IPVS FULLNAT and SYNPROXY

IPVS FULLNAT and SYNPROXY

Introduction

FullNAT: A new packet forwarding method for IPVS, other than DR/NAT/TUNNEL

The main principle is as follows: the module introduces local ip address (IDC internal ip address, lip), IPVS translates cip-vip to/from lip-rip, in which lip and rip both are IDC internal ip address, so that LVS load balancer and real servers can be in different vlans, and real servers only need to access internal network. See Virtual Server via Full NAT for more information.

SYNPROXY: Defence module against synflooding attack

The main principle: based on tcp syncookies, please refer to http://en.wikipedia.org/wiki/SYN_cookies;

This FullNAT and SYNPROXY code for IPVS in Linux kernel 2.6.32 was written by Jiaming Wu at taobao.com, Jian Chen at 360.cn, and Shunmin Zhu at taobao.com, with some advising from Wensong Zhang at taobao.com. The code was affected by ideas of the source NAT and SYNPROXY version that was hard coded to IPVS in Linux kernel 2.6.9 by Wen Li, Yan Tian, Jian Chen, Yang Yi, Yaoguang Sun, Fang Han, Ying liu and Jiaming Wu at baidu.com in 2009.

The FullNAT and SYNPROXY support were added to keepalived/ipvsadm by Jiajun Chen and Ziang Chen at taobao.com.

Please note that FullNAT and SYNPROXY only had limited testing.

Document

Media:LVS操作手册.zip

Media:lvs-fullnat-synproxy-doc.zip

Download

Media:lvs-fullnat-synproxy.tar.gz

Media:linux-2.6.32-220.23.1.el6.x86_64.lvs.src.tar.gz

Media:linux-2.6.32-220.23.1.el6.x86_64.rs.src.tar.gz

Building

1. LVS Kernel

1.1 get kernel rpm from redhat

 wget ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/kernel-2.6.32-220.23.1.el6.src.rpm

1.2 get kernel source code from rpm

 vim ~/.rpmmacros;
   add:
     %_topdir /home/pukong/rpms
     %_tmppath /home/pukong/rpms/tmp
     %_sourcedir /home/pukong/rpms/SOURCES
     %_specdir /home/pukong/rpms/SPECS
     %_srcrpmdir /home/pukong/rpms/SRPMS
     %_rpmdir /home/pukong/rpms/RPMS
     %_builddir /home/pukong/rpms/BUILD
 cd /home/pukong;
   mkdir rpms;
   mkdir rpms/tmp;
   mkdir rpms/SOURCES;
   mkdir rpms/SPECS;
   mkdir rpms/SRPMS;
   mkdir rpms/RPMS;
   mkdir rpms/BUILD;
 rpm -ivh kernel-2.6.32-220.23.1.el6.src.rpm;
 cd /home/pukong/rpms/SPECS;
 rpmbuild -bp kernel.spec;

 then you can find kernel source code in /home/pukong/rpms/BUILD.

1.3 add lvs patch

 cd /home/pukong/rpms/BUILD/;
 cd kernel-2.6.32-220.23.1.el6/linux-2.6.32-220.23.1.el6.x86_64/;
 cp lvs-2.6.32-220.23.1.el6.patch ./;
 patch -p1<lvs-2.6.32-220.23.1.el6.patch; // patch is in lvs-fullnat-synproxy.tar.gz 

 Or you can directly get source code from linux-2.6.32-220.23.1.el6.x86_64.lvs.src.tar.gz;

1.4 compile and install

 make -j16;
 make modules_install;
 make install;

2. RealServer Kernel (TOA)

2.1 get kernel source code, the same as step 1.1 and 1.2;

2.2 add toa patch

 cd /home/pukong/rpms/BUILD/;
 cd kernel-2.6.32-220.23.1.el6/linux-2.6.32-220.23.1.el6.x86_64/;
 cp toa-2.6.32-220.23.1.el6.patch ./;
 patch -p1<toa-2.6.32-220.23.1.el6.patch; // patch is in lvs-fullnat-synproxy.tar.gz 

 Or you can get source code directly from linux-2.6.32-220.23.1.el6.x86_64.rs.src.tar.gz;

2.3 compile and install

 make -j16;
 make modules_install;
 make install;

3. LVS Tools (keepalived/ipvsadm/quaage)

 cd /home/pukong;
 cp lvs-tools.tar.gz ./; // lvs-tools.tar.gz is in lvs-fullnat-synproxy.tar.gz 
 tar xzf lvs-tools.tar.gz;

3.1 keepalived install

 cd /home/pukong/tools/keepalived;
 ./configure --with-kernel-dir="/lib/modules/`uname -r`/build";
 make;
 make install;

3.2 ipvsadm install

 cd /home/pukong/tools/ipvsadm;
 make;
 make install;

3.3 quaage install

 cd /home/pukong/tools/quagga;
 ./configure --disable-ripd --disable-ripngd --disable-bgpd --disable-watchquagga --disable-doc  --enable-user=root --enable-vty-group=root --enable-group=root --enable-zebra --localstatedir=/var/run/quagga

make

 make;
 make install;