Difference between revisions of "IPVS FULLNAT and SYNPROXY"

Latest revision as of 10:42, 9 August 2012

Introduction

FullNAT: A new packet forwarding method for IPVS, other than DR/NAT/TUNNEL

The main principle is as follows: the module introduces local ip address (IDC internal ip address, lip), IPVS translates cip-vip to/from lip-rip, in which lip and rip both are IDC internal ip address, so that LVS load balancer and real servers can be in different vlans, and real servers only need to access internal network. See Virtual Server via Full NAT for more information.

SYNPROXY: Defence module against synflooding attack

The main principle: based on tcp syncookies, please refer to http://en.wikipedia.org/wiki/SYN_cookies;

This FullNAT and SYNPROXY code for IPVS in Linux kernel 2.6.32 was written by Jiaming Wu at taobao.com, Jian Chen at 360.cn, and Shunmin Zhu at taobao.com, with some advising from Wensong Zhang at taobao.com. The code was affected by ideas of the source NAT and SYNPROXY version that was hard coded to IPVS in Linux kernel 2.6.9 by Wen Li, Yan Tian, Jian Chen, Yang Yi, Yaoguang Sun, Fang Han, Ying liu and Jiaming Wu at baidu.com in 2009.

The FullNAT and SYNPROXY support were added to keepalived/ipvsadm by Jiajun Chen and Ziang Chen at taobao.com.

Please note that FullNAT and SYNPROXY only had limited testing.

Document

Media:LVS操作手册.zip

Media:lvs-fullnat-synproxy-doc.zip

Download

Media:lvs-fullnat-synproxy.tar.gz

Media:linux-2.6.32-220.23.1.el6.x86_64.lvs.src.tar.gz

Media:linux-2.6.32-220.23.1.el6.x86_64.rs.src.tar.gz

Building

1. LVS Kernel

1.1 get kernel rpm from redhat

 wget ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kernel-2.6.32-220.23.1.el6.src.rpm

1.2 get kernel source code from rpm

 vim ~/.rpmmacros;
   add:
     %_topdir /home/pukong/rpms
     %_tmppath /home/pukong/rpms/tmp
     %_sourcedir /home/pukong/rpms/SOURCES
     %_specdir /home/pukong/rpms/SPECS
     %_srcrpmdir /home/pukong/rpms/SRPMS
     %_rpmdir /home/pukong/rpms/RPMS
     %_builddir /home/pukong/rpms/BUILD
 cd /home/pukong;
   mkdir rpms;
   mkdir rpms/tmp;
   mkdir rpms/SOURCES;
   mkdir rpms/SPECS;
   mkdir rpms/SRPMS;
   mkdir rpms/RPMS;
   mkdir rpms/BUILD;
 rpm -ivh kernel-2.6.32-220.23.1.el6.src.rpm;
 cd /home/pukong/rpms/SPECS;
 rpmbuild -bp kernel.spec;

 then you can find kernel source code in /home/pukong/rpms/BUILD.

1.3 add lvs patch

 cd /home/pukong/rpms/BUILD/;
 cd kernel-2.6.32-220.23.1.el6/linux-2.6.32-220.23.1.el6.x86_64/;
 cp lvs-2.6.32-220.23.1.el6.patch ./;
 patch -p1<lvs-2.6.32-220.23.1.el6.patch; // patch is in lvs-fullnat-synproxy.tar.gz

 Or you can directly get source code from linux-2.6.32-220.23.1.el6.x86_64.lvs.src.tar.gz;

1.4 compile and install

 make -j16;
 make modules_install;
 make install;

2. RealServer Kernel (TOA)

2.1 get kernel source code, the same as step 1.1 and 1.2;

2.2 add toa patch

 cd /home/pukong/rpms/BUILD/;
 cd kernel-2.6.32-220.23.1.el6/linux-2.6.32-220.23.1.el6.x86_64/;
 cp toa-2.6.32-220.23.1.el6.patch ./;
 patch -p1<toa-2.6.32-220.23.1.el6.patch; // patch is in lvs-fullnat-synproxy.tar.gz

 Or you can get source code directly from linux-2.6.32-220.23.1.el6.x86_64.rs.src.tar.gz;

2.3 compile and install

 make -j16;
 make modules_install;
 make install;

3. LVS Tools (keepalived/ipvsadm/quaage)

 cd /home/pukong;
 cp lvs-tools.tar.gz ./; // lvs-tools.tar.gz is in lvs-fullnat-synproxy.tar.gz 
 tar xzf lvs-tools.tar.gz;

3.1 keepalived install

 cd /home/pukong/tools/keepalived;
 ./configure --with-kernel-dir="/lib/modules/`uname -r`/build";
 make;
 make install;

3.2 ipvsadm install

 cd /home/pukong/tools/ipvsadm;
 make;
 make install;

3.3 quaage install

 cd /home/pukong/tools/quagga;
 ./configure --disable-ripd --disable-ripngd --disable-bgpd --disable-watchquagga --disable-doc  --enable-user=root --enable-vty-group=root --enable-group=root --enable-zebra --localstatedir=/var/run/quagga

make

 make;
 make install;

