Difference between revisions of "IPVS FULLNAT and SYNPROXY"

Revision as of 09:34, 31 July 2012

Introduction

FULLNAT: A new packet forwarding model for IPVS besides DR/NAT/TUNNEL

The main principle: the module introduces a local IP address (lip, an IDC-internal address). IPVS translates the client-to-VIP flow (cip-vip) into lip-rip; since both lip and rip are IDC-internal addresses, LVS and the real servers can communicate across VLANs, and the real servers only need access to the internal network.
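To make the cip-vip to lip-rip translation concrete, here is an added Python simulation (not code from the LVS/IPVS project) of a FULLNAT connection table: it rewrites a client packet bound for the VIP into a lip-to-rip packet and maps the real server's reply back to vip-to-cip. The addresses, ports, the round-robin real-server choice and the per-connection lport allocation are constructed assumptions for illustration.

```python
"""FULLNAT address translation, modelled as a small Python simulation.

Added example, not code from the LVS/IPVS project.  A connection table
rewrites a client -> VIP packet (cip:cport -> vip:vport) into an
lip:lport -> rip:rport packet and reverses the mapping for the reply, so
the real server only ever talks to an IDC-internal address (the lip).
Addresses, ports and the scheduling policy are constructed for illustration.
"""
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the fields FULLNAT rewrites: both address/port pairs plus payload."""
    saddr: str
    sport: int
    daddr: str
    dport: int
    payload: bytes = b""


class FullNatTable:
    def __init__(self, vip, vport, lips, rips, lport_base=10000):
        self.vip, self.vport = vip, vport
        self.lips = list(lips)            # local (IDC-internal) addresses owned by LVS
        self.rips = list(rips)            # (rip, rport) real servers, also internal
        self._rr = itertools.cycle(range(len(self.rips)))   # round-robin RS choice
        self._lport = itertools.count(lport_base)            # fresh lport per connection
        self.fwd = {}   # (cip, cport) -> (lip, lport, rip, rport)
        self.rev = {}   # (lip, lport) -> (cip, cport, rip, rport)

    def outbound(self, pkt):
        """Client -> VIP: create or look up the entry and rewrite to lip -> rip."""
        if (pkt.daddr, pkt.dport) != (self.vip, self.vport):
            return None                   # not addressed to this virtual service
        key = (pkt.saddr, pkt.sport)
        if key not in self.fwd:
            rip, rport = self.rips[next(self._rr)]
            lip = self.lips[len(self.fwd) % len(self.lips)]
            lport = next(self._lport)
            self.fwd[key] = (lip, lport, rip, rport)
            self.rev[(lip, lport)] = (pkt.saddr, pkt.sport, rip, rport)
        lip, lport, rip, rport = self.fwd[key]
        return Packet(lip, lport, rip, rport, pkt.payload)

    def inbound(self, pkt):
        """RS reply (rip -> lip): rewrite back to vip -> cip, or drop if unknown."""
        entry = self.rev.get((pkt.daddr, pkt.dport))
        if entry is None:
            return None                   # no connection entry: reply is dropped
        cip, cport, rip, rport = entry
        if (pkt.saddr, pkt.sport) != (rip, rport):
            return None                   # reply must come from the RS chosen for it
        return Packet(self.vip, self.vport, cip, cport, pkt.payload)


if __name__ == "__main__":
    # Constructed addresses: a public VIP, two internal lips, two internal RSs.
    table = FullNatTable("203.0.113.10", 80, ["10.0.0.1", "10.0.0.2"],
                         [("10.1.2.3", 8080), ("10.1.2.4", 8080)])
    out = table.outbound(Packet("198.51.100.7", 40000, "203.0.113.10", 80, b"GET /"))
    print("to RS:    ", out)
    print("to client:", table.inbound(Packet(out.daddr, out.dport, out.saddr, out.sport, b"200 OK")))
```

Note that the real server only sees the lip as its peer and never the client's cip; that is why the real-server side of the build steps on this page carries a separate TOA patch (TOA passes the original client address to the RS in a TCP option).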

SYNPROXY: Defence module against SYN flood attacks

The main principle: it is based on TCP SYN cookies; see http://en.wikipedia.org/wiki/SYN_cookies.
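As an added example (not the kernel's SYNPROXY implementation), the following Python models the SYN-cookie handshake a SYN proxy performs: the SYN-ACK's initial sequence number is a cookie computed from the connection 4-tuple, a coarse time slot, the client's MSS and a secret, so a flood of SYNs allocates nothing, and only an ACK that returns a valid cookie creates a connection entry. The bit layout, the MSS table, the secret and the clock granularity are simplified assumptions.

```python
"""SYN cookie handshake as performed by a SYN proxy, in pure Python.

Added example, not the kernel's SYNPROXY code.  The ISN of the SYN-ACK is a
cookie derived from the 4-tuple, a coarse time slot, the client's MSS and a
secret, so the proxy allocates no state for a SYN; only an ACK carrying a
valid cookie creates a connection entry.  The bit layout (5-bit slot, 3-bit
MSS index, 24-bit keyed hash), the MSS table and the secret are simplified
assumptions for illustration.
"""
import hashlib
import hmac

SECRET = b"constructed-demo-secret"        # constructed; a real proxy rotates this
MSS_TABLE = [536, 1220, 1440, 1460]        # MSS values the 3-bit index can encode


def _hash24(saddr, daddr, sport, dport, slot):
    """Keyed 24-bit hash over the 4-tuple and the time slot."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, mss, t):
    """ISN for the SYN-ACK.  Encodes the largest table MSS <= the client's MSS."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    slot = t & 0x1F
    return (slot << 27) | (idx << 24) | _hash24(saddr, daddr, sport, dport, slot)


def check_cookie(saddr, sport, daddr, dport, ack_seq, now, max_age=2):
    """Validate the client's ACK (ack = cookie + 1).  Returns the MSS or None."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF
    slot = cookie >> 27
    idx = (cookie >> 24) & 0x7
    if ((now - slot) & 0x1F) > max_age:       # too old: the slot counter moved on
        return None
    if idx >= len(MSS_TABLE):
        return None
    if (cookie & 0xFFFFFF) != _hash24(saddr, daddr, sport, dport, slot):
        return None                           # forged, or a cookie for another tuple
    return MSS_TABLE[idx]


class SynProxy:
    """Keeps no state until the three-way handshake completes."""

    def __init__(self, clock):
        self.clock = clock           # returns a slowly increasing slot counter
        self.established = {}        # 4-tuple -> MSS, filled only by valid ACKs

    def on_syn(self, saddr, sport, daddr, dport, mss):
        """Reply with a cookie SYN-ACK; nothing is stored for the SYN."""
        isn = make_cookie(saddr, sport, daddr, dport, mss, self.clock())
        return ("SYN-ACK", isn)

    def on_ack(self, saddr, sport, daddr, dport, ack_seq):
        """Accept the handshake only if the ACK proves knowledge of the cookie."""
        mss = check_cookie(saddr, sport, daddr, dport, ack_seq, self.clock())
        if mss is None:
            return False              # forged or stale: dropped, nothing allocated
        self.established[(saddr, sport, daddr, dport)] = mss
        return True


if __name__ == "__main__":
    clock = [100]                     # constructed clock: slot counter we advance by hand
    proxy = SynProxy(lambda: clock[0])
    for i in range(2000):             # a burst of SYNs from constructed addresses
        proxy.on_syn(f"198.51.100.{i % 250}", 1024 + i, "203.0.113.10", 80, 1460)
    print("entries after 2000 SYNs:", len(proxy.established))
    _, isn = proxy.on_syn("198.51.100.7", 40000, "203.0.113.10", 80, 1460)
    print("valid ACK accepted:", proxy.on_ack("198.51.100.7", 40000, "203.0.113.10", 80, isn + 1))
```

Once the ACK validates, a real proxy replays the handshake towards the real server using the recovered MSS; the point the model makes is that the table of established connections stays empty no matter how many SYNs arrive.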


The first version of FULLNAT and SYNPROXY was added to IPVS in Linux kernel 2.6.9 by Wen Li, Yan Tian, Jian Chen, Yang Yi, Yaoguang Sun, Fang Han, Ying Liu and Jiaming Wu. The second version has now been added to Linux kernel 2.6.32 by Jian Chen, Jiaming Wu and Wensong Zhang at TAOBAO.

FULLNAT and SYNPROXY support was added to keepalived/ipvsadm by Jiajun Chen, Ziang Chen and Shunmin Zhu.

Please note that FULLNAT and SYNPROXY have had only limited testing.

Document

Media:LVS操作手册.zip

Media:lvs-fullnat-synproxy-doc.zip

Download

Media:lvs-fullnat-synproxy.tar.gz

Media:linux-2.6.32-220.23.1.el6.x86_64.lvs.src.tar.gz

Media:linux-2.6.32-220.23.1.el6.x86_64.rs.src.tar.gz

Building

1. LVS Kernel

1.1 get the kernel source rpm from Red Hat

 wget ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kernel-2.6.32-220.23.1.el6.src.rpm

1.2 get the kernel source code from the rpm

 cat > ~/.rpmmacros <<'EOF'
 %_topdir /home/pukong/rpms
 %_tmppath /home/pukong/rpms/tmp
 %_sourcedir /home/pukong/rpms/SOURCES
 %_specdir /home/pukong/rpms/SPECS
 %_srcrpmdir /home/pukong/rpms/SRPMS
 %_rpmdir /home/pukong/rpms/RPMS
 %_builddir /home/pukong/rpms/BUILD
 EOF
 mkdir -p /home/pukong/rpms/tmp /home/pukong/rpms/SOURCES /home/pukong/rpms/SPECS \
          /home/pukong/rpms/SRPMS /home/pukong/rpms/RPMS /home/pukong/rpms/BUILD
 cd /home/pukong
 rpm -ivh kernel-2.6.32-220.23.1.el6.src.rpm
 cd /home/pukong/rpms/SPECS
 rpmbuild -bp kernel.spec   # applies the Red Hat patches and unpacks the tree

The kernel source tree is then unpacked under /home/pukong/rpms/BUILD.

1.3 add the lvs patch

 cd /home/pukong/rpms/BUILD/kernel-2.6.32-220.23.1.el6/linux-2.6.32-220.23.1.el6.x86_64/
 cp lvs-2.6.32-220.23.1.el6.patch ./   # the patch is shipped in lvs-fullnat-synproxy.tar.gz
 patch -p1 < lvs-2.6.32-220.23.1.el6.patch

Alternatively, get the already patched source directly from linux-2.6.32-220.23.1.el6.x86_64.lvs.src.tar.gz.

1.4 compile and install

 make -j16;
 make modules_install;
 make install;

2. RealServer Kernel (TOA)

2.1 get the kernel source code, the same as steps 1.1 and 1.2

2.2 add the toa patch

 cd /home/pukong/rpms/BUILD/kernel-2.6.32-220.23.1.el6/linux-2.6.32-220.23.1.el6.x86_64/
 cp toa-2.6.32-220.23.1.el6.patch ./   # the patch is shipped in lvs-fullnat-synproxy.tar.gz
 patch -p1 < toa-2.6.32-220.23.1.el6.patch

Alternatively, get the already patched source directly from linux-2.6.32-220.23.1.el6.x86_64.rs.src.tar.gz.

2.3 compile and install

 make -j16;
 make modules_install;
 make install;

3. LVS Tools (keepalived/ipvsadm/quagga)

 cd /home/pukong
 cp lvs-tools.tar.gz ./   # lvs-tools.tar.gz is shipped in lvs-fullnat-synproxy.tar.gz
 tar xzf lvs-tools.tar.gz
 cd tools

3.1 keepalived install

 cd keepalived;
 ./configure --with-kernel-dir="/lib/modules/`uname -r`/build";
 make;
 make install;

3.2 ipvsadm install

 cd ipvsadm;
 make;
 make install;

3.3 quagga install

 cd quagga
 ./configure --disable-ripd --disable-ripngd --disable-bgpd --disable-watchquagga --disable-doc --enable-user=root --enable-vty-group=root --enable-group=root --enable-zebra --localstatedir=/var/run/quagga
 make
 make install