. But for now I'll continue to firmly oppose to the supporting generic UDP in haproxy and I will continue to tell requesters that their demand is stupid and proves a very poor understanding of networking basics. In the end there's a nice tradeoff: internally at HAProxyTech some of my coworkers have implemented generic proxying in the enterprise edition for all those whom we don't want to say their demand is stupid, because they're willing to pay to avoid using their brain. They're happy with that (at least I hope so), and we don't have to pollute the core with code trying to plug uncovered areas for people complaining on an issue tracker that something does not work due to their uneducated architectural choices. So in the end everyone wins. |
|
|
Then when a packet comes in, you decide which origin to forward it to (by unspecified magic), and then send it on annotated with the source ip and port. Replies from the server would include the desired destination ip and port. TURN can also setup a 'channel' so data packets skip the addressing. The end client facing service ip and port would be implicitly linked to the internal TURN service ip and port.
I think the turn server I've been working with could do this out of the box for a single origin server with specific configuration. With a single origin server, it's not very useful other than proof of concept, of course.
But LVS or some other lower level balancing, where ideally the origins are configured with the service ip and port, and outbound packets don't need munging (DSR) sounds like a much better idea. Any sort of rules based forwarding based on a generic UDP packet seems hopelessly complex because of tracking state on stateless protocols.