@@ Line 1: / Line 1: @@
 == Introduction==
-'''FULLNAT: A new packet forwarding model as DR/NAT/TUNNEL'''
+'''FullNAT: A new packet forwarding method for IPVS, other than DR/NAT/TUNNEL'''
-The main principle: introduce local ip address (IDC internal ip address, lip), IPVS translate cip-vip to lip-rip, lip and rip both are IDC internal ip address, so LVS-RS can be inter-vlan communication, and RS only need access to internal network.
+The main principle is as follows: the module introduces local ip address (IDC internal ip address, lip), IPVS translates cip-vip to/from lip-rip, in which lip and rip both are IDC internal ip address, so that LVS load balancer and real servers can be in different vlans, and real servers only need to access internal network. See [[LVS/FNAT | Virtual Server via Full NAT]] for more information.
-'''SYNPROXY: synflood attack defence module'''
+'''SYNPROXY: Defence module against synflooding attack'''
 The main principle: based on tcp syncookies, please refer to http://en.wikipedia.org/wiki/SYN_cookies;
-The first FULLNAT and SYNPROXY modules were added to IPVS in Linux kernel 2.6.9 by WenLi,YanTian,JianChen, YangYi,YaoguangSun,FangHan,Yingliu and JiamingWu. Now, the second FULLNAT and SYNPROXY modules were added in Linux kernel 2.6.32 by JianChen,JiamingWu and WensongZhang;
+This FullNAT and SYNPROXY code for IPVS in Linux kernel 2.6.32 was written by Jiaming Wu at taobao.com, Jian Chen at 360.cn, and Shunmin Zhu at taobao.com, with some advising from Wensong Zhang at taobao.com. The code was affected by ideas of the source NAT and SYNPROXY version that was hard coded to IPVS in Linux kernel 2.6.9 by Wen Li, Yan Tian, Jian Chen, Yang Yi, Yaoguang Sun, Fang Han, Ying liu and Jiaming Wu at baidu.com in 2009.
-The FULLNAT and SYNPROXY support was add to keepalived/ipvsadm by JiajunChen,ZiangChen and ShunminZhu.
-Please note that FULLNAT and SYNPROXY have only had limited testing.
+The FullNAT and SYNPROXY support were added to keepalived/ipvsadm by Jiajun Chen and Ziang Chen at taobao.com.
+Please note that FullNAT and SYNPROXY only had limited testing.
 == Document ==
+[[Media:LVS操作手册.zip]]
+[[Media:lvs-fullnat-synproxy-doc.zip]]
 == Download ==
+[[Media:lvs-fullnat-synproxy.tar.gz]]
+[[Media:linux-2.6.32-220.23.1.el6.x86_64.lvs.src.tar.gz]]
+[[Media:linux-2.6.32-220.23.1.el6.x86_64.rs.src.tar.gz]]
 == Building ==
@@ Line 57: / Line 67: @@
    cd kernel-2.6.32-220.23.1.el6/linux-2.6.32-220.23.1.el6.x86_64/;
    cp lvs-2.6.32-220.23.1.el6.patch ./;
-   patch -p1<lvs-2.6.32-220.23.1.el6.patch;
+   patch -p1<lvs-2.6.32-220.23.1.el6.patch; // patch is in lvs-fullnat-synproxy.tar.gz
    Or you can directly get source code from linux-2.6.32-220.23.1.el6.x86_64.lvs.src.tar.gz;
@@ Line 74: / Line 85: @@
    cd kernel-2.6.32-220.23.1.el6/linux-2.6.32-220.23.1.el6.x86_64/;
    cp toa-2.6.32-220.23.1.el6.patch ./;
-   patch -p1<toa-2.6.32-220.23.1.el6.patch;
+   patch -p1<toa-2.6.32-220.23.1.el6.patch; // patch is in lvs-fullnat-synproxy.tar.gz
    Or you can get source code directly from linux-2.6.32-220.23.1.el6.x86_64.rs.src.tar.gz;
@@ Line 85: / Line 96: @@
 . LVS Tools (keepalived/ipvsadm/quaage)
    cd /home/pukong;
-   cp lvs-tools.tar.bz2 ./;
+   cp lvs-tools.tar.gz ./; // lvs-tools.tar.gz is in lvs-fullnat-synproxy.tar.gz
-   tar xzf lvs-tools.tar.bz2;
+   tar xzf lvs-tools.tar.gz;
-  cd tools;
 .1 keepalived install
-   cd keepalived;
+   cd /home/pukong/tools/keepalived;
    ./configure --with-kernel-dir="/lib/modules/`uname -r`/build";
    make;
@@ Line 96: / Line 106: @@
 .2 ipvsadm install
-   cd ipvsadm;
+   cd /home/pukong/tools/ipvsadm;
    make;
    make install;
 .3 quaage install
-   cd quagga;
+   cd /home/pukong/tools/quagga;
    ./configure --disable-ripd --disable-ripngd --disable-bgpd --disable-watchquagga --disable-doc  --enable-user=root --enable-vty-group=root --enable-group=root --enable-zebra --localstatedir=/var/run/quagga
 make

Difference between revisions of "IPVS FULLNAT and SYNPROXY"

Latest revision as of 10:42, 9 August 2012

Contents

Introduction

Document

Download

Building

Navigation menu

Views

Personal tools

Navigation

Search

Tools