Fast path and NAT on Linux

As IPv4 addresses run out, many telecom operators are faced with the need to give their customers Internet access through address translation. In this article I will show how you can get Carrier Grade NAT performance out of commodity servers.

A bit of history

The exhaustion of the IPv4 address space is not a new topic. At some point waiting lists appeared at RIPE, then exchanges appeared where address blocks were traded and deals were made to lease them. Telecom operators began providing Internet access using address and port translation. Some could not obtain enough addresses to give every subscriber a "white" (public) address; others started saving money by refusing to buy addresses on the secondary market. Network equipment vendors supported this idea, since this functionality usually requires extra expansion modules or licenses. For example, in Juniper's MX router line (except for the newer MX104 and MX204) NAPT can be done on a separate MS-MIC service card, Cisco ASR1k requires a CGN license, and Cisco ASR9k requires a separate A9K-ISM-100 module plus an A9K-CGN-LIC license for it. In short, the pleasure costs a lot of money.

IPTables

Performing NAT does not require specialized computing resources; it can be handled by general-purpose processors such as those found in any home router. At the scale of a telecom operator the problem can be solved with commodity servers running FreeBSD (ipfw/pf) or GNU/Linux (iptables). We will not consider FreeBSD, because... I stopped using that OS a long time ago, so we will stick with GNU/Linux.

Enabling address translation is not difficult at all. First you add a rule to the nat table in iptables:

iptables -t nat -A POSTROUTING -s 100.64.0.0/10 -j SNAT --to <pool_start_addr>-<pool_end_addr> --persistent

The operating system loads the nf_conntrack module, which tracks all active connections and performs the necessary rewriting. There are a few subtleties here. First, since we are talking about NAT at telecom-operator scale, the timeouts have to be tuned: with the default values the translation table quickly grows to catastrophic sizes. Below is an example of the settings I used on my servers (note that nf_conntrack_checksum=0 turns off checksum verification inside conntrack; it saves CPU at the price of tracking packets with broken checksums, which the end host will discard anyway):

net.ipv4.ip_forward = 1
net.ipv4.ip_local_port_range = 8192 65535

net.netfilter.nf_conntrack_generic_timeout = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 600
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 45
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 60
net.netfilter.nf_conntrack_icmpv6_timeout = 30
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_events_retry_timeout = 15
net.netfilter.nf_conntrack_checksum = 0

Second, the default size of the translation table was never meant for telecom-operator conditions, so it has to be increased:

net.netfilter.nf_conntrack_max = 3145728

The number of buckets in the hash table that holds all translations also needs to be increased (this is a parameter of the nf_conntrack module, set in modprobe configuration):

options nf_conntrack hashsize=1572864
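As an added check that is not part of the original article: the settings above fix nf_conntrack_max, and the thing to watch afterwards is how close the table gets to that limit, because once it is full new connections are dropped (the kernel logs a "table full, dropping packet" message) and the drop shows up in the per-CPU drop / early_drop counters of /proc/net/stat/nf_conntrack. The script below is example code that assumes only the standard sysctl files under /proc/sys/net/netfilter and that stat file; both paths are parameters so it can also be run against copied files.

```sh
#!/bin/sh
# Added example: headroom and drop check for a conntrack-based NAT box.
# Not part of the original article. Assumes the standard file layout under
# /proc/sys/net/netfilter and /proc/net/stat/nf_conntrack; ROOT and STAT
# are overridable so the functions can be run against constructed copies.
set -eu

# Percentage of nf_conntrack_max currently in use (integer).
# $1: sysctl root (default /proc/sys)
conntrack_usage_pct() {
    root="${1:-/proc/sys}"
    count=$(cat "$root/net/netfilter/nf_conntrack_count")
    max=$(cat "$root/net/netfilter/nf_conntrack_max")
    echo $(( count * 100 / max ))
}

# Sum the per-CPU "drop" and "early_drop" counters from the nf_conntrack stat
# file. Values there are hexadecimal; columns are located by header name, so
# layout differences between kernel versions do not matter.
# $1: stat file (default /proc/net/stat/nf_conntrack). Prints "DROP EARLY_DROP".
conntrack_drops() {
    stat="${1:-/proc/net/stat/nf_conntrack}"
    awk '
        function hex(s,   i, v) {
            v = 0; s = tolower(s)
            for (i = 1; i <= length(s); i++)
                v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
            return v
        }
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        { drop += hex($col["drop"]); early += hex($col["early_drop"]) }
        END { print drop + 0, early + 0 }
    ' "$stat"
}

# Return 1 when table usage exceeds THRESHOLD percent (default 80) or when
# any packet has already been dropped for lack of table space; 0 otherwise.
# $1: sysctl root, $2: threshold in percent, $3: stat file
conntrack_check() {
    root="${1:-/proc/sys}"; thr="${2:-80}"; stat="${3:-/proc/net/stat/nf_conntrack}"
    pct=$(conntrack_usage_pct "$root")
    set -- $(conntrack_drops "$stat")
    if [ "$pct" -gt "$thr" ] || [ "$1" -gt 0 ] || [ "$2" -gt 0 ]; then
        echo "conntrack: ${pct}% of table used, drop=$1 early_drop=$2" >&2
        return 1
    fi
    echo "conntrack: ${pct}% of table used, no drops"
}

# Run the check when invoked directly as "script check [ROOT] [THRESHOLD]";
# does nothing when the file is only sourced for its functions.
if [ "${1:-}" = "check" ]; then
    conntrack_check "${2:-/proc/sys}" "${3:-80}"
fi
```

Run it from cron or a monitoring agent; a non-zero exit means the sizing in nf_conntrack_max (or the timeouts above) needs revisiting before subscribers start losing connections.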

After these simple manipulations you get a fully working setup that can translate a large number of clients into a pool of external addresses. Its performance, however, leaves much to be desired. In my first attempts to use GNU/Linux for NAT (circa 2013) I got about 7 Gbit/s at 0.8 Mpps per server (Xeon E5-1650v2). Since then many optimizations have gone into the GNU/Linux kernel network stack, and the performance of a single server on the same hardware has grown to almost 18-19 Gbit/s at 1.8-1.9 Mpps (these were the peak values), but the demand for the amount of traffic handled by a single server grew much faster. As a result, schemes for balancing the load across several servers were developed, but all of that increased the complexity of configuration, maintenance and keeping up the quality of the services provided.

NFTables

Nowadays DPDK and XDP are the fashionable way to do software "packet shoveling". Many articles have been written on the subject, many talks given, and commercial products have appeared (for example SKAT from VasExperts). But given the limited programming resources of telecom operators, building some kind of "product" on top of these frameworks yourself is quite problematic, and operating such a solution afterwards is harder still; in particular, the diagnostic tooling has to be written too. For example, plain tcpdump does not just work with DPDK, and it does not "see" packets that XDP sends back out to the wire. Amid all the talk about new technologies for moving packet forwarding into user space, the talks and articles by Pablo Neira Ayuso, the maintainer of iptables, on the development of flow offloading in nftables went unnoticed. Let's take a closer look at this mechanism.

The main idea is this: once the router has passed packets of a session in both directions of the flow (the TCP session has reached the ESTABLISHED state), there is no need to push subsequent packets of that session through all the firewall rules, because all those checks will end the same way, with the packet handed on to routing. We do not even need to look up a route: we already know the interface and the next host to which packets of this session have to be sent. All that remains is to store this information and use it for forwarding at an early stage of packet processing. When NAT is involved, the changes to addresses and ports made by the nf_conntrack module have to be stored as well. Yes, of course, packets of an offloaded flow then bypass the forward chain entirely, so policers, logging, counters and other statistical rules in iptables stop seeing them; but for a standalone NAT or, say, a border router this is not that important, because those services live on other devices.

Configuration

To use this feature we need to:

  • Use a fresh kernel. Although the functionality itself appeared in kernel 4.16, for a long time it was quite "raw" and regularly caused kernel panics. Everything settled down around December 2019, when the LTS kernels 4.19.90 and 5.4.5 were released.
  • Rewrite the iptables rules in nftables format using a fairly recent version of nftables. Version 0.9.0 works exactly as expected.

If the first point is clear (the main thing is not to forget to enable the module when building the kernel, CONFIG_NFT_FLOW_OFFLOAD=m), the second needs some explanation. nftables rules are written differently from iptables rules. The documentation covers almost everything, and there are dedicated converters from iptables rules to nftables. So I will only give an example of the NAT and flow offload configuration. A small legend for the example: <i_if> and <o_if> are the network interfaces the traffic passes through; in reality there can be more than two of them. <pool_addr_start> and <pool_addr_end> are the first and last addresses of the range of "white" addresses.

The NAT configuration is very simple:

#! /usr/sbin/nft -f

table nat {
        chain postrouting {
                type nat hook postrouting priority 100;
                oif <o_if> snat to <pool_addr_start>-<pool_addr_end> persistent
        }
}

With flow offload it is slightly more involved, but still quite readable:

#! /usr/sbin/nft -f

table inet filter {
        flowtable fastnat {
                hook ingress priority 0
                devices = { <i_if>, <o_if> }
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
                ip protocol { tcp , udp } flow offload @fastnat;
        }
}

That is the whole configuration. From now on all established TCP/UDP flows land in the fastnat flowtable and are processed much faster.
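The two files above can be loaded as a single ruleset. The script below is an added example, not the article's own configuration: it renders one nft file that merges the nat and filter tables, restricts translation to the 100.64.0.0/10 subscriber range exactly as the earlier iptables rule did (the nft snat rule above translates any source leaving the uplink), drops subscriber packets that spoof a source outside that range, adds counters, and validates the file with nft -c before loading it atomically. The interface names eth0/eth1 and the pool 203.0.113.10-203.0.113.20 are placeholders chosen here. As in the article, iif/oif resolve to interface indexes, so the interfaces must exist when the file is loaded; use iifname/oifname for interfaces that come and go.

```sh
#!/bin/sh
# Added example, not from the article: build one nft ruleset combining NAT and
# flow offload, check it, then load it atomically. Interface names and the
# public pool are arguments; the values in the usage line below are placeholders.
set -eu

# Print a complete ruleset to stdout.
# $1: subscriber-side interface, $2: uplink interface,
# $3: first pool address, $4: last pool address
render_cgnat_ruleset() {
    i_if="$1"; o_if="$2"; pool_start="$3"; pool_end="$4"
    cat <<EOF
#!/usr/sbin/nft -f
# "flush ruleset" makes the load a full atomic replacement: either the whole
# file applies or nothing changes. Appropriate on a dedicated NAT box.
flush ruleset

table ip nat {
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                # translate only the subscriber range, and only towards the uplink
                oif $o_if ip saddr 100.64.0.0/10 counter snat to $pool_start-$pool_end persistent
        }
}

table inet filter {
        flowtable fastnat {
                hook ingress priority 0
                devices = { $i_if, $o_if }
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
                # a subscriber port must not source packets outside its own range
                iif $i_if ip saddr != 100.64.0.0/10 counter drop
                # established TCP/UDP flows bypass this chain from here on
                ip protocol { tcp, udp } flow offload @fastnat
                counter
        }
}
EOF
}

# Write the ruleset to a file, validate it, and only then load it.
# $1-$4 as above, $5: output path (default /etc/nftables.conf)
apply_cgnat_ruleset() {
    out="${5:-/etc/nftables.conf}"
    render_cgnat_ruleset "$1" "$2" "$3" "$4" > "$out"
    nft -c -f "$out"   # check the file without applying it
    nft -f "$out"      # atomic load of the whole file
}

# usage (placeholder values): script apply eth0 eth1 203.0.113.10 203.0.113.20
if [ "${1:-}" = "apply" ]; then
    shift
    apply_cgnat_ruleset "$@"
fi
```

The counters cost little and are the first thing to look at when a subscriber complains: the drop rule's counter tells you whether spoofed or mis-addressed traffic is arriving on the inside port, and the snat rule's counter shows whether traffic actually reaches translation.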

Results

To get a feeling for how much "faster" this is, I attach a screenshot of the load on two real servers with identical hardware (Xeon E5-1650v2), configured identically and running the same Linux kernel, but doing NAT in iptables (NAT4) and in nftables (NAT5) respectively.

(Screenshot: load graphs of the two servers, NAT4 with iptables and NAT5 with nftables.)

The screenshot shows no packets per second, but for the traffic these servers carry the average packet size is about 800 bytes, so the values reach up to 1.5 Mpps. As you can see, the server with nftables has a huge performance reserve. At the moment this server handles up to 30 Gbit/s at 3 Mpps and is clearly capable of reaching the physical limit of its 40 Gbps network connection while still having free CPU resources.

I hope this material will be useful to network engineers trying to improve the performance of their servers.

Source: www.habr.com
