Marka ciwaannada IPV4 ay noqdaan kuwo gabaabsi ah, hawl-wadeenno badan oo isgaarsiineed ayaa wajahaya baahida loo qabo in macaamiishooda ay helaan shabakad iyagoo isticmaalaya tarjumaada ciwaanka. Maqaalkan waxaan ku sheegi doonaa sida aad u heli karto waxqabadka Carrier Grade NAT ee adeegayaasha badeecadaha.
Tiro yar oo taariikh ah
Mawduuca ciwaanka IPv4 ee daalka meel bannaan ma aha hadda cusub. Mararka qaar, liisaska sugitaanka ayaa ka soo muuqday RIPE, ka dibna waxaa soo baxay wax-isweydaarsiyo lagu kala iibsanayo baloogyada cinwaannada oo la soo gabagabeeyay heshiisyo lagu kireynayo. Si tartiib tartiib ah, hawl-wadeennada isgaarsiintu waxay bilaabeen inay bixiyaan adeegyada internetka iyagoo isticmaalaya ciwaanka iyo tarjumaada dekedda. Qaar ka mid ah ma aysan suurtagelin inay helaan cinwaano ku filan si ay u soo saaraan ciwaan "cad" mid kasta oo macaamiisha ah, halka qaar kalena ay bilaabeen inay lacag kaydsadaan iyagoo diiday inay iibsadaan cinwaannada suuqa sare. Soo-saareyaasha qalabka shabakada ayaa taageeray fikradan, sababtoo ah shaqadani waxay inta badan u baahan tahay qaybo dheeraad ah oo dheeraad ah ama shatiyo. Tusaale ahaan, khadka Juniper ee MX router (marka laga reebo MX104 iyo MX204 ee ugu dambeeyay), waxaad NAPT ku sameyn kartaa kaarka adeegga MS-MIC ee goonida ah, Cisco ASR1k wuxuu u baahan yahay shatiga CGN, Cisco ASR9k wuxuu u baahan yahay module A9K-ISM-100 gaar ah. iyo shatiga A9K-CGN -LIC isaga. Guud ahaan, raaxada waxay ku kacdaa lacag badan.
IPTables
Hawsha fulinta NAT uma baahna agab xisaabeed gaar ah; waxaa lagu xallin karaa soo-saareyaal ujeedo guud ah, kuwaas oo lagu rakibay, tusaale ahaan, router kasta oo guriga ah. Marka la eego miisaanka hawl wadeenka isgaadhsiinta, dhibaatadan waxa lagu xalin karaa iyada oo la isticmaalayo adeegayaasha badeecadaha ee ku shaqeeya FreeBSD (ipfw/pf) ama GNU/Linux (iptables). Ma tixgelin doono FreeBSD, sababtoo ah ... Waxaan joojiyay isticmaalka OS-kan wakhti dheer ka hor, marka waxaan ku dhegganaan doonaa GNU/Linux.
Awood siinta tarjumaada ciwaanka gabi ahaanba ma aha mid adag. Marka hore waxaad u baahan tahay inaad iska diiwaan geliso qaanuunka iptables ee miiska nat:
iptables -t nat -A POSTROUTING -s 100.64.0.0/10 -j SNAT --to <pool_start_addr>-<pool_end_addr> --persistent
Nidaamka hawlgalka ayaa ku shubi doona moduleka nf_conntrack, kaas oo la socon doona dhammaan xidhiidhada firfircoon oo fulin doona beddelka lagama maarmaanka ah. Waxaa jira dhowr waxyaalood oo qarsoon halkan. Marka hore, maadaama aan ka hadleyno NAT oo ku saabsan miisaanka hawlwadeenka isgaarsiinta, waa lagama maarmaan in la hagaajiyo waqtiyada, sababtoo ah qiimaha caadiga ah ee cabbirka miiska turjumaadda ayaa si dhakhso ah u kori doona qiyamka musiibada. Hoos waxaa ku yaal tusaale goobaha aan ku isticmaalay server-kayga:
net.ipv4.ip_forward = 1
net.ipv4.ip_local_port_range = 8192 65535
net.netfilter.nf_conntrack_generic_timeout = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 600
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 45
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 60
net.netfilter.nf_conntrack_icmpv6_timeout = 30
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_events_retry_timeout = 15
net.netfilter.nf_conntrack_checksum=0
Marka labaad, maadaama cabbirka caadiga ah ee miiska tarjumaadda aan loogu talagelin inuu ku shaqeeyo shuruudaha hawlwadeenka isgaadhsiinta, waxay u baahan tahay in la kordhiyo:
net.netfilter.nf_conntrack_max = 3145728
Waxa kale oo lagama maarmaan ah in la kordhiyo tirada baaldiyada miiska xashiishka ee lagu kaydinayo dhammaan baahinta (tani waa ikhtiyaarka nf_conntrack module):
options nf_conntrack hashsize=1572864
Ka dib khalkhalgelintan fudud, naqshad dhammaystiran oo shaqaynaysa ayaa la helay oo u tarjumi karta tiro badan oo cinwaano macmiil ah barkad kuwa dibadda ah. Si kastaba ha noqotee, waxqabadka xalkani wuxuu ka tagayaa wax badan oo la rabo. Isku daygii ugu horreeyay ee aan ku isticmaalay GNU/Linux ee NAT (qiyaastii 2013), waxaan awooday inaan helo waxqabadka agagaarka 7Gbit/s ee 0.8Mpps server kasta (Xeon E5-1650v2). Ilaa wakhtigaas, wanaajin badan oo kala duwan ayaa lagu sameeyay isku xidhka shabakada GNU/Linux kernel, waxqabadka hal server ee isla qalabku wuxuu kordhay ku dhawaad ββ18-19 Gbit/s 1.8-1.9 Mpps (kuwaani waxay ahaayeen qiimaha ugu badan) , laakiin baahida loo qabo mugga taraafigga, ee uu farsameeyo hal server ayaa si degdeg ah u kordhay. Natiijo ahaan, qorshayaal ayaa la sameeyay si loogu dheellitiro culeyska server-yada kala duwan, laakiin waxaas oo dhan waxay kordhiyeen kakanaanta dejinta, ilaalinta iyo ilaalinta tayada adeegyada la bixiyo.
GABOOYIN
Maalmahan, isbeddelka moodada ee software "bacaha beddelka" waa isticmaalka DPDK iyo XDP. Maqaalo badan ayaa laga qoray mawduucan, khudbado badan oo kala duwan ayaa la sameeyay, iyo alaabooyin ganacsi ayaa soo muuqday (tusaale, SKAT oo ka socota VasExperts). Laakin marka la eego ilaha barnaamijka ee xadidan ee hawl wadeenada isgaadhsiinta, waa dhibaato aad u wayn in la abuuro wax "alaabta" ah oo ku salaysan qaab-dhismeedyadan keligaa. Aad bay u adkaan doontaa in lagu shaqeeyo xalkan mustaqbalka, gaar ahaan, qalabka lagu ogaanayo waa in la sameeyo. Tusaale ahaan, tcpdump caadiga ah ee DPDK uma shaqayn doono sidaas oo kale, mana "arki doono" baakadaha dib loogu soo celiyay fiilooyinka iyadoo la isticmaalayo XDP. Iyada oo ay ku jiraan dhammaan hadalka ku saabsan tignoolajiyada cusub ee soo saarista xirmada u gudbinta goobta isticmaalaha, lama ogaan ΠΈ Pablo Neira Ayuso, ilaaliye iptables, oo ku saabsan horumarinta qulqulka qulqulka ee nftables. Aynu si qoto dheer u eegno habkan.
Fikradda ugu weyn ayaa ah in haddii router uu ka soo gudbay baakidh ka mid ah hal fadhi labada jiho ee socodka (Kalfadhiga TCP wuxuu galay gobolka la aasaasay), markaa ma jirto baahi loo qabo in la gudbiyo xirmooyinka xiga ee casharkan iyada oo loo marayo dhammaan xeerarka dabka, sababtoo ah Dhammaan jeegaggu wali way dhammaan doonaan iyadoo baakadda lagu sii wareejinayo marinka. Dhab ahaantiina uma baahnin inaan doorano waddo - waxaan horeyba u ognahay interface-ka iyo martigeliyaha aan u baahanahay inaan u dirno xirmooyinka fadhigan dhexdiisa. Waxa kaliya ee hadhay waa in la kaydiyo macluumaadkan oo loo isticmaalo hab-socodka marxaladda hore ee habaynta baakadaha. Markaad samaynayso NAT, waxaa lagama maarmaan ah in lagu kaydiyo macluumaadka ku saabsan isbeddelada ciwaannada iyo dekedaha ee uu turjumay module nf_conntrack. Haa, dabcan, kiiskan booliiska kala duwan iyo macluumaadka kale iyo xeerarka tirakoobka ee iptables joojiso shaqada, laakiin gudaha qaabka hawsha NAT taagan gaar ah ama, tusaale ahaan, xadka, tani ma aha sidaas muhiim ah, sababtoo ah adeegyada waxaa loo qaybiyaa qalabka.
