Njengoko iidilesi ze-IPv4 ziphelelwa, uninzi lwabasebenzisi bocingo bajongana nesidingo sokubonelela abathengi babo ngofikelelo lwenethiwekhi besebenzisa idilesi yokuguqulela. Kweli nqaku ndiza kukuxelela ukuba ungayifumana njani iCarrier Grade NAT ukusebenza kwiiseva zempahla.
Inxalenye ethile yembali
Umxholo we-IPv4 yokudinwa kwendawo awusemtsha. Ngexesha elithile, uluhlu lokulinda lwavela kwi-RIPE, emva koko kwavela utshintshiselwano apho iibhloko zeedilesi zathengiswa kwaye izivumelwano zagqitywa ukuziqeshisa. Kancinci kancinci, abaqhubi be-telecom baqala ukubonelela ngeenkonzo zokufikelela kwi-Intanethi besebenzisa idilesi kunye nokuguqulelwa kwezibuko. Abanye abazange balawule ukufumana iidilesi ezaneleyo zokukhupha idilesi "emhlophe" kubhalisi ngamnye, ngelixa abanye baqala ukugcina imali ngokungafuni ukuthenga iidilesi kwimarike yesibini. Abavelisi bezixhobo zenethiwekhi baxhasa le ngcamango, kuba oku kusebenza kufuna iimodyuli ezongezelelweyo okanye iilayisensi. Ngokomzekelo, kumgca weJuniper we-MX routers (ngaphandle kwe-MX104 kunye ne-MX204 yakutshanje), unokwenza i-NAPT kwikhadi lenkonzo ye-MS-MIC eyahlukileyo, i-Cisco ASR1k ifuna ilayisenisi ye-CGN, i-Cisco ASR9k ifuna imodyuli eyahlukileyo ye-A9K-ISM-100. kunye nelayisensi ye-A9K-CGN -LIC kuye. Ngokubanzi, ukuzonwabisa kubiza imali eninzi.
IPTables
Umsebenzi wokwenza i-NAT awufuni izixhobo ezikhethekileyo zekhompyuter, unokusombululwa ngabaqhubekekisi benjongo ngokubanzi, ezifakwe, umzekelo, kuyo nayiphi na i-router yasekhaya. Kwisikali somqhubi we-telecom, le ngxaki ingasonjululwa kusetyenziswa iiseva zempahla ezisebenzisa iFreeBSD (ipfw/pf) okanye iGNU/Linux (iptables). Asiyi kujonga iFreeBSD, kuba... Ndiyekile ukusebenzisa le OS kwakudala, ke siya kunamathela kwi-GNU/Linux.
Ukuvumela ukuguqulelwa kwedilesi akukho nzima kwaphela. Okokuqala kufuneka ubhalise umthetho kwiiptables kwitafile ye-nat:
iptables -t nat -A POSTROUTING -s 100.64.0.0/10 -j SNAT --to <pool_start_addr>-<pool_end_addr> --persistent
Inkqubo yokusebenza iya kulayisha imodyuli ye-nf_conntrack, eya kubeka iliso kulo lonke uxhulumaniso olusebenzayo kwaye yenze utshintsho oluyimfuneko. Kukho izinto ezifihlakeleyo ezininzi apha. Okokuqala, kuba sithetha nge-NAT kwisikali somqhubi we-telecom, kuyafuneka ukuba kuhlengahlengiswe ixesha lokuphuma, kuba ngamaxabiso angagqibekanga ubungakanani betafile yokuguqulela buya kukhula ngokukhawuleza bube yintlekele. Ngezantsi ngumzekelo woseto endilusebenzisileyo kwiiseva zam:
net.ipv4.ip_forward = 1
net.ipv4.ip_local_port_range = 8192 65535
net.netfilter.nf_conntrack_generic_timeout = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 600
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 45
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 60
net.netfilter.nf_conntrack_icmpv6_timeout = 30
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_events_retry_timeout = 15
net.netfilter.nf_conntrack_checksum=0
Kwaye okwesibini, ekubeni ubungakanani obungagqibekanga betafile yokuguqulela ayenzelwanga ukusebenza phantsi kweemeko zomqhubi we-telecom, kufuneka yandiswe:
net.netfilter.nf_conntrack_max = 3145728
Kukwayimfuneko ukunyusa inani lamabhakethi etafile yehash egcina lonke usasazo (oku kukhetho kwimodyuli ye-nf_contrack):
options nf_conntrack hashsize=1572864
Emva kolu buchule bulula, uyilo olusebenzayo ngokupheleleyo lufunyenwe olunokuguqulela inani elikhulu leedilesi zabaxumi kwi-pool yangaphandle. Nangona kunjalo, ukusebenza kwesi sisombululo kushiya okuninzi okufunwayo. Kwiinzame zam zokuqala zokusebenzisa i-GNU/Linux ye-NAT (malunga no-2013), ndiye ndakwazi ukufumana ukusebenza malunga ne-7Gbit/s kwi-0.8Mpps ngeseva nganye (Xeon E5-1650v2). Ukususela ngelo xesha, ukulungelelaniswa okuninzi okuhlukeneyo kuye kwenziwa kwi-GNU / Linux kernel network stack, ukusebenza kweseva enye kwi-hardware efanayo kuye kwanda ukuya phantse kwi-18-19 Gbit / s kwi-1.8-1.9 Mpps (ezi yayingamaxabiso aphezulu) , kodwa imfuno yomthamo wezithuthi, eqhutywe ngumncedisi omnye ikhule ngokukhawuleza. Ngenxa yoko, izikimu zaphuhliswa ukulinganisa umthwalo kumaseva ahlukeneyo, kodwa konke oku kwandisa ubunzima bokuseka, ukugcina nokugcina umgangatho weenkonzo ezibonelelwayo.
Iifayile zeNFT
Kule mihla, imfashini yefashoni kwisoftware "iingxowa zokutshintsha" kukusetyenziswa kweDPDK kunye neXDP. Amanqaku amaninzi abhaliwe kwesi sihloko, iintetho ezininzi ezahlukeneyo zenziwe, kwaye iimveliso zorhwebo zibonakala (umzekelo, i-SKAT esuka kwiVasExperts). Kodwa xa kujongwe izixhobo zokucwangcisa ezilinganiselweyo zabaqhubi be-telecom, kuyingxaki ukwenza nayiphi na "imveliso" esekwe kwezi zikhokelo ngokwakho. Kuya kuba nzima ngakumbi ukusebenzisa isisombululo esinjalo kwixesha elizayo; ngakumbi, izixhobo zokuxilonga kuya kufuneka ziphuhliswe. Ngokomzekelo, i-tcpdump eqhelekileyo kunye ne-DPDK ayiyi kusebenza ngolo hlobo, kwaye ayiyi "kubona" iipakethi ezithunyelwe emva kweengcingo usebenzisa i-XDP. Ngaphakathi kwayo yonke intetho malunga neetekhnoloji ezintsha zokuhambisa ipakethe kwindawo yomsebenzisi, azizange ziqatshelwe. и U-Pablo Neira Ayuso, umgcini we-iptables, malunga nokuphuhliswa kokuthuthwa kokuhamba kwii-nftables. Makhe sihlolisise le ndlela.
Ingcamango ephambili kukuba ukuba i-router idlulise iipakethi ukusuka kwiseshoni enye kuzo zombini izikhokelo zokuhamba (iseshoni ye-TCP yangena kwi-STABLISHED state), ngoko akukho mfuneko yokudlula iipakethi ezilandelayo zale seshoni kuyo yonke imithetho ye-firewall, kuba zonke ezi zitshekisho zisaza kuphela ngepakethi ekhutshelwe phambili kwindlela. Kwaye akukho mfuneko yokuba sikhethe indlela - sele sisazi ukuba kowuphi ujongano kwaye kowuphi umamkeli ekufuneka sithumele iipakethi kule seshoni. Ekuphela kwento eseleyo kukugcina olu lwazi kwaye ulusebenzisele umzila kwinqanaba lokuqala lokusetyenzwa kwepakethi. Xa usenza i-NAT, kuyimfuneko ukongezelela ukugcina ulwazi malunga notshintsho kwiidilesi kunye namachweba aguqulelwe yimodyuli ye-nf_conntrack. Ewe, kunjalo, kule meko amapolisa ahlukeneyo kunye nolunye ulwazi kunye nemithetho yezibalo kwi-iptables ukuyeka ukusebenza, kodwa ngaphakathi kwesakhelo somsebenzi wokuma okwahlukileyo NAT okanye, umzekelo, umda, oku akubalulekanga kangako, kuba iinkonzo zisasazwa kuzo zonke izixhobo.
Isimo
Ukusebenzisa lo msebenzi sifuna:
- Sebenzisa i-kernel entsha. Ngaphandle kwento yokuba umsebenzi ngokwawo uvele kwi-kernel 4.16, ixesha elide "yayiluhlaza" kwaye ibangela uloyiko lwe-kernel. Yonke into yazinza ngoDisemba ka-2019, xa ii-LTS kernels 4.19.90 kunye ne-5.4.5 zakhululwa.
- Phinda ubhale imithetho ye-iptables kwifomati ye-nftables usebenzisa inguqulelo yamva nje yee-nftables. Isebenza kanye kuguqulelo 0.9.0
Ukuba yonke into ngomgaqo icacile kunye nenqaku lokuqala, into ephambili ayiyikulibala ukubandakanya imodyuli kuqwalaselo ngexesha lendibano (CONFIG_NFT_FLOW_OFFLOAD=m), ke inqaku lesibini lifuna ingcaciso. imithetho ye-nftables ichazwa ngokwahlukileyo ngokupheleleyo kunee-iptables. ityhila phantse zonke iingongoma, kukho ezikhethekileyo imithetho ukusuka kwiptables ukuya kwi-nftables. Ke ngoko, ndiza kunika kuphela umzekelo wokuseta i-NAT kunye nokuhamba kokukhuphela. Ilivo elincinci umzekelo: , - ezi ludibaniso lwenethiwekhi apho i-traffic idlula khona; enyanisweni kunokubakho ngaphezu kwesibini kuzo. , — idilesi yokuqala neyokuphela yoluhlu lweedilesi “ezimhlophe”.
Ubumbeko lwe-NAT lulula kakhulu:
#! /usr/sbin/nft -f
table nat {
chain postrouting {
type nat hook postrouting priority 100;
oif <o_if> snat to <pool_addr_start>-<pool_addr_end> persistent
}
}
Ngokukhutshwa kokuhamba kuntsonkothile ngakumbi, kodwa kuyaqondakala:
#! /usr/sbin/nft -f
table inet filter {
flowtable fastnat {
hook ingress priority 0
devices = { <i_if>, <o_if> }
}
chain forward {
type filter hook forward priority 0; policy accept;
ip protocol { tcp , udp } flow offload @fastnat;
}
}
Oko