Yayin da adiresoshin IPv4 ke raguwa, yawancin ma'aikatan sadarwa suna fuskantar buƙatar samarwa abokan cinikinsu damar hanyar sadarwa ta amfani da fassarar adireshi. A cikin wannan labarin zan gaya muku yadda zaku iya samun aikin Carrier Grade NAT akan sabobin kayayyaki.
A bit of history
Batun gajiyawar sarari adreshin IPv4 ba sabon abu bane. A wani lokaci, jerin jira sun bayyana a cikin RIPE, sannan musayar ya bayyana wanda aka yi ciniki da tubalan adireshi kuma aka kulla yarjejeniya don yin hayar su. Sannu a hankali, ma'aikatan sadarwa sun fara ba da sabis na shiga Intanet ta amfani da adireshi da fassarar tashar jiragen ruwa. Wasu ba su sami isassun adireshi ba don ba da adireshin “farar” ga kowane mai biyan kuɗi, yayin da wasu suka fara tara kuɗi ta hanyar ƙin siyan adireshi a kasuwar sakandare. Masu kera kayan aikin sadarwa sun goyi bayan wannan ra'ayin, saboda wannan aikin yawanci yana buƙatar ƙarin ƙarin kayayyaki ko lasisi. Misali, a layin Juniper na MX Routers (banda sabon MX104 da MX204), ana iya yin NAPT akan katin sabis na MS-MIC daban, Cisco ASR1k yana buƙatar lasisin CGN, Cisco ASR9k yana buƙatar keɓantaccen tsarin A9K-ISM-100. da lasisin A9K-CGN -LIC gareshi. Gabaɗaya, jin daɗin yana kashe kuɗi da yawa.
IPTables
Ayyukan yin NAT baya buƙatar albarkatun kwamfuta na musamman; ana iya warware shi ta hanyar na'urori masu mahimmanci na gaba ɗaya, waɗanda aka shigar, alal misali, a cikin kowane na'ura mai ba da hanya tsakanin hanyoyin sadarwa na gida. A kan sikelin ma'aikacin sadarwa, ana iya magance wannan matsalar ta amfani da sabobin kayayyaki masu aiki da FreeBSD (ipfw/pf) ko GNU/Linux (iptables). Ba za mu yi la'akari da FreeBSD ba, saboda ... Na daina amfani da wannan OS da daɗewa, don haka za mu tsaya ga GNU/Linux.
Kunna fassarar adireshi ba shi da wahala ko kaɗan. Da farko kuna buƙatar yin rajistar doka a cikin iptables a cikin nat tebur:
iptables -t nat -A POSTROUTING -s 100.64.0.0/10 -j SNAT --to <pool_start_addr>-<pool_end_addr> --persistent
Tsarin aiki zai ɗora nauyin nf_conntrack, wanda zai sa ido kan duk haɗin da ke aiki kuma ya yi canjin da suka dace. Akwai dabaru da yawa a nan. Da fari dai, tun da yake muna magana ne game da NAT a kan sikelin na ma'aikacin sadarwa, shi wajibi ne don daidaita lokaciouts, saboda tare da tsoho dabi'u girman tebur fassarar zai girma da sauri zuwa bala'i dabi'u. A ƙasa akwai misalin saitunan da na yi amfani da su akan sabobin nawa:
net.ipv4.ip_forward = 1
net.ipv4.ip_local_port_range = 8192 65535
net.netfilter.nf_conntrack_generic_timeout = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 600
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 45
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 60
net.netfilter.nf_conntrack_icmpv6_timeout = 30
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_events_retry_timeout = 15
net.netfilter.nf_conntrack_checksum=0
Na biyu kuma, tun da ba a tsara madaidaicin girman teburin fassarar don yin aiki a ƙarƙashin yanayin ma'aikacin sadarwa ba, yana buƙatar ƙarawa:
net.netfilter.nf_conntrack_max = 3145728
Hakanan wajibi ne a ƙara adadin buckets don tebur ɗin hash da ke adana duk watsa shirye-shirye (wannan zaɓi ne a cikin nf_conntrack module):
options nf_conntrack hashsize=1572864
Bayan waɗannan gyare-gyare masu sauƙi, ana samun ƙirar aiki gaba ɗaya wanda zai iya fassara babban adadin adiresoshin abokin ciniki a cikin tafkin na waje. Koyaya, aikin wannan maganin yana barin abubuwa da yawa da ake so. A cikin ƙoƙarina na farko na amfani da GNU/Linux don NAT (kusan 2013), na sami damar yin aikin kusan 7Gbit/s a 0.8Mpps kowane sabar (Xeon E5-1650v2). Tun daga wannan lokacin, an sami ingantawa daban-daban a cikin tari na cibiyar sadarwa na GNU/Linux, aikin sabar ɗaya akan kayan masarufi iri ɗaya ya ƙaru zuwa kusan 18-19 Gbit/s a 1.8-1.9 Mpps (waɗannan su ne matsakaicin ƙima) , amma buƙatar yawan zirga-zirgar ababen hawa, wanda uwar garken ɗaya ke sarrafawa ya ƙaru da sauri. A sakamakon haka, an ƙirƙiri tsare-tsare don daidaita nauyin da ke kan sabobin daban-daban, amma duk wannan yana ƙara rikitarwa na kafawa, kiyayewa da kuma kula da ingancin ayyukan da aka bayar.
