Difference between revisions of "IPVS FULLNAT and SYNPROXY"
Revision as of 08:42, 8 August 2012
Introduction
FULLNAT: A new packet forwarding model for IPVS besides DR/NAT/TUNNEL
The main principle: the module introduces a local IP address (lip, an IDC-internal address). IPVS translates the cip-vip pair into a lip-rip pair; because lip and rip are both IDC-internal addresses, the LVS director and the real servers can communicate across VLANs, and the real servers only need access to the internal network.
SYNPROXY: Defence module against synflooding attack
The main principle: based on TCP SYN cookies; see http://en.wikipedia.org/wiki/SYN_cookies.
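To make the two principles above concrete, here is an added toy model (example code written for this page, not the project's kernel code) of a director that runs SYNPROXY in front of a FULLNAT connection table. The SYN from a client is answered with a SYN+ACK whose initial sequence number is a keyed cookie, so no connection entry exists until the client's final ACK proves it holds a valid cookie; only then is a lip/lport and rip/rport chosen and the cip-vip to lip-rip rewrite recorded. The cookie layout (24 bits of keyed hash, 5 bits of time counter, 3 bits of MSS index), the secret, and all addresses and ports are constructed for the example and are simpler than the real Linux syncookie encoding.

```python
import hashlib
import hmac

# Constructed values for this example (not from the project): a per-director key
# and a small MSS table, mirroring how syncookies fold the MSS into the ISN.
SECRET = b"constructed-director-secret"
MSS_TABLE = [536, 1220, 1460]


def syn_cookie(cip, cport, vip, vport, counter, mss_idx):
    """Mint the ISN for a SYN+ACK: a keyed hash of the 4-tuple and a coarse time
    counter, with the counter's low 5 bits and the MSS index in the low byte.
    The director stores nothing; the client echoes the cookie back in its ACK."""
    msg = f"{cip}:{cport}->{vip}:{vport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    keyed = int.from_bytes(digest[:3], "big")            # 24 bits of keyed hash
    return (keyed << 8) | ((counter & 0x1F) << 3) | (mss_idx & 0x7)


def check_cookie(cip, cport, vip, vport, cookie, now, max_age=4):
    """Validate the cookie echoed in a final ACK. Returns the MSS index, or None.
    Only the last max_age counter ticks are accepted, so a harvested cookie
    cannot be replayed indefinitely."""
    low_counter = (cookie >> 3) & 0x1F
    mss_idx = cookie & 0x7
    for age in range(max_age + 1):
        counter = now - age
        if (counter & 0x1F) != low_counter:
            continue
        if syn_cookie(cip, cport, vip, vport, counter, mss_idx) == cookie:
            return mss_idx
    return None


class FullnatDirector:
    """Toy LVS director: SYNPROXY in front of a FULLNAT connection table."""

    def __init__(self, vip, vport, lips, rips, now=0):
        self.vip, self.vport = vip, vport
        self.lips = list(lips)      # IDC-internal local IPs used as source toward the RS
        self.rips = list(rips)      # (rip, rport) pairs, also IDC-internal
        self.now = now              # coarse clock tick used for cookies
        self.conns = {}             # (cip, cport) -> (lip, lport, rip, rport)
        self.next_lport = 10000
        self.rr = 0                 # round-robin index for lip and rip selection

    def on_syn(self, cip, cport, mss_idx=2):
        """SYN from the client: reply SYN+ACK whose ISN is the cookie.
        No connection entry is created, which is what blunts a SYN flood."""
        isn = syn_cookie(cip, cport, self.vip, self.vport, self.now, mss_idx)
        return {"flags": "SYN+ACK", "seq": isn, "mss": MSS_TABLE[mss_idx]}

    def on_ack(self, cip, cport, ack_seq):
        """Final ACK: only a valid cookie (ack_seq - 1) creates state. On success
        the director picks lip/rip and records the FULLNAT 4-tuple mapping."""
        cookie = (ack_seq - 1) & 0xFFFFFFFF
        if check_cookie(cip, cport, self.vip, self.vport, cookie, self.now) is None:
            return None
        lip = self.lips[self.rr % len(self.lips)]
        rip, rport = self.rips[self.rr % len(self.rips)]
        self.rr += 1
        lport, self.next_lport = self.next_lport, self.next_lport + 1
        self.conns[(cip, cport)] = (lip, lport, rip, rport)
        return self.conns[(cip, cport)]

    def to_rs(self, cip, cport):
        """Outbound rewrite: cip:cport->vip:vport becomes lip:lport->rip:rport.
        The RS therefore sees lip, not cip, as the peer address."""
        return self.conns[(cip, cport)]

    def to_client(self, rip, rport, lip, lport):
        """Reverse rewrite: rip:rport->lip:lport becomes vip:vport->cip:cport."""
        for (cip, cport), entry in self.conns.items():
            if entry == (lip, lport, rip, rport):
                return (self.vip, self.vport, cip, cport)
        return None

    def conn_count(self):
        return len(self.conns)
```

Feeding the director a thousand SYNs without ACKs leaves `conn_count()` at zero, which is the SYNPROXY property; a tampered cookie is rejected, while a genuine one that is a few ticks old still validates, and `to_rs`/`to_client` show both directions of the FULLNAT rewrite for the connection that was created.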
This FULLNAT and SYNPROXY code for IPVS in Linux kernel 2.6.32 was written by Jian Chen at 360.cn and Jiaming Wu at taobao.com, with advice from Wensong Zhang at taobao.com. The code was influenced by ideas from the source NAT and SYNPROXY version that was hard-coded into IPVS in Linux kernel 2.6.9 by Wen Li, Yan Tian, Jian Chen, Yang Yi, Yaoguang Sun, Fang Han, Ying Liu and Jiaming Wu at baidu.com in 2009.
FULLNAT and SYNPROXY support were added to keepalived/ipvsadm by Jiajun Chen, Ziang Chen and Shunmin Zhu at taobao.com.
Please note that FULLNAT and SYNPROXY have had only limited testing.
Document
Media:lvs-fullnat-synproxy-doc.zip
Download
Media:lvs-fullnat-synproxy.tar.gz
Media:linux-2.6.32-220.23.1.el6.x86_64.lvs.src.tar.gz
Media:linux-2.6.32-220.23.1.el6.x86_64.rs.src.tar.gz
Building
1. LVS Kernel
1.1 get kernel rpm from redhat
wget ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kernel-2.6.32-220.23.1.el6.src.rpm
1.2 get kernel source code from rpm
Edit ~/.rpmmacros (vim ~/.rpmmacros) and add:
%_topdir /home/pukong/rpms
%_tmppath /home/pukong/rpms/tmp
%_sourcedir /home/pukong/rpms/SOURCES
%_specdir /home/pukong/rpms/SPECS
%_srcrpmdir /home/pukong/rpms/SRPMS
%_rpmdir /home/pukong/rpms/RPMS
%_builddir /home/pukong/rpms/BUILD
Then create the build tree and unpack the source rpm:
cd /home/pukong
mkdir rpms rpms/tmp rpms/SOURCES rpms/SPECS rpms/SRPMS rpms/RPMS rpms/BUILD
rpm -ivh kernel-2.6.32-220.23.1.el6.src.rpm
cd /home/pukong/rpms/SPECS
rpmbuild -bp kernel.spec
You can then find the kernel source code in /home/pukong/rpms/BUILD.
1.3 add lvs patch
cd /home/pukong/rpms/BUILD/kernel-2.6.32-220.23.1.el6/linux-2.6.32-220.23.1.el6.x86_64/
cp lvs-2.6.32-220.23.1.el6.patch ./    # the patch is in lvs-fullnat-synproxy.tar.gz
patch -p1 < lvs-2.6.32-220.23.1.el6.patch
Alternatively, get the already patched source directly from linux-2.6.32-220.23.1.el6.x86_64.lvs.src.tar.gz.
1.4 compile and install
make -j16
make modules_install
make install
2. RealServer Kernel (TOA)
2.1 get the kernel source code, as in steps 1.1 and 1.2
2.2 add toa patch
cd /home/pukong/rpms/BUILD/kernel-2.6.32-220.23.1.el6/linux-2.6.32-220.23.1.el6.x86_64/
cp toa-2.6.32-220.23.1.el6.patch ./    # the patch is in lvs-fullnat-synproxy.tar.gz
patch -p1 < toa-2.6.32-220.23.1.el6.patch
Alternatively, get the already patched source directly from linux-2.6.32-220.23.1.el6.x86_64.rs.src.tar.gz.
2.3 compile and install
make -j16
make modules_install
make install
3. LVS Tools (keepalived/ipvsadm/quagga)
cd /home/pukong
cp lvs-tools.tar.gz ./    # lvs-tools.tar.gz is in lvs-fullnat-synproxy.tar.gz
tar xzf lvs-tools.tar.gz
3.1 keepalived install
cd /home/pukong/tools/keepalived
./configure --with-kernel-dir="/lib/modules/`uname -r`/build"
make
make install
3.2 ipvsadm install
cd /home/pukong/tools/ipvsadm
make
make install
3.3 quagga install
cd /home/pukong/tools/quagga
./configure --disable-ripd --disable-ripngd --disable-bgpd --disable-watchquagga --disable-doc --enable-user=root --enable-vty-group=root --enable-group=root --enable-zebra --localstatedir=/var/run/quagga
make
make install