Fast routing and NAT on Linux

As IPv4 addresses run out, many telecom operators face the need to give their subscribers network access using address translation. In this article I will describe how to get Carrier Grade NAT performance on commodity servers.

A bit of history

The topic of IPv4 address space exhaustion is no longer new. At some point waiting lists appeared at RIPE, then exchanges emerged where address blocks were traded and deals were made to lease them. Gradually, telecom operators began offering Internet access using address and port translation. Some could not obtain enough addresses to give a "white" (public) address to every subscriber, while others started saving money by refusing to buy addresses on the secondary market. Network equipment vendors supported this idea, because this functionality usually requires additional modules or licenses. For example, in Juniper's MX router line (except for the recent MX104 and MX204), NAPT can be done on a separate MS-MIC service card, Cisco ASR1k requires a CGN license, and Cisco ASR9k requires a separate A9K-ISM-100 module and the A9K-CGN-LIC license for it. In short, the pleasure costs a lot of money.

IPTables

Performing NAT does not require specialized computing resources; it can be handled by general-purpose processors, which are installed, for example, in any home router. At the scale of a telecom operator, this task can be solved using commodity servers running FreeBSD (ipfw/pf) or GNU/Linux (iptables). We will not consider FreeBSD, because... I stopped using that OS a long time ago, so we will stick with GNU/Linux.

Enabling address translation is not difficult at all. First you need to add a rule to the nat table in iptables:

iptables -t nat -A POSTROUTING -s 100.64.0.0/10 -j SNAT --to <pool_start_addr>-<pool_end_addr> --persistent

The operating system will load the nf_conntrack module, which will keep track of all active connections and perform the necessary translations. There are several subtleties here. First, since we are talking about NAT at the scale of a telecom operator, the timeouts need to be tuned, because with the default values the translation table will quickly grow to an enormous size. Below is an example of the settings I used on my servers:

net.ipv4.ip_forward = 1
net.ipv4.ip_local_port_range = 8192 65535

net.netfilter.nf_conntrack_generic_timeout = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 600
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 45
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 60
net.netfilter.nf_conntrack_icmpv6_timeout = 30
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_events_retry_timeout = 15
net.netfilter.nf_conntrack_checksum = 0

Second, since the default size of the translation table is not designed for the conditions of a telecom operator, it needs to be increased:

net.netfilter.nf_conntrack_max = 3145728

It is also necessary to increase the number of buckets in the hash table that stores all translations (this is an option of the nf_conntrack module):

options nf_conntrack hashsize=1572864
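A quick sanity check of the sizing above, written for this article as an added example (not the author's script): it parses the port range, nf_conntrack_max and hashsize values shown on this page and relates them to the size of the external pool. POOL_SIZE and the function names are assumptions; the capacity figure is conservative because it ignores source-port reuse across different destinations.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the conntrack
# sizing against the CGNAT pool. The settings below are the article's values,
# embedded here as constructed input; the pool size (POOL_SIZE) is an assumption.

SYSCTL_CONF='net.ipv4.ip_local_port_range = 8192 65535
net.netfilter.nf_conntrack_max = 3145728'
MODPROBE_CONF='options nf_conntrack hashsize=1572864'
POOL_SIZE=64    # hypothetical number of "white" addresses in the SNAT pool

# Value of one key from sysctl-style "key = value" text on stdin.
sysctl_value() {  # $1 = key
    awk -F'=' -v k="$1" '{ gsub(/ /, "", $1) } $1 == k { sub(/^ */, "", $2); print $2 }'
}

# Usable source ports per pool address, from "low high" of ip_local_port_range.
ports_per_address() {  # $1 = low, $2 = high
    echo $(( $2 - $1 + 1 ))
}

# Conservative capacity: one conntrack entry per (address, port) pair, no port
# reuse across destinations. Prints the smaller of pool capacity and nf_conntrack_max.
usable_translations() {  # $1 = pool addresses, $2 = ports per address, $3 = nf_conntrack_max
    cap=$(( $1 * $2 ))
    [ "$cap" -lt "$3" ] && echo "$cap" || echo "$3"
}

# Average hash chain length when the table is full: entries per bucket.
entries_per_bucket() {  # $1 = nf_conntrack_max, $2 = hashsize
    echo $(( $1 / $2 ))
}

range=$(printf '%s\n' "$SYSCTL_CONF" | sysctl_value net.ipv4.ip_local_port_range)
ct_max=$(printf '%s\n' "$SYSCTL_CONF" | sysctl_value net.netfilter.nf_conntrack_max)
hashsize=${MODPROBE_CONF#*hashsize=}
ports=$(ports_per_address $range)      # unquoted on purpose: "low high" becomes two args
echo "ports per address:   $ports"
echo "usable translations: $(usable_translations "$POOL_SIZE" "$ports" "$ct_max") (table max $ct_max)"
echo "entries per bucket:  $(entries_per_bucket "$ct_max" "$hashsize")"
```

With the article's values a 64-address pool can in principle hold more translations than the table (64 * 57344 > 3145728), so nf_conntrack_max, not the pool, is the limit.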

After these simple manipulations you get a fully working setup that can translate a large number of subscriber addresses into a pool of external ones. However, the performance of this solution leaves much to be desired. In my first attempts to use GNU/Linux for NAT (around 2013), I was able to get about 7 Gbit/s at 0.8 Mpps per server (Xeon E5-1650v2). Since then, many optimizations have been made in the GNU/Linux kernel network stack, and the performance of a single server on the same hardware has grown to almost 18-19 Gbit/s at 1.8-1.9 Mpps (these were the peak values), but the volume of traffic that a single server was expected to handle grew much faster. As a result, schemes were devised to balance the load across several servers, but all of this increased the complexity of setup, maintenance, and of keeping up the quality of the services provided.

NFTables

Nowadays, the fashionable trend in software "packet shoveling" is the use of DPDK and XDP. Many articles have been written on this topic, many talks have been given, and commercial products are appearing (for example, SKAT from VasExperts). But given the limited programming resources of telecom operators, it is quite problematic to build any "product" on these frameworks on your own. Operating such a solution afterwards is even harder; in particular, diagnostic tools will have to be developed. For example, the usual tcpdump with DPDK will not just work, and it will not "see" packets sent back into the wire by XDP. Amid all the talk about new userspace packet-forwarding technologies, the reports and articles by Pablo Neira Ayuso, the iptables maintainer, about the development of flow offloading in nftables went unnoticed. Let's take a closer look at this mechanism.

The main idea is that if the router has already forwarded packets of one session in both directions of the flow (the TCP session has entered the ESTABLISHED state), then there is no need to pass subsequent packets of this session through all the firewall rules, because all those checks would still end with the packet being forwarded on. And there is no need to do a route lookup either: we already know which interface and which host we need to send packets to within this session. All that remains is to save this information and use it for routing at an early stage of packet processing. When doing NAT, it is additionally necessary to store the address and port changes applied by the nf_conntrack module. Yes, of course, in this case various policing rules and other informational and statistics rules in iptables stop working, but within the scope of a standalone NAT box or, for example, a border router, this is not so important, because the services are distributed across devices.

Setup

To use this feature we need:

  • Use a fresh kernel. Although the functionality itself appeared in kernel 4.16, for quite a long time it was very "raw" and regularly caused kernel panics. Everything stabilized around December 2019, when the LTS kernels 4.19.90 and 5.4.5 were released.
  • Rewrite the iptables rules in nftables format using a fairly recent version of nftables. It works fine with version 0.9.0

If everything is basically clear with the first point (the main thing is not to forget to include the module in the configuration when building the kernel, CONFIG_NFT_FLOW_OFFLOAD=m), then the second point needs an explanation. nftables rules are described quite differently than in iptables. The documentation covers almost all the details, and there are also dedicated converters of rules from iptables to nftables. Therefore, I will only give an example of setting up NAT and flow offload. A small legend for the example: <i_if>, <o_if> are the network interfaces through which traffic passes; in reality there may be more than two of them. <pool_addr_start>, <pool_addr_end> are the first and last addresses of the range of "white" addresses.

The NAT configuration is very simple:

#! /usr/sbin/nft -f

table nat {
        chain postrouting {
                type nat hook postrouting priority 100;
                oif <o_if> snat to <pool_addr_start>-<pool_addr_end> persistent
        }
}

With flow offload it is a little more complicated, but quite understandable:

#! /usr/sbin/nft -f

table inet filter {
        flowtable fastnat {
                hook ingress priority 0
                devices = { <i_if>, <o_if> }
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
                ip protocol { tcp , udp } flow offload @fastnat;
        }
}

That is, in fact, the whole configuration. Now all TCP/UDP traffic will go into the fastnat table and be processed much faster.
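Since offloaded flows bypass the iptables/nftables counters, the practical way to confirm the flowtable is doing its job is to look at conntrack itself: in the /proc/net/nf_conntrack text format an offloaded entry carries the [OFFLOAD] flag in place of [ASSURED]. The following script is an added example for this article, not the author's code; the conntrack lines in it are constructed sample data (RFC 5737/6598 addresses), and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): measure how many conntrack
# entries the flowtable is actually handling. Input is the /proc/net/nf_conntrack
# text format, where an offloaded flow carries the [OFFLOAD] flag in place of
# [ASSURED]. The lines below are constructed sample data, not a real capture.

SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=100.64.1.10 dst=203.0.113.5 sport=40532 dport=443 src=203.0.113.5 dst=198.51.100.7 sport=443 dport=20001 [OFFLOAD] mark=0 zone=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=100.64.1.11 dst=203.0.113.9 sport=51000 dport=80 [UNREPLIED] src=203.0.113.9 dst=198.51.100.7 sport=80 dport=20002 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=100.64.1.12 dst=203.0.113.53 sport=53120 dport=53 src=203.0.113.53 dst=198.51.100.7 sport=53 dport=20003 [OFFLOAD] mark=0 zone=0 use=2
ipv4     2 icmp     1 29 src=100.64.1.13 dst=203.0.113.1 type=8 code=0 id=4 src=203.0.113.1 dst=198.51.100.7 type=0 code=0 id=4 mark=0 zone=0 use=2'

# Count offloaded and total TCP/UDP entries on stdin; prints "<offloaded> <total>".
# ICMP is skipped because the article's rule only offloads tcp and udp.
offload_stats() {
    awk '
        $3 == "tcp" || $3 == "udp" {
            total++
            if (index($0, "[OFFLOAD]") > 0) offloaded++
        }
        END { printf "%d %d\n", offloaded + 0, total + 0 }
    '
}

# Percentage of TCP/UDP entries that are offloaded (integer, 0 for an empty table).
offload_percent() {  # $1 = offloaded, $2 = total
    [ "$2" -gt 0 ] || { echo 0; return 0; }
    echo $(( $1 * 100 / $2 ))
}

# Stats for the constructed sample, usable without a running NAT box.
sample_stats() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | offload_stats
}

# Use the live table when available (needs the nf_conntrack procfs), else the sample.
if [ -r /proc/net/nf_conntrack ]; then
    stats=$(offload_stats < /proc/net/nf_conntrack)
else
    stats=$(sample_stats)
fi
off=${stats% *}
tot=${stats#* }
echo "offloaded flows: $off of $tot TCP/UDP entries ($(offload_percent "$off" "$tot")%)"
```

A low percentage on a box running the configuration above usually means the offload is not taking effect (for example, an older kernel without CONFIG_NFT_FLOW_OFFLOAD), since only half-open TCP sessions are expected to stay in the slow path.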

Results

To make it clear "how much faster" this is, I will attach a screenshot of the load on two real servers with identical hardware (Xeon E5-1650v2), configured identically and running the same Linux kernel, but performing NAT in iptables (NAT4) and in nftables (NAT5).

[screenshot: load graphs of the NAT4 (iptables) and NAT5 (nftables) servers]

There is no packets-per-second graph in the screenshot, but in the load profile of these servers the average packet size is about 800 bytes, so the rate reaches 1.5 Mpps. As you can see, the server with nftables has a huge performance reserve. Currently this server handles up to 30 Gbit/s at 3 Mpps and is clearly capable of hitting the physical 40 Gbps network limit while still having free CPU resources.

I hope this material will be useful to network engineers trying to improve the performance of their servers.

Source: www.habr.com