Abincin abinci
A zamanin yau, wani salon salo a cikin software “jakuna masu canzawa” shine amfani da DPDK da XDP. An rubuta labarai da yawa akan wannan batu, an yi jawabai daban-daban, kuma samfuran kasuwanci suna bayyana (misali, SKAT daga VasExperts). Amma idan aka yi la'akari da ƙayyadaddun albarkatun shirye-shirye na ma'aikatan sadarwa, yana da matukar matsala don ƙirƙirar kowane "samfurin" dangane da waɗannan tsarin da kanku. Zai fi wuya a yi amfani da irin wannan maganin a nan gaba; musamman, dole ne a samar da kayan aikin bincike. Misali, daidaitaccen tcpdump tare da DPDK ba zai yi aiki kamar haka ba, kuma ba zai “gani” fakitin da aka aika zuwa wayoyi ta amfani da XDP ba. A cikin duk maganar sabbin fasahohi don fitar da fakitin isar da saƙo zuwa sararin samaniya, ba a lura da su ba и Pablo Neira Ayuso, mai kula da iptables, game da haɓaka kwararar kwararar kaya a cikin nftables. Bari mu dubi wannan dabarar.
Babban ra'ayin shi ne cewa idan na'ura mai ba da hanya tsakanin hanyoyin sadarwa ya wuce fakiti daga zama daya a cikin bangarorin guda biyu na kwarara (TCP zaman ya shiga cikin ESTABLISHED jihar), to babu buƙatar wuce fakiti na gaba na wannan zaman ta duk dokokin Tacewar zaɓi, saboda. duk waɗannan cak ɗin har yanzu za su ƙare tare da ƙara jujjuya fakitin zuwa hanyar tuƙi. Kuma a zahiri ba ma buƙatar zaɓar hanya - mun riga mun san wace keɓancewa da kuma wacce muke buƙatar aika fakiti a cikin wannan zaman. Abin da ya rage shi ne adana wannan bayanin kuma a yi amfani da shi don sarrafa su a farkon matakin sarrafa fakiti. Lokacin yin NAT, ya zama dole don ƙarin adana bayanai game da canje-canje a adireshi da tashar jiragen ruwa waɗanda nf_conntrack module suka fassara. Haka ne, ba shakka, a cikin wannan harka daban-daban 'yan sanda da sauran bayanai da kididdiga dokoki a iptables daina aiki, amma a cikin tsarin na aiki na dabam tsaye NAT ko, misali, kan iyaka, wannan ba shi da mahimmanci, saboda ayyuka. ana rarraba a cikin na'urori.
Kanfigareshan
Don amfani da wannan aikin muna buƙatar:
- Yi amfani da sabon kwaya. Duk da cewa aikin kanta ya bayyana a cikin kwaya 4.16, na dogon lokaci ya kasance "danye" kuma yana haifar da firgita a kai a kai. Komai ya daidaita kusan Disamba 2019, lokacin da aka saki LTS kernels 4.19.90 da 5.4.5.
- Sake rubuta dokokin iptables a cikin nftables ta amfani da sigar kwanan nan ta nftables. Yana aiki daidai a cikin sigar 0.9.0
Idan duk abin da ke cikin ka'ida ya bayyana tare da batu na farko, babban abu shine kada ku manta da haɗawa da module a cikin daidaitawa yayin haɗuwa (CONFIG_NFT_FLOW_OFFLOAD = m), to, batu na biyu yana buƙatar bayani. An kwatanta dokokin nftables gaba ɗaya daban fiye da a cikin iptables. ya bayyana kusan dukkanin maki, akwai kuma na musamman dokoki daga iptables zuwa nftables. Saboda haka, zan ba da misali ne kawai na kafa NAT da kuma gudana offload. Karamin labari misali: , - Waɗannan su ne hanyoyin haɗin yanar gizon da zirga-zirga ke wucewa, a zahiri za a iya samun fiye da biyu daga cikinsu. , - adireshin farawa da ƙarewa na kewayon adiresoshin "farar fata".
Tsarin NAT yana da sauqi qwarai:
#! /usr/sbin/nft -f
table nat {
chain postrouting {
type nat hook postrouting priority 100;
oif <o_if> snat to <pool_addr_start>-<pool_addr_end> persistent
}
}
Tare da sauke saukewa yana da ɗan rikitarwa, amma ana iya fahimta sosai:
#! /usr/sbin/nft -f
table inet filter {
flowtable fastnat {
hook ingress priority 0
devices = { <i_if>, <o_if> }
}
chain forward {
type filter hook forward priority 0; policy accept;
ip protocol { tcp , udp } flow offload @fastnat;
}
}
Wannan, a gaskiya, shine gaba ɗaya saitin. Yanzu duk zirga-zirgar TCP/UDP za su fada cikin teburin fastnat kuma za a sarrafa su da sauri.
Результаты
Don bayyana yadda "yafi sauri" wannan shine, zan haɗa hoton ɗaukar hoto akan sabar guda biyu na gaske, tare da kayan aiki iri ɗaya (Xeon E5-1650v2), an daidaita shi daidai, ta amfani da kwaya Linux iri ɗaya, amma yin NAT a cikin iptables. (NAT4) kuma a cikin nftables (NAT5).
Babu jadawali na fakiti a sakan daya a cikin hoton hoton, amma a cikin bayanin martabar waɗannan sabobin matsakaicin girman fakitin yana kusa da bytes 800, don haka ƙimar sun kai 1.5Mpps. Kamar yadda kake gani, uwar garken tare da nftables yana da babban ajiyar aiki. A halin yanzu, wannan uwar garken yana aiwatar da har zuwa 30Gbit/s a 3Mpps kuma a fili yana da ikon saduwa da iyakokin hanyar sadarwa ta zahiri na 40Gbps, yayin da yana da albarkatun CPU kyauta.
Ina fatan wannan abu zai zama da amfani ga injiniyoyin cibiyar sadarwa da ke ƙoƙarin inganta aikin sabobin su.
source: www.habr.com