As the IPv4 address pool runs out, many telecom operators face the need to give their subscribers Internet access through address translation. In this article I will show how you can get Carrier Grade NAT performance out of commodity servers.
A bit of history
The exhaustion of the IPv4 address space is not a new topic. At some point waiting lists appeared at RIPE, then exchanges emerged where address blocks were traded and leasing deals were struck. Little by little, telecom operators began to provide Internet access using address and port translation. Some could not obtain enough addresses to give every subscriber a "white" address, while others started saving money by refusing to buy addresses on the secondary market. Network equipment vendors supported this idea, because the function usually requires additional expansion modules or licenses. For example, in the Juniper MX router line (except the recent MX104 and MX204) NAPT can only be done on a separate MS-MIC service card, the Cisco ASR1k requires a CGN license, and the Cisco ASR9k requires a separate A9K-ISM-100 module plus an A9K-CGN-LIC license for it. In general, the pleasure costs a lot of money.
IPTables
Implementing NAT does not require specialised computing resources; it can be done by general-purpose processors such as those found in any home router. At the scale of a telecom operator the job can be done with commodity servers running FreeBSD (ipfw/pf) or GNU/Linux (iptables). We will not look at FreeBSD, since I stopped using that OS a long time ago, so let's stay with GNU/Linux.
Enabling address translation is not difficult at all. First you need to add a rule to the nat table in iptables:
iptables -t nat -A POSTROUTING -s 100.64.0.0/10 -j SNAT --to <pool_start_addr>-<pool_end_addr> --persistent
The operating system then loads the nf_conntrack module, which tracks every active connection and performs the necessary rewrites. There are a few subtleties here. First, since we are talking about NAT at the scale of a telecom operator, the timeouts have to be tuned, because with the default values the translation table quickly grows to a dangerous size. Below is an example of the settings I used on my servers:
net.ipv4.ip_forward = 1
net.ipv4.ip_local_port_range = 8192 65535
net.netfilter.nf_conntrack_generic_timeout = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 600
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 45
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 60
net.netfilter.nf_conntrack_icmpv6_timeout = 30
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_events_retry_timeout = 15
net.netfilter.nf_conntrack_checksum = 0
And second, since the default size of the translation table was not designed for the conditions of a telecom operator, it has to be increased:
net.netfilter.nf_conntrack_max = 3145728
It is also necessary to increase the number of buckets in the hash table that stores all the translations (this is an option of the nf_conntrack module):
options nf_conntrack hashsize=1572864
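As an added example (not part of the original article), the following script parses the sysctl block above and estimates, using Little's law, how many conntrack entries the table holds at steady state for an assumed traffic mix, then compares that with nf_conntrack_max and the hashsize. The flow rates and durations are constructed; the only kernel value it assumes beyond what the page shows is the stock 5-day (432000 s) tcp_timeout_established, which the article's settings replace with 600 s.

```python
"""Capacity check for a conntrack-based CGNAT server.

Added example, not code from the article: it parses the sysctl lines
shown above, then applies Little's law (concurrent entries = arrival
rate x mean entry lifetime) to an assumed traffic mix and compares the
steady-state table occupancy with nf_conntrack_max and the hashsize.
The traffic rates below are constructed, not measured.
"""
from dataclasses import dataclass

# The article's settings, embedded here as constructed sample input.
SYSCTL_TEXT = """
net.ipv4.ip_forward = 1
net.ipv4.ip_local_port_range = 8192 65535
net.netfilter.nf_conntrack_tcp_timeout_established = 600
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 60
net.netfilter.nf_conntrack_max = 3145728
"""
HASHSIZE = 1572864  # from 'options nf_conntrack hashsize=1572864'
NS = "net.netfilter."


def parse_sysctl(text):
    """Parse 'key = value' lines into a dict; blank lines and comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


@dataclass(frozen=True)
class FlowClass:
    """One kind of flow: how often it starts, how long it is active, and
    which idle timeout governs its entry after the last packet is seen."""
    name: str
    rate: float          # new flows per second (constructed)
    active: float        # seconds the flow exchanges packets (constructed)
    final_timeout: str   # sysctl that bounds how long the idle entry lingers


# Constructed mix for a mobile operator: most TCP sessions close cleanly
# and linger in TIME_WAIT, but some are abandoned mid-session (handset
# lost coverage) and sit in ESTABLISHED until that timeout expires.
TRAFFIC_MIX = [
    FlowClass("tcp_closed",    4000, 5,  NS + "nf_conntrack_tcp_timeout_time_wait"),
    FlowClass("tcp_abandoned",  200, 30, NS + "nf_conntrack_tcp_timeout_established"),
    FlowClass("udp_dns",       3000, 1,  NS + "nf_conntrack_udp_timeout"),
    FlowClass("udp_stream",     100, 60, NS + "nf_conntrack_udp_timeout_stream"),
]


def steady_state_entries(settings, mix):
    """Little's law: each class contributes rate x (active time + idle timeout)."""
    total = 0.0
    for fc in mix:
        timeout = int(settings[fc.final_timeout])
        total += fc.rate * (fc.active + timeout)
    return int(total)


def check_capacity(settings, hashsize, mix):
    """Compare projected occupancy with nf_conntrack_max and report the
    average hash-chain length when the table is full (max / hashsize)."""
    entries = steady_state_entries(settings, mix)
    ct_max = int(settings[NS + "nf_conntrack_max"])
    return {
        "entries": entries,
        "conntrack_max": ct_max,
        "fits": entries <= ct_max,
        "avg_chain": ct_max / hashsize,
    }


def with_default_established(settings):
    """Same settings, but with the kernel's stock 5-day (432000 s)
    tcp_timeout_established, to show why the article lowers it."""
    changed = dict(settings)
    changed[NS + "nf_conntrack_tcp_timeout_established"] = "432000"
    return changed


if __name__ == "__main__":
    tuned = parse_sysctl(SYSCTL_TEXT)
    print("tuned:  ", check_capacity(tuned, HASHSIZE, TRAFFIC_MIX))
    print("default:", check_capacity(with_default_established(tuned), HASHSIZE, TRAFFIC_MIX))
```

With the article's timeouts the constructed mix settles at about 731,000 entries, well inside nf_conntrack_max; with the stock established timeout the abandoned sessions alone push it past 87 million, which is the "dangerous size" the text warns about. The avg_chain value of 2.0 is simply nf_conntrack_max divided by hashsize for the two numbers on the page.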
After these simple settings you have a fully working design that can translate a large number of subscriber addresses into a pool of external addresses. However, the performance of this solution leaves much to be desired. In my first attempts at using GNU/Linux for NAT (around 2013) I got about 7 Gbit/s at 0.8 Mpps out of a single server (Xeon E5-1650v2). Since then the GNU/Linux kernel network stack has received many optimisations, and the throughput of one server on the same hardware has grown to about 18-19 Gbit/s at 1.8-1.9 Mpps (these were the peak figures), but the amount of traffic a single server is expected to handle has grown much faster. In the end, load-balancing schemes across several servers were built, but all of this increased the complexity of setup and maintenance and made it harder to keep up the quality of the services provided.
NFTables
Nowadays the fashionable trend in software "packet shifting" is the use of DPDK and XDP. Many articles have been written on the subject, many talks have been given, and commercial products are appearing (for example, SKAT from VasExperts). But given the limited programming resources of telecom operators, building your own "product" on top of these frameworks is rather problematic, and operating such a solution later will be even harder; in particular, monitoring tools will have to be written. For example, the usual tcpdump does not work as-is with DPDK, and it will not "see" packets that XDP sends back to the wire. Amid all the talk about new technologies for moving packet forwarding into user space, the talks by Pablo Neira Ayuso, the iptables maintainer, on the development of flow offloading in nftables went unnoticed. Let's take a closer look at this mechanism.
The main idea is this: once the router has passed packets of one session in both directions of the flow (the TCP session has entered the ESTABLISHED state), there is no point in running the subsequent packets of that session through all the firewall rules, because all those checks will end with the packet being handed to routing anyway. And we do not really need to select a route either: we already know which interface and which next hop the packets of this session have to go to. All that remains is to store this information and use it for forwarding at an early stage of packet processing. When doing NAT, the information about the address and port rewrites performed by the nf_conntrack module has to be stored as well. Yes, in this case the various policers and other statistics and policy rules in iptables stop working, but within the scope of a dedicated NAT box or, say, a border router this is not very important, because those functions are distributed across other devices.
Configuration
To use this function we need to:
- Use a fresh kernel. Although the functionality appeared in kernel 4.16, for a long time it was very "raw" and regularly caused kernel panics. Everything settled down in December 2019, when the LTS kernels 4.19.90 and 5.4.5 were released.
- Rewrite the iptables rules in nftables format using a recent version of nftables. It definitely works in version 0.9.0.
If the first point is clear in principle, the main thing being not to forget to enable the module in the kernel configuration at build time (CONFIG_NFT_FLOW_OFFLOAD=m), the second point needs some explanation. nftables rules are written completely differently from iptables. The documentation covers almost everything, and there are also dedicated converters from iptables rules to nftables. So I will only give an example of the NAT and flow offload setup. A small legend for the example: <i_if>, <o_if> are the network interfaces the traffic passes through; in reality there may be more than two of them. <pool_addr_start>, <pool_addr_end> are the first and last address of the range of "white" addresses.
The NAT setup is very simple:
#!/usr/sbin/nft -f
table nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oif <o_if> snat to <pool_addr_start>-<pool_addr_end> persistent
    }
}
Flow offload is a little more involved, but still quite understandable:
#!/usr/sbin/nft -f
table inet filter {
    flowtable fastnat {
        hook ingress priority 0
        devices = { <i_if>, <o_if> }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        ip protocol { tcp , udp } flow offload @fastnat;
    }
}
That, in fact, is the whole setup. From now on all TCP/UDP traffic lands in the fastnat flowtable and is processed much faster.
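To make the mechanism described above concrete (the idea from the NFTables section and the NAT plus flow offload configuration just shown), here is an added example, not code from the article and not the kernel's implementation: a small simulator of a NAT box with a connection-tracking table and a flow table. The first packet of a flow walks the forward chain, receives a persistent SNAT mapping and a route lookup; once the reply has been seen, both directions of the 5-tuple are placed in the flow table together with the learned output interface and rewrite, and later packets of that flow skip rules and routing entirely. Interface names, the pool addresses (documentation ranges) and the packets are constructed.

```python
"""Toy model of conntrack plus flow offload on a NAT box.

Added example, not code from the article and not the kernel's own
implementation. It counts how many times the rule chain is walked and
how many route lookups are made, so the saving from offloading an
established flow becomes visible.
"""
import ipaddress
from dataclasses import dataclass, field

INTERNAL = ipaddress.ip_network("100.64.0.0/10")   # subscriber side (shared address space)
POOL = ["203.0.113.1", "203.0.113.2"]             # constructed 'white' pool (documentation range)
I_IF, O_IF = "i_if", "o_if"                       # stand-ins for <i_if> and <o_if>


@dataclass(frozen=True)
class Packet:
    iif: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        """The 5-tuple that conntrack and the flow table are indexed by."""
        return (self.proto, self.src, self.sport, self.dst, self.dport)


@dataclass
class ConnEntry:
    orig: tuple                 # tuple as sent by the subscriber
    reply: tuple                # tuple of the reply as it arrives from the Internet
    ext_addr: str
    ext_port: int
    established: bool = False   # both directions seen
    oif: dict = field(default_factory=dict)   # direction tuple -> output interface learned on the slow path


class NatRouter:
    def __init__(self):
        self.conntrack = {}   # key -> ConnEntry, indexed under both directions
        self.flowtable = {}   # key -> (oif, entry) for offloaded flows
        self.next_port = {addr: 1024 for addr in POOL}
        self.rules_evaluated = 0
        self.route_lookups = 0

    def route(self, dst):
        self.route_lookups += 1
        return I_IF if ipaddress.ip_address(dst) in INTERNAL else O_IF

    def pick_external(self, src):
        """'persistent' SNAT: a subscriber always maps to the same pool address."""
        addr = POOL[int(ipaddress.ip_address(src)) % len(POOL)]
        port = self.next_port[addr]
        self.next_port[addr] += 1
        return addr, port

    def forward_rules(self, pkt):
        """Stand-in for the whole filter chain; each walk through it is counted."""
        self.rules_evaluated += 1
        return True   # policy accept

    def translate(self, pkt, entry):
        if pkt.key() == entry.orig:   # subscriber -> Internet: rewrite the source
            return Packet(pkt.iif, pkt.proto, entry.ext_addr, entry.ext_port, pkt.dst, pkt.dport)
        _, src, sport, _, _ = entry.orig    # Internet -> subscriber: undo the rewrite
        return Packet(pkt.iif, pkt.proto, pkt.src, pkt.sport, src, sport)

    def process(self, pkt):
        """Return (path, translated packet, output interface); path is 'fast', 'slow' or 'drop'."""
        hit = self.flowtable.get(pkt.key())
        if hit is not None:                     # flowtable hit: no rules, no route lookup
            oif, entry = hit
            return "fast", self.translate(pkt, entry), oif

        entry = self.conntrack.get(pkt.key())
        if entry is None:
            if pkt.iif != I_IF:                 # unsolicited inbound: nothing to map it to
                return "drop", None, None
            ext_addr, ext_port = self.pick_external(pkt.src)
            reply = (pkt.proto, pkt.dst, pkt.dport, ext_addr, ext_port)
            entry = ConnEntry(pkt.key(), reply, ext_addr, ext_port)
            self.conntrack[entry.orig] = entry
            self.conntrack[entry.reply] = entry
        elif pkt.key() == entry.reply:
            entry.established = True            # reply seen: the flow is now bidirectional

        if not self.forward_rules(pkt):
            return "drop", None, None
        out = self.translate(pkt, entry)
        oif = self.route(out.dst)
        entry.oif[pkt.key()] = oif
        if entry.established:                   # the 'flow offload @fastnat' rule fires
            for direction in (entry.orig, entry.reply):
                if direction in entry.oif:
                    self.flowtable[direction] = (entry.oif[direction], entry)
        return "slow", out, oif


def demo():
    """Three-way handshake plus one data segment; returns the path each packet
    took and how many rule walks and route lookups the router needed."""
    r = NatRouter()
    syn = Packet(I_IF, "tcp", "100.64.1.10", 40000, "198.51.100.5", 443)
    p1, out, _ = r.process(syn)
    synack = Packet(O_IF, "tcp", "198.51.100.5", 443, out.src, out.sport)
    p2, _, _ = r.process(synack)
    p3, _, _ = r.process(syn)       # client ACK: same 5-tuple as the SYN
    p4, _, _ = r.process(synack)    # first data segment from the server
    return [p1, p2, p3, p4], r.rules_evaluated, r.route_lookups


if __name__ == "__main__":
    print(demo())   # (['slow', 'slow', 'fast', 'fast'], 2, 2)
```

Only the two packets needed to observe both directions touch the rule chain and the routing table; everything after that is a hash lookup plus a stored rewrite, which is exactly why the fastnat server in the next section has so much headroom. The model also shows the trade-off the text mentions: a flowtable hit never reaches the forward chain, so any counters or policers placed there stop seeing the offloaded packets.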
Results
To illustrate how much faster this is, I am attaching a screenshot of the load on two real servers with identical hardware (Xeon E5-1650v2), configured identically and running the same Linux kernel, but doing NAT in iptables (NAT4) and in nftables (NAT5).

There is no packets-per-second graph in the screenshot, but in the load profile of these servers the average packet size is around 800 bytes, so the figure reaches 1.5 Mpps. As you can see, the server with nftables has a huge performance reserve. At present this server handles up to 30 Gbit/s at 3 Mpps and is clearly capable of hitting the physical limit of the 40 Gbps network, while still having free CPU resources.
I hope this material is useful to network engineers trying to improve the performance of their servers.
Source: www.habr.com
