Difference between revisions of "IPVS FULLNAT and SYNPROXY"

From LVSKB
Revision as of 05:43, 31 July 2012

Introduction

FULLNAT: a new packet forwarding mode, alongside DR, NAT and TUNNEL.

The main principle: introduce a local IP address (lip, an IDC-internal address). IPVS translates the cip-vip pair to lip-rip; because lip and rip are both IDC-internal addresses, LVS and the real servers can communicate across VLANs, and the RS only needs access to the internal network.
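To make the translation concrete, here is an added model of a FULLNAT director (illustration only, not the IPVS kernel code). It keeps a per-connection table so that a request arriving as cip:cport -> vip:vport leaves as lip:lport -> rip:rport, and the real server's reply is mapped back to vip -> cip. The addresses, ports, round-robin scheduler and port allocator are constructed assumptions; the point it shows is that both source and destination are rewritten, so the RS only ever sees internal addresses.

```python
"""FULLNAT director model (added illustration, not the IPVS code).

cip:cport -> vip:vport arriving from the client is rewritten to
lip:lport -> rip:rport towards the real server; the reply is rewritten
back. All addresses and ports below are constructed sample values.
"""
import itertools
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class FullNat:
    """Rewrites BOTH source and destination of each packet.

    Plain NAT rewrites only the destination, so the real server sees the
    public client address and must route replies through the director.
    With FULLNAT the real server sees lip, an internal address, so LVS
    and RS only need internal-network reachability (possibly across VLANs).
    """

    def __init__(self, vip, vport, lips, real_servers):
        self.vip, self.vport = vip, vport
        self.lips = lips                           # director's local (internal) IPs
        self._rr = itertools.cycle(real_servers)   # round-robin over (rip, rport)
        self._lports = itertools.count(10000)      # constructed local-port allocator
        self.out_table = {}   # (cip, cport, vip, vport) -> (lip, lport, rip, rport)
        self.in_table = {}    # (rip, rport, lip, lport) -> (cip, cport)

    def to_real_server(self, pkt):
        """Client -> RS direction: allocate an entry on the first packet."""
        if (pkt.dst, pkt.dport) != (self.vip, self.vport):
            raise ValueError("packet is not addressed to the virtual service")
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_table:
            rip, rport = next(self._rr)
            lip = self.lips[len(self.out_table) % len(self.lips)]  # spread over lips
            lport = next(self._lports)
            self.out_table[key] = (lip, lport, rip, rport)
            self.in_table[(rip, rport, lip, lport)] = (pkt.src, pkt.sport)
        lip, lport, rip, rport = self.out_table[key]
        return replace(pkt, src=lip, sport=lport, dst=rip, dport=rport)

    def to_client(self, pkt):
        """RS -> client direction: reverse lookup, restore vip and cip."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.in_table:
            raise KeyError("no FULLNAT entry for this reply; drop it")
        cip, cport = self.in_table[key]
        return replace(pkt, src=self.vip, sport=self.vport, dst=cip, dport=cport)


def run_demo():
    """Two clients, two real servers; returns the rewritten packets."""
    nat = FullNat("203.0.113.10", 80, ["10.0.0.1", "10.0.0.2"],
                  [("10.0.1.11", 8080), ("10.0.1.12", 8080)])
    req1 = Packet("198.51.100.7", 40001, "203.0.113.10", 80, "GET /")
    req2 = Packet("198.51.100.9", 40002, "203.0.113.10", 80, "GET /")
    fwd1 = nat.to_real_server(req1)
    fwd2 = nat.to_real_server(req2)
    reply1 = Packet(fwd1.dst, fwd1.dport, fwd1.src, fwd1.sport, "200 OK")
    back1 = nat.to_client(reply1)
    again = nat.to_real_server(req1)   # same connection reuses the same entry
    return fwd1, fwd2, back1, again


if __name__ == "__main__":
    for p in run_demo():
        print(p)
```

The reverse table is keyed on the (rip, rport, lip, lport) tuple the real server replies to, which is why the real server does not need a route to the public client or a default gateway pointing at the director: from its point of view the whole exchange happened with lip.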

SYNPROXY: SYN flood attack defence module.

The main principle: based on TCP SYN cookies; please refer to http://en.wikipedia.org/wiki/SYN_cookies
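The following added example models the SYN-cookie handshake that SYNPROXY builds on (illustration only, not the IPVS module). The director answers each SYN with a SYN-ACK whose sequence number is a keyed cookie and stores nothing; a client is admitted only when its final ACK carries a cookie that verifies and is fresh. The 5/3/24-bit cookie layout, the MSS table, the key and the one-minute freshness window are constructed assumptions that simplify the classic scheme.

```python
"""SYN-proxy handshake with SYN cookies (added illustration, not the IPVS code).

The director answers every SYN with a SYN-ACK whose sequence number is a
keyed cookie and stores nothing; only a client that returns the matching
ACK gets a connection. Layout used here (constructed, simplified from the
classic scheme): 5 bits time counter | 3 bits MSS index | 24 bits MAC.
"""
import hashlib
import hmac

MSS_TABLE = [536, 1220, 1440, 1460]   # MSS values the 3-bit index can encode
SECRET = b"constructed-demo-secret"   # a real implementation uses a random boot-time key
MASK32 = 0xFFFFFFFF


def _mac24(cip, cport, vip, vport, client_isn, t):
    msg = f"{cip}:{cport}>{vip}:{vport}|{client_isn}|{t}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(cip, cport, vip, vport, client_isn, mss, now_min):
    """Server ISN for the SYN-ACK; no per-connection state is kept."""
    t = now_min & 31
    fitting = [i for i, v in enumerate(MSS_TABLE) if v <= mss]
    m = fitting[-1] if fitting else 0
    return (t << 27) | (m << 24) | _mac24(cip, cport, vip, vport, client_isn, t)


def check_cookie(cip, cport, vip, vport, seq, ack, now_min):
    """Validate the client's final ACK; returns the negotiated MSS or None."""
    isn = (ack - 1) & MASK32          # what we sent as our ISN
    client_isn = (seq - 1) & MASK32   # client's ISN, recovered from its seq
    t, m = isn >> 27, (isn >> 24) & 7
    if (now_min - t) & 31 > 1:        # older than about a minute: stale
        return None
    if m >= len(MSS_TABLE):
        return None
    expected = _mac24(cip, cport, vip, vport, client_isn, t).to_bytes(3, "big")
    if not hmac.compare_digest(expected, (isn & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[m]


class SynProxy:
    """Director-side handshake: admit a client only after a valid ACK.

    In IPVS SYNPROXY the director then opens its own connection to the
    real server (the FULLNAT part, not modelled here).
    """

    def __init__(self, vip, vport):
        self.vip, self.vport = vip, vport
        self.established = {}   # (cip, cport) -> mss

    def on_syn(self, cip, cport, client_isn, mss, now_min):
        isn = make_cookie(cip, cport, self.vip, self.vport, client_isn, mss, now_min)
        return {"flags": "SA", "seq": isn, "ack": (client_isn + 1) & MASK32}

    def on_ack(self, cip, cport, seq, ack, now_min):
        mss = check_cookie(cip, cport, self.vip, self.vport, seq, ack, now_min)
        if mss is None:
            return False            # forged or stale: drop, still no state
        self.established[(cip, cport)] = mss
        return True


def run_demo():
    proxy = SynProxy("203.0.113.10", 80)
    now = 1000
    # A burst of SYNs from spoofed sources that never complete the handshake:
    # each gets a SYN-ACK, but the connection table stays empty.
    for i in range(10000):
        proxy.on_syn(f"198.51.100.{i % 250}", 1024 + i, 12345, 1460, now)
    state_after_burst = len(proxy.established)
    # A real client completes the handshake.
    sa = proxy.on_syn("192.0.2.5", 40000, 777, 1460, now)
    good_ack = (sa["seq"] + 1) & MASK32
    accepted = proxy.on_ack("192.0.2.5", 40000, 778, good_ack, now)
    # A guessed ACK number fails the MAC (and here also the time check).
    forged = proxy.on_ack("192.0.2.6", 40001, 778, 0x12345678, now)
    # The correct ACK replayed three minutes later is stale.
    stale = proxy.on_ack("192.0.2.5", 40000, 778, good_ack, now + 3)
    return state_after_burst, accepted, forged, stale, proxy.established.get(("192.0.2.5", 40000))


if __name__ == "__main__":
    print(run_demo())
```

Because the cookie carries everything the director needs to reconstruct the connection (time slot, MSS class, and a MAC over the 4-tuple and the client's ISN), half-open connections cost no memory on the director, which is what makes the approach a SYN flood defence rather than just a delay.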


The first FULLNAT and SYNPROXY modules were added to IPVS in Linux kernel 2.6.9 by WenLi, YanTian, JianChen, YangYi, YaoguangSun, FangHan, Yingliu and JiamingWu. The second FULLNAT and SYNPROXY modules, for Linux kernel 2.6.32, were added by JianChen, JiamingWu and WensongZhang.

FULLNAT and SYNPROXY support was added to keepalived/ipvsadm by JiajunChen, ZiangChen and ShunminZhu.

Please note that FULLNAT and SYNPROXY have only had limited testing.

Document

File:LVS操作手册 (LVS operation manual)

Download

Media:lvs-fullnat-synproxy.tar.gz

Building

1. LVS Kernel

1.1 get kernel rpm from redhat

 wget ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kernel-2.6.32-220.23.1.el6.src.rpm

1.2 get kernel source code from rpm

 vim ~/.rpmmacros;
   add:
     %_topdir /home/pukong/rpms
     %_tmppath /home/pukong/rpms/tmp
     %_sourcedir /home/pukong/rpms/SOURCES
     %_specdir /home/pukong/rpms/SPECS
     %_srcrpmdir /home/pukong/rpms/SRPMS
     %_rpmdir /home/pukong/rpms/RPMS
     %_builddir /home/pukong/rpms/BUILD
 cd /home/pukong;
   mkdir rpms;
   mkdir rpms/tmp;
   mkdir rpms/SOURCES;
   mkdir rpms/SPECS;
   mkdir rpms/SRPMS;
   mkdir rpms/RPMS;
   mkdir rpms/BUILD;
 rpm -ivh kernel-2.6.32-220.23.1.el6.src.rpm;
 cd /home/pukong/rpms/SPECS;
 rpmbuild -bp kernel.spec;
 Then you can find the kernel source code in /home/pukong/rpms/BUILD.

1.3 add lvs patch

 cd /home/pukong/rpms/BUILD/;
 cd kernel-2.6.32-220.23.1.el6/linux-2.6.32-220.23.1.el6.x86_64/;
 cp lvs-2.6.32-220.23.1.el6.patch ./;
 patch -p1 < lvs-2.6.32-220.23.1.el6.patch;  # the patch is in lvs-fullnat-synproxy.tar.gz


 Or you can get the source code directly from linux-2.6.32-220.23.1.el6.x86_64.lvs.src.tar.gz;

1.4 compile and install

 make -j16;
 make modules_install;
 make install;

2. RealServer Kernel (TOA)

2.1 get the kernel source code, the same as steps 1.1 and 1.2;

2.2 add toa patch

 cd /home/pukong/rpms/BUILD/;
 cd kernel-2.6.32-220.23.1.el6/linux-2.6.32-220.23.1.el6.x86_64/;
 cp toa-2.6.32-220.23.1.el6.patch ./;
 patch -p1 < toa-2.6.32-220.23.1.el6.patch;  # the patch is in lvs-fullnat-synproxy.tar.gz

 Or you can get the source code directly from linux-2.6.32-220.23.1.el6.x86_64.rs.src.tar.gz;

2.3 compile and install

 make -j16;
 make modules_install;
 make install;

3. LVS Tools (keepalived/ipvsadm/quagga)

 cd /home/pukong;
 cp lvs-tools.tar.bz2 ./;
 tar xjf lvs-tools.tar.bz2;   # bzip2 archive, so use j rather than z
 cd tools;

3.1 keepalived install

 cd keepalived;
 ./configure --with-kernel-dir="/lib/modules/`uname -r`/build";
 make;
 make install;

3.2 ipvsadm install

 cd ipvsadm;
 make;
 make install;

3.3 quagga install

 cd quagga;
 ./configure --disable-ripd --disable-ripngd --disable-bgpd --disable-watchquagga --disable-doc --enable-user=root --enable-vty-group=root --enable-group=root --enable-zebra --localstatedir=/var/run/quagga;
 make;
 make install;