Difference between revisions of "IPVS FULLNAT and SYNPROXY"
Revision as of 02:53, 31 July 2012
Introduction
FULLNAT: a new packet forwarding model alongside DR/NAT/TUNNEL.
The main principle: introduce a local IP address (an IDC-internal address, lip) and translate the cip->vip flow into lip->rip. Because lip and rip are both IDC-internal addresses, LVS and the real servers can communicate across VLANs, and the real servers only need access to the internal network.
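A toy model of that translation, added here as an example and not code from the LVS project: a client's cip:cport->vip:vport is rewritten to lip:lport->rip:rport on the way in and reversed on the way out, and the TOA option that the TOA-patched real-server kernel (section 2 of the build) uses to recover the real client address is encoded and decoded. The addresses, the round-robin real-server choice and the assumption that the RS listens on the VIP port are constructed; the TOA option layout (kind 254, length 8) is the one used by the LVS TOA patch and is not stated on this page.

```python
import itertools, socket, struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    """IPv4/TCP 4-tuple of one packet (constructed toy model, no payload)."""
    src: str
    sport: int
    dst: str
    dport: int

class FullNat:
    """Toy FULLNAT: rewrite cip:cport->vip:vport into lip:lport->rip:rport and back."""
    def __init__(self, vip, vport, lip, rips):
        self.vip, self.vport, self.lip = vip, vport, lip
        self.rips = itertools.cycle(rips)        # round-robin RS choice (toy scheduler)
        self.lports = itertools.count(1024)      # local ports allocated on lip
        self.in_tab = {}    # (cip, cport) -> (lport, rip, rport)
        self.out_tab = {}   # (rip, rport, lport) -> (cip, cport)

    def inbound(self, p):
        """Client -> VIP packet; returns it as sent from lip to the chosen real server."""
        if (p.dst, p.dport) != (self.vip, self.vport):
            return None                          # not addressed to this virtual service
        key = (p.src, p.sport)
        if key not in self.in_tab:               # first packet of the flow: allocate state
            lport, rip = next(self.lports), next(self.rips)
            self.in_tab[key] = (lport, rip, self.vport)   # assumption: RS listens on vport
            self.out_tab[(rip, self.vport, lport)] = key
        lport, rip, rport = self.in_tab[key]
        return Pkt(self.lip, lport, rip, rport)

    def outbound(self, p):
        """Real server -> lip reply; returns it as sent from the VIP back to the client."""
        key = (p.src, p.sport, p.dport)
        if p.dst != self.lip or key not in self.out_tab:
            return None                          # no matching flow: drop
        cip, cport = self.out_tab[key]
        return Pkt(self.vip, self.vport, cip, cport)

def toa_option(cip, cport):
    """Encode the original client address as the TOA TCP option (kind 254, length 8)."""
    return struct.pack("!BBH4s", 254, 8, cport, socket.inet_aton(cip))

def parse_toa(opt):
    """Inverse of toa_option: what a TOA-patched RS kernel reports as the peer address."""
    kind, length, port, ip = struct.unpack("!BBH4s", opt)
    assert kind == 254 and length == 8, "not a TOA option"
    return socket.inet_ntoa(ip), port
```

Without the TOA option the real server only ever sees lip as the peer, which is why section 2 patches the RS kernel.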
SYNPROXY: SYN-flood attack defence module.
The main principle: based on TCP SYN cookies; refer to http://en.wikipedia.org/wiki/SYN_cookies.
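A toy SYN-cookie front end in the spirit of SYNPROXY, added here as an example and not the module's code: every SYN is answered with a SYN+ACK whose initial sequence number is a stateless cookie, and only a client ACK that proves the cookie is allowed to trigger the real connection to the RS. The key, MSS table, cookie bit layout and minute counter are constructed, and the real module's sequence-number adjustment between the client and RS halves is left out.

```python
import hashlib, hmac

SECRET = b"constructed-demo-secret"       # constructed; the kernel uses random per-boot keys
MSS_TABLE = [536, 1300, 1440, 1460]       # MSS values encodable in the cookie's low 2 bits (toy)

def _mac(cip, cport, vip, vport, counter):
    """Keyed MAC over the 4-tuple and time counter, truncated to the cookie's 25 MAC bits."""
    msg = f"{cip}:{cport}>{vip}:{vport}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big") & 0x1FFFFFF

def make_cookie(cip, cport, vip, vport, mss, now_minutes):
    """ISN for the proxy's SYN+ACK: 5-bit minute counter | 25-bit MAC | 2-bit MSS index."""
    counter = now_minutes & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (counter << 27) | (_mac(cip, cport, vip, vport, counter) << 2) | mss_idx

def check_cookie(cip, cport, vip, vport, ack, now_minutes):
    """Validate the client's final ACK (ack == cookie + 1) with no stored state; MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    if (now_minutes - counter) & 0x1F > 1:                 # older than about two minutes
        return None
    if (cookie >> 2) & 0x1FFFFFF != _mac(cip, cport, vip, vport, counter):
        return None
    return MSS_TABLE[cookie & 0x3]

class SynProxy:
    """Toy SYNPROXY for one virtual service; only proven handshakes consume state."""
    def __init__(self, vip, vport):
        self.vip, self.vport = vip, vport
        self.established = {}          # (cip, cport) -> mss, filled only after a valid ACK

    def on_syn(self, cip, cport, mss, now_minutes):
        """A flood of SYNs costs one SYN+ACK each; nothing is remembered per SYN."""
        seq = make_cookie(cip, cport, self.vip, self.vport, mss, now_minutes)
        return {"flags": "SA", "seq": seq}

    def on_ack(self, cip, cport, ack, now_minutes):
        """Forged or stale ACKs are dropped; a valid one opens the real connection to the RS."""
        mss = check_cookie(cip, cport, self.vip, self.vport, ack, now_minutes)
        if mss is None:
            return None
        self.established[(cip, cport)] = mss
        return ("forward_syn_to_rs", mss)   # LVS now completes a real handshake with the RS
```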
The first FULLNAT and SYNPROXY modules were added to IPVS in Linux kernel 2.6.9 by WenLi, YanTian, JianChen, YangYi, YaoguangSun, FangHan, Yingliu and JiamingWu. The second FULLNAT and SYNPROXY modules were added in Linux kernel 2.6.32 by JianChen, JiamingWu and WensongZhang.
The new FULLNAT+SYNPROXY support was added to keepalived/ipvsadm by JiajunZhang, ZiangChen and ShunminZhu.
Please note that FULLNAT and SYNPROXY are experimental and have only had limited testing.
Document
Download
Building
1. LVS Kernel
1.1 get kernel rpm from redhat
wget ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kernel-2.6.32-220.23.1.el6.src.rpm
1.2 get kernel source code from rpm
vim ~/.rpmmacros; add:
%_topdir /home/pukong/rpms
%_tmppath /home/pukong/rpms/tmp
%_sourcedir /home/pukong/rpms/SOURCES
%_specdir /home/pukong/rpms/SPECS
%_srcrpmdir /home/pukong/rpms/SRPMS
%_rpmdir /home/pukong/rpms/RPMS
%_builddir /home/pukong/rpms/BUILD
cd /home/pukong; mkdir rpms; mkdir rpms/tmp; mkdir rpms/SOURCES; mkdir rpms/SPECS; mkdir rpms/SRPMS; mkdir rpms/RPMS; mkdir rpms/BUILD;
rpm -ivh kernel-2.6.32-220.23.1.el6.src.rpm; cd /home/pukong/rpms/SPECS; rpmbuild -bp kernel.spec;
then you can find the kernel source code in /home/pukong/rpms/BUILD.
1.3 add lvs patch
cd /home/pukong/rpms/BUILD/; cd kernel-2.6.32-220.23.1.el6/linux-2.6.32-220.23.1.el6.x86_64/; cp lvs-2.6.32-220.23.1.el6.patch ./; patch -p1 < lvs-2.6.32-220.23.1.el6.patch;
Or you can get the source code directly from linux-2.6.32-220.23.1.el6.x86_64.lvs.src.tar.gz;
1.4 compile and install
make -j16; make modules_install; make install;
2. RealServer Kernel (TOA)
2.1 get kernel source code, the same as step 1.1 and 1.2;
2.2 add toa patch
cd /home/pukong/rpms/BUILD/; cd kernel-2.6.32-220.23.1.el6/linux-2.6.32-220.23.1.el6.x86_64/; cp toa-2.6.32-220.23.1.el6.patch ./; patch -p1 < toa-2.6.32-220.23.1.el6.patch;
Or you can get the source code directly from linux-2.6.32-220.23.1.el6.x86_64.rs.src.tar.gz;
2.3 compile and install
make -j16; make modules_install; make install;
3. LVS Tools (keepalived/ipvsadm/quagga)
cd /home/pukong; cp lvs-tools.tar.bz2 ./; tar xjf lvs-tools.tar.bz2; cd tools;
3.1 keepalived install
cd keepalived; ./configure --with-kernel-dir="/lib/modules/`uname -r`/build"; make; make install;
3.2 ipvsadm install
cd ipvsadm; make; make install;
3.3 quagga install
cd quagga; ./configure --disable-ripd --disable-ripngd --disable-bgpd --disable-watchquagga --disable-doc --enable-user=root --enable-vty-group=root --enable-group=root --enable-zebra --localstatedir=/var/run/quagga
make; make install;