Fast routing and NAT on Linux

As IPv4 addresses run out, many telecom operators face the need to give their customers network access through address translation. In this article I will show how to get Carrier Grade NAT performance out of commodity servers.

A bit of history

The exhaustion of the IPv4 address space is no longer news. At some point waiting lists appeared at RIPE, then exchanges emerged where address blocks were sold and leasing contracts were signed. Gradually, telecom operators began providing Internet access with address and port translation. Some could not obtain enough addresses to give every subscriber a "white" (public) address, while others started saving money by refusing to buy addresses on the secondary market. Network equipment vendors supported this idea, since the functionality usually requires additional modules or licenses. For example, in Juniper's MX router line (except the recent MX104 and MX204) NAPT runs on a separate MS-MIC service card, Cisco ASR1k requires a CGN license, and Cisco ASR9k requires a dedicated A9K-ISM-100 module plus an A9K-CGN-LIC license for it. In short, the pleasure costs a lot of money.

IPTables

Performing NAT does not require specialised computing hardware; the job can be done by general-purpose processors, such as those found in any home router. At the scale of a telecom operator, the problem can be solved with commodity servers running FreeBSD (ipfw/pf) or GNU/Linux (iptables). We will not consider FreeBSD, because... I stopped using that OS long ago, so we will stick with GNU/Linux.

Enabling address translation is not difficult at all. First you need to add a rule to the nat table in iptables:

iptables -t nat -A POSTROUTING -s 100.64.0.0/10 -j SNAT --to <pool_start_addr>-<pool_end_addr> --persistent

The operating system will load the nf_conntrack module, which tracks all active connections and performs the required rewrites. There are several subtleties here. First, since we are talking about NAT at the scale of a telecom operator, the timeouts have to be tuned, because with the default values the translation table quickly grows to threatening sizes. Below is an example of the settings I used on my servers:

net.ipv4.ip_forward = 1
net.ipv4.ip_local_port_range = 8192 65535

net.netfilter.nf_conntrack_generic_timeout = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 600
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 45
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 60
net.netfilter.nf_conntrack_icmpv6_timeout = 30
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_events_retry_timeout = 15
net.netfilter.nf_conntrack_checksum = 0

Second, since the default size of the translation table is not designed for telecom-operator conditions, it must be increased:

net.netfilter.nf_conntrack_max = 3145728

It is also necessary to increase the number of buckets in the hash table that stores all translations (this is a parameter of the nf_conntrack module):

options nf_conntrack hashsize=1572864

After these simple manipulations you get a fully working configuration that can translate a large number of client addresses into a pool of external ones. However, the performance of this solution leaves much to be desired. In my first attempts at using GNU/Linux for NAT (around 2013), I got about 7Gbit/s at 0.8Mpps per server (Xeon E5-1650v2). Since then many optimisations have been made in the GNU/Linux kernel network stack, and the performance of a single server on the same hardware has grown to almost 18-19 Gbit/s at 1.8-1.9 Mpps (these were the limiting values), but the volume of traffic that a single server is expected to handle grew much faster. As a result, schemes were devised to balance the load across several servers, but all of this increased the complexity of configuring the service, maintaining it and keeping up its quality.

NFTables to the rescue

Nowadays the fashionable direction in "packet shovelling" is DPDK and XDP. Many articles have been written on the subject, many talks given, and commercial products are appearing (for example, SKAT from VasExperts). But given the limited programming resources of telecom operators, building some "thing" on these frameworks yourself is quite problematic. Operating such a solution later will be even harder; in particular, diagnostic tooling has to be developed. For example, the standard tcpdump does not simply work with DPDK, and it "does not see" packets sent to the wire via XDP. Amid all the talk about new technologies for passing packets to userspace, the reports and articles of Pablo Neira Ayuso, the iptables maintainer, about the development of flow offloading in nftables went largely unnoticed. Let us look at this mechanism in more detail.

The main idea is this: if the router has already forwarded packets of a session in both directions of the flow (the TCP session has entered the ESTABLISHED state), there is no need to pass the subsequent packets of that session through all the firewall rules, because all of those checks will end anyway with the packet being handed on to routing. Nor do we need to look up a route: we already know which interface and which next hop the packets of this session go to. All that remains is to store this information and use it for forwarding at an early stage of packet processing. When doing NAT, we additionally have to store the address and port rewrites recorded by the nf_conntrack module. Yes, of course, in this case the various policers and other accounting and statistics rules in iptables stop working, but within a dedicated NAT box or, say, a border router this is not very important, because the services are distributed across separate devices.

Configuration

To use it we need to:

  • Use a recent kernel. Although the functionality appeared in kernel 4.16, for a long time it was very "raw" and regularly caused kernel panics. Everything stabilised in December 2019, when the LTS kernels 4.19.90 and 5.4.5 were released.
  • Rewrite the iptables rules in nftables format using a reasonably recent version of nftables. It definitely works in version 0.9.0.

If the first point is clear (the main thing is not to forget to enable the module when building the kernel: CONFIG_NFT_FLOW_OFFLOAD=m), the second point needs some explanation. nftables rules are written quite differently from iptables rules. The documentation covers almost everything, and there are dedicated converters from iptables rules to nftables. So I will just give an example of configuring NAT and offload. A small legend for the example: <i_if>, <o_if> are the network interfaces the traffic passes through; in reality there may be more than two. <pool_addr_start>, <pool_addr_end> are the first and last addresses of the range of "white" addresses.
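A pre-flight check for the two prerequisites above, written for this page as an added example (not the article's code). The thresholds 4.19.90, 5.4.5 and nft 0.9.0 and the CONFIG_NFT_FLOW_OFFLOAD option are the article's; how non-LTS kernel lines are treated is my assumption.

```python
"""Pre-flight check for nftables flow offload (added example, not the article's code).
Thresholds are the article's: offload stabilised in LTS kernels 4.19.90 and 5.4.5,
CONFIG_NFT_FLOW_OFFLOAD must be enabled, and the ruleset was tested with nft 0.9.0."""
import re

STABLE_KERNELS = ((4, 19, 90), (5, 4, 5))  # first stable point of each LTS line
MIN_NFT = (0, 9, 0)
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Numeric tuple from '5.4.5-1-amd64' or 'nftables v0.9.0 (Fearless Fosdick)'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(x or 0) for x in m.groups())


def kernel_has_stable_offload(release):
    """4.19.x needs >= 4.19.90, 5.4.x needs >= 5.4.5, anything newer than 5.4 is
    accepted; 4.16-4.18 (feature present but raw), the non-LTS 4.20/5.0-5.3 lines
    and older kernels are rejected (assumption: only lines the article vouches for)."""
    v = parse_version(release)
    for minimum in STABLE_KERNELS:
        if v[:2] == minimum[:2]:
            return v >= minimum
    return v[:2] > (5, 4)


def kconfig_has_flow_offload(config_text):
    """True if the kernel config enables CONFIG_NFT_FLOW_OFFLOAD (=y or =m)."""
    return re.search(r"^CONFIG_NFT_FLOW_OFFLOAD=[ym]$", config_text, re.M) is not None


def nft_version_ok(nft_v_output):
    """Parse the output of `nft -v` and compare against MIN_NFT."""
    return parse_version(nft_v_output) >= MIN_NFT


def preflight(release, config_text, nft_v_output):
    """Map each prerequisite to pass/fail."""
    return {"kernel": kernel_has_stable_offload(release),
            "kconfig": kconfig_has_flow_offload(config_text),
            "nft": nft_version_ok(nft_v_output)}


if __name__ == "__main__":  # on a real box feed os.uname().release, /boot/config-<release>, `nft -v`
    print(preflight("5.4.5-1-amd64", "CONFIG_NFT_FLOW_OFFLOAD=m\n", "nftables v0.9.0 (Fearless Fosdick)"))
```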

The NAT configuration is very simple:

#! /usr/sbin/nft -f

table nat {
        chain postrouting {
                type nat hook postrouting priority 100;
                oif <o_if> snat to <pool_addr_start>-<pool_addr_end> persistent
        }
}

Flow offload is a little more involved, but quite understandable:

#! /usr/sbin/nft -f

table inet filter {
        flowtable fastnat {
                hook ingress priority 0
                devices = { <i_if>, <o_if> }
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
                ip protocol { tcp , udp } flow offload @fastnat;
        }
}

That is, in fact, the whole setup. Now all TCP/UDP traffic will land in the fastnat table and be processed much faster.
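An added example (not from the article) that ties the conntrack tuning above to the flow offload just configured: it parses /proc/net/nf_conntrack-style lines (the sample is constructed; the 100.64.0.0/10 subscribers and the 203.0.113.x pool are made-up values) and reports table utilisation against the article's nf_conntrack_max, entries per protocol/state, how many are SNAT translations, and how many already carry the [OFFLOAD] flag the kernel sets once a flow has been handed to the flowtable.

```python
"""Conntrack table health check (added example, not code from the article):
parses /proc/net/nf_conntrack-style lines and reports utilisation against
nf_conntrack_max, entries per protocol/state, SNAT translations and offloaded flows."""
import re
from collections import Counter

CONNTRACK_MAX = 3145728  # the article's nf_conntrack_max
TCP_STATES = {"SYN_SENT", "SYN_RECV", "ESTABLISHED", "FIN_WAIT",
              "CLOSE_WAIT", "LAST_ACK", "TIME_WAIT", "CLOSE"}
ADDR_RE = re.compile(r"src=(\S+) dst=(\S+)")

# Constructed sample: two SNATed subscriber TCP flows (one already offloaded, one
# half-open), one SNATed UDP flow, and one un-translated local flow.
SAMPLE = """\
ipv4 2 tcp 6 599 ESTABLISHED src=100.64.1.10 dst=198.51.100.7 sport=40000 dport=443 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=40000 [OFFLOAD] mark=0 zone=0 use=2
ipv4 2 tcp 6 59 SYN_SENT src=100.64.1.11 dst=198.51.100.7 sport=40001 dport=80 [UNREPLIED] src=198.51.100.7 dst=203.0.113.5 sport=80 dport=40001 mark=0 zone=0 use=2
ipv4 2 udp 17 29 src=100.64.1.12 dst=198.51.100.9 sport=5353 dport=53 src=198.51.100.9 dst=203.0.113.6 sport=53 dport=5353 mark=0 zone=0 use=1
ipv4 2 tcp 6 119 TIME_WAIT src=10.0.0.2 dst=10.0.0.3 sport=5000 dport=22 src=10.0.0.3 dst=10.0.0.2 sport=22 dport=5000 [ASSURED] mark=0 zone=0 use=1
"""


def parse_entry(line):
    """Split one conntrack line into protocol, state, timeout, SNAT and offload facts."""
    f = line.split()
    state = f[5] if f[5] in TCP_STATES else "-"  # udp/icmp lines have no state column
    pairs = ADDR_RE.findall(line)                # original tuple, then reply tuple
    if len(pairs) != 2:
        raise ValueError("expected original and reply tuples: %r" % line)
    (orig_src, _), (_, reply_dst) = pairs
    return {"proto": f[2], "state": state, "timeout": int(f[4]),
            # SNAT rewrote the source, so replies are addressed to the pool, not the client
            "snat": orig_src != reply_dst,
            "offloaded": "[OFFLOAD]" in f or "[HW_OFFLOAD]" in f}


def summarize(text, ct_max=CONNTRACK_MAX):
    """Aggregate a conntrack dump; utilisation is entries / nf_conntrack_max."""
    entries = [parse_entry(l) for l in text.splitlines() if l.strip()]
    return {"count": len(entries), "utilisation": len(entries) / ct_max,
            "by_state": Counter(e["proto"] + "/" + e["state"] for e in entries),
            "snat": sum(e["snat"] for e in entries),
            "offloaded": sum(e["offloaded"] for e in entries)}


if __name__ == "__main__":
    # On a live NAT box: print(summarize(open("/proc/net/nf_conntrack").read()))
    print(summarize(SAMPLE))
```

A utilisation approaching 1.0 means new flows will be dropped with the familiar "nf_conntrack: table full" condition, which is exactly what the timeout tuning above is meant to keep distant.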

Results

To make it clear how "fast" this is, I am attaching a screenshot of the load on two real servers with identical hardware (Xeon E5-1650v2), configured identically and running the same Linux kernel, but doing NAT in iptables (NAT4) and in nftables (NAT5) respectively.

[Image: Fast routing and NAT on Linux (load graphs of the NAT4 and NAT5 servers)]

There is no packets-per-second graph in the screenshot, but in the load profile of these servers the average packet size is about 800 bytes, so the peaks correspond to about 1.5Mpps. As you can see, the server running nftables has a huge performance reserve. At the moment this server handles up to 30Gbit/s at 3Mpps and is clearly able to reach the physical limit of the 40Gbps network while still having free CPU resources.

I hope this material will be useful to network engineers trying to improve the performance of their servers.

Source: www.habr.com
