Fast routing and NAT in Linux

As IPv4 addresses run out, many telecom operators are faced with the need to provide their customers with network access through address translation. In this article I will describe how to get Carrier Grade NAT performance out of commodity servers.

A bit of history

The problem of IPv4 address space exhaustion is no longer new. At some point waiting lists appeared at RIPE, then exchanges emerged where address blocks were traded and deals were made to lease them. Gradually, telecom operators began to provide Internet access using address and port translation. Some could not obtain enough addresses to give every subscriber a "white" address, while others began saving money by refusing to buy addresses on the secondary market. Network equipment manufacturers supported this idea, because this functionality usually requires additional expansion modules or licenses. For example, in Juniper's MX router line (except the recent MX104 and MX204), NAPT can be performed on a separate MS-MIC service card, the Cisco ASR1k requires a CGN license, and the Cisco ASR9k requires a separate A9K-ISM-100 module and an A9K-CGN-LIC license for it. In short, the pleasure costs a lot of money.

IPTables

The NAT task does not require special computing resources; it can be handled by the general-purpose processors found, for example, in any home router. At telecom operator scale, the problem can be solved with commodity servers running FreeBSD (ipfw/pf) or GNU/Linux (iptables). We will not consider FreeBSD, because... I stopped using that OS a long time ago, so we will stick with GNU/Linux.

Enabling address translation is not difficult. First you need to add a rule to the nat table in iptables:

iptables -t nat -A POSTROUTING -s 100.64.0.0/10 -j SNAT --to <pool_start_addr>-<pool_end_addr> --persistent

The operating system loads the nf_conntrack module, which tracks all active connections and performs the necessary translations. There are several subtleties here. First, since we are talking about NAT at telecom operator scale, the timeouts have to be tuned, because with the default values the translation table quickly grows to a threatening size. Below is an example of the settings I used on my servers:

net.ipv4.ip_forward = 1
net.ipv4.ip_local_port_range = 8192 65535

net.netfilter.nf_conntrack_generic_timeout = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 600
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 45
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 60
net.netfilter.nf_conntrack_icmpv6_timeout = 30
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_events_retry_timeout = 15
net.netfilter.nf_conntrack_checksum = 0

And second, since the default size of the translation table is not designed for telecom operator conditions, it needs to be increased:

net.netfilter.nf_conntrack_max = 3145728

It is also necessary to increase the number of buckets in the hash table that stores all translations (this is an option of the nf_conntrack module):

options nf_conntrack hashsize=1572864
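An added check script (not from the article) for the conntrack sizing above: it reads nf_conntrack_count, nf_conntrack_max and the loaded module's hashsize and warns before the table fills, since a full table means the kernel drops new connections and logs "nf_conntrack: table full, dropping packet". The CT_DIR/HASH_FILE paths, the 80%/95% thresholds and the "4 entries per bucket" limit are assumptions.

```shell
#!/bin/sh
# Added example, not the article's code: headroom check for a conntrack table
# sized with nf_conntrack_max=3145728 and hashsize=1572864 (the article's values).
# Exit status: 0 = OK, 1 = WARN, 2 = CRIT, so it can run from cron or a monitor.
set -eu
CT_DIR=${CT_DIR:-/proc/sys/net/netfilter}
HASH_FILE=${HASH_FILE:-/sys/module/nf_conntrack/parameters/hashsize}
WARN_PCT=${WARN_PCT:-80}
CRIT_PCT=${CRIT_PCT:-95}

# Integer percentage of the table in use: $1 = nf_conntrack_count, $2 = nf_conntrack_max.
usage_pct() {
    [ "$2" -gt 0 ] || { echo 0; return 0; }
    echo $(( $1 * 100 / $2 ))
}

# Entries per hash bucket at a full table, times 100: $1 = nf_conntrack_max, $2 = hashsize.
# The article keeps this at 2 (200). A much larger value usually means the
# "options nf_conntrack hashsize=" line was added after the module was already
# loaded; the value can also be written at runtime to $HASH_FILE.
entries_per_bucket_x100() {
    [ "$2" -gt 0 ] || { echo 0; return 0; }
    echo $(( $1 * 100 / $2 ))
}

# Read the live counters, print one status line, return 0/1/2.
check_conntrack() {
    count=$(cat "$CT_DIR/nf_conntrack_count")
    max=$(cat "$CT_DIR/nf_conntrack_max")
    hashsize=$(cat "$HASH_FILE")
    pct=$(usage_pct "$count" "$max")
    ratio=$(entries_per_bucket_x100 "$max" "$hashsize")
    status=OK; rc=0
    if [ "$pct" -ge "$CRIT_PCT" ]; then status=CRIT; rc=2
    elif [ "$pct" -ge "$WARN_PCT" ]; then status=WARN; rc=1
    fi
    # more than 4 entries per bucket (assumed limit) flags an undersized hash table
    [ "$ratio" -le 400 ] || { status="$status HASH_UNDERSIZED"; [ "$rc" -ge 1 ] || rc=1; }
    echo "$status conntrack ${pct}% full ($count/$max), entries/bucket x100=$ratio"
    return $rc
}
# Usage: check_conntrack || alert   (run as root; /proc values exist only with nf_conntrack loaded)
```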

After these simple manipulations you get a fully working setup that can translate a large number of client addresses into a pool of external ones. However, the performance of this solution leaves much to be desired. In my first attempts to use GNU/Linux for NAT (circa 2013), I was able to get about 7 Gbit/s at 0.8 Mpps per server (Xeon E5-1650v2). Since then, many different optimizations have been made in the GNU/Linux kernel network stack, and the performance of one server on the same hardware has grown to almost 18-19 Gbit/s at 1.8-1.9 Mpps (these were the limiting values), but the amount of traffic that a single server needed to handle grew much faster. As a result, schemes were devised to balance the load across different servers, but all of this increased the complexity of configuring and maintaining the setup and of keeping the quality of the services provided.

NFTables

Nowadays, the fashionable trend in software "packet shovelling" is the use of DPDK and XDP. Many articles have been written on this topic, many different talks have been given, and commercial products are appearing (for example, SKAT from VasExperts). But given the limited development resources of telecom operators, it is problematic to build any "product" on top of these frameworks on your own. It will be much harder to operate such a solution later on; in particular, monitoring tools will have to be developed. For example, the standard tcpdump does not work with DPDK out of the box, and it will not "see" packets that were sent back to the wire by XDP. Amid all the talk about new technologies for moving packet forwarding into user space, the reports and articles by Pablo Neira Ayuso, the iptables maintainer, about the development of flow offloading in nftables went unnoticed. Let us take a closer look at this mechanism.

The main idea is that once the router has passed packets of one session in both directions of the flow (the TCP session has entered the ESTABLISHED state), there is no need to pass the subsequent packets of this session through all the firewall rules, because all those checks will still end with the packet being handed on to routing. And we do not really need to select a route either: we already know to which interface and to which next hop we need to send the packets of this session. All that remains is to save this information and use it for routing at an early stage of packet processing. When doing NAT, we additionally need to save the address and port changes performed by the nf_conntrack module. Yes, yes, in this case various policers and other informational and statistical rules in iptables stop working, but within a separate standalone NAT box or, for example, a border router, this is not very important, because the functions are distributed across devices.

Configuration

To use this feature we need to:

  • Use a fresh kernel. Although the functionality appeared in kernel 4.16, for quite a long time it was very "raw" and regularly caused kernel panics. Everything stabilised around December 2019, when the LTS kernels 4.19.90 and 5.4.5 were released.
  • Rewrite the iptables rules in nftables format using a fairly recent version of nftables. It definitely works in version 0.9.0.

If the first point is basically clear (the main thing is not to forget to enable the module in the kernel configuration at build time, CONFIG_NFT_FLOW_OFFLOAD=m), the second point needs an explanation. nftables rules are written completely differently from iptables. The documentation covers almost all the points, and there are also special converters for rules from iptables to nftables. Therefore I will only give an example of configuring NAT and flow offload. A small legend for the example: <i_if>, <o_if> are the network interfaces through which the traffic passes; in reality there can be more than two of them. <pool_addr_start>, <pool_addr_end> are the first and last addresses of the range of "white" addresses.

The NAT configuration is very simple:

#! /usr/sbin/nft -f

table nat {
        chain postrouting {
                type nat hook postrouting priority 100;
                oif <o_if> snat to <pool_addr_start>-<pool_addr_end> persistent
        }
}

Flow offloading is a little more complicated, but quite understandable:

#! /usr/sbin/nft -f

table inet filter {
        flowtable fastnat {
                hook ingress priority 0
                devices = { <i_if>, <o_if> }
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
                ip protocol { tcp , udp } flow offload @fastnat;
        }
}

That is, in fact, the whole setup. Now all TCP/UDP traffic will land in the fastnat table and be processed much faster.
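An added example (not the article's own code) that combines the two rulesets above into one script with the policy rules placed before the offload rule, and adds a check that flows really are being offloaded; the interface names, the pool range and the port-25 block rule are placeholders or constructed.

```shell
#!/bin/sh
# Added example, not the article's code: NAT + flow offload ruleset with policy
# rules placed before the offload rule, plus an offload check on conntrack output.
set -eu
I_IF=${I_IF:-eth0}; O_IF=${O_IF:-eth1}               # inside / outside interfaces (placeholders)
POOL_START=${POOL_START:-198.51.100.1}; POOL_END=${POOL_END:-198.51.100.8}   # placeholder pool
# Offloaded packets never revisit the forward chain, so a drop/limit rule placed
# after "flow offload" only sees the first packets of a flow: keep policy rules
# above it, and hand only established TCP/UDP flows to the flowtable.
ruleset_text() {
    cat <<EOF
flush ruleset
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oif "$O_IF" snat to $POOL_START-$POOL_END persistent
    }
}
table inet filter {
    flowtable fastnat {
        hook ingress priority 0
        devices = { "$I_IF", "$O_IF" }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        ip saddr 100.64.0.0/10 tcp dport 25 counter drop
        ct state established meta l4proto { tcp, udp } counter flow offload @fastnat
    }
}
EOF
}
# Load it (root, nft >= 0.9.0):  ruleset_text | nft -c -f - && ruleset_text | nft -f -

# Summarise "conntrack -L" output (stdin). Offloaded entries carry [OFFLOAD];
# established TCP / assured UDP entries without it were not picked up, e.g.
# because an interface is missing from the flowtable's device list.
offload_report() {
    awk '/^(tcp|udp) / { if ($0 ~ /\[OFFLOAD\]/) off++; else if ($0 ~ /ESTABLISHED|\[ASSURED\]/) miss++ }
         END { printf "offloaded=%d not_offloaded=%d\n", off, miss }'
}
# Constructed sample of conntrack -L output (not captured from a real box).
sample_conntrack() {
    cat <<'EOF'
tcp      6 src=100.64.1.10 dst=203.0.113.50 sport=41234 dport=443 src=203.0.113.50 dst=198.51.100.7 sport=443 dport=41234 [OFFLOAD] mark=0 use=2
udp      17 src=100.64.1.11 dst=203.0.113.53 sport=5353 dport=53 src=203.0.113.53 dst=198.51.100.7 sport=53 dport=5353 [OFFLOAD] mark=0 use=2
tcp      6 431990 ESTABLISHED src=100.64.2.20 dst=203.0.113.9 sport=50000 dport=8080 src=203.0.113.9 dst=198.51.100.8 sport=8080 dport=50000 [ASSURED] mark=0 use=1
tcp      6 119 SYN_SENT src=100.64.2.21 dst=203.0.113.10 sport=50001 dport=80 [UNREPLIED] src=203.0.113.10 dst=198.51.100.8 sport=80 dport=50001 mark=0 use=1
EOF
}
# Live use: conntrack -L 2>/dev/null | offload_report
```

The counter on the offload rule is the second check: if `nft list ruleset` shows it at zero while the forward chain is busy, the flowtable is not taking effect.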

Results

To make it clear how much "much faster" is, I am attaching a screenshot of the load on two real servers with identical hardware (Xeon E5-1650v2), configured identically and running the same Linux kernel, but doing NAT in iptables (NAT4) and in nftables (NAT5).

[Screenshot: load graphs of the NAT4 (iptables) and NAT5 (nftables) servers]

There is no packets-per-second graph in the screenshot, but in the load profile of these servers the average packet size is around 800 bytes, so the rate reaches 1.5 Mpps. As you can see, the server with nftables has a huge performance reserve. At the moment this server handles up to 30 Gbit/s at 3 Mpps and is clearly able to hit the physical 40 Gbps limit of the network while still having free CPU resources.

I hope this material will be useful to network engineers trying to improve the performance of their servers.

Source: www.habr.com