Qaabeynta
Si aan u isticmaalno shaqadan waxaan u baahanahay:
- Isticmaal kernel cusub. In kasta oo xaqiiqda ah in shaqeynta lafteeda ay ka soo muuqatay kernel 4.16, muddo dheer waxay ahayd mid aad "ceeriin" oo si joogto ah u keentay argagax kernel. Wax walba waxa ay xasiliyeen ilaa Disembar 2019, markii LTS kernels 4.19.90 iyo 5.4.5 la sii daayay.
- Dib ugu qor xeerarka iptables qaab nftables adiga oo isticmaalaya nooca ugu dambeeyay ee nftables. Si sax ah ayuu ugu shaqeeyaa nooca 0.9.0
Haddii wax kasta oo mabda'a ah ay ku caddahay qodobka koowaad, waxa ugu muhiimsan waa in aan la iloobin in lagu daro moduleka qaabeynta inta lagu jiro kulanka (CONFIG_NFT_FLOW_OFFLOAD = m), markaa qodobka labaad wuxuu u baahan yahay sharaxaad. Xeerarka nftables ayaa si buuxda loogu sifeeyay si ka duwan kan iptables. muujinaya ku dhawaad ββdhammaan dhibcood, waxaa sidoo kale jira gaar ah Xeerarka laga bilaabo iptables ilaa nftables. Sidaa darteed, waxaan kaliya ku siin doonaa tusaale ah dejinta NAT iyo socodka offload. Halyey yar tusaale ahaan: , - kuwani waa shabakadaha isku xidhka ee ay gaadiidku maraan, run ahaantii waxa jiri kara wax ka badan laba ka mid ah. , - ciwaanka bilawga iyo dhamaadka ee kala duwan ee ciwaanada "cad".
Qaabeynta NAT waa mid aad u fudud:
#! /usr/sbin/nft -f
table nat {
chain postrouting {
type nat hook postrouting priority 100;
oif <o_if> snat to <pool_addr_start>-<pool_addr_end> persistent
}
}
Marka la soo dajiyo qulqulka qulqulka, way ka sii dhib badan tahay, laakiin aad loo fahmi karo:
#! /usr/sbin/nft -f
table inet filter {
flowtable fastnat {
hook ingress priority 0
devices = { <i_if>, <o_if> }
}
chain forward {
type filter hook forward priority 0; policy accept;
ip protocol { tcp , udp } flow offload @fastnat;
}
}
Taasi, dhab ahaantii, waa habaynta oo dhan. Hadda dhammaan taraafikada TCP/UDP waxay ku dhici doonaan miiska fastnat oo si degdeg ah ayaa looga baaraandegi doonaa.
Π Π΅Π·ΡΠ»ΡΡΠ°ΡΡ
Si aan u caddeeyo sida ay tani u "dhaqsaha badan tahay", waxaan ku soo lifaaqi doonaa shaashadda culeyska laba server oo dhab ah, oo wata qalab isku mid ah (Xeon E5-1650v2), si isku mid ah loo habeeyey, iyadoo la adeegsanayo isla Linux kernel, laakiin ku shaqeynaya NAT ee iptables (NAT4) iyo nftables (NAT5).
Ma jiro garaaf xirmo ilbiriqsi kasta oo shaashadda ah, laakiin muuqaalka culeyska ee adeegayaashan celceliska cabbirka baakidhku waa ku dhawaad ββββ800 bytes, markaa qiimayaashu waxay gaadhaan ilaa 1.5Mpps. Sida aad arki karto, server-ka leh nftables wuxuu leeyahay kayd waxqabad oo weyn. Waqtigan xaadirka ah, server-kan wuxuu ku shaqeeyaa ilaa 30Gbit/s 3Mpps wuxuuna si cad u awoodayaa inuu daboolo xaddidaadda shabakadda jireed ee 40Gbps, isagoo haysta agab CPU oo bilaash ah.
Waxaan rajeynayaa in qalabkani uu faa'iido u yeelan doono injineerada shabakada isku dayaya inay hagaajiyaan waxqabadka server-kooda.
Source: www.habr.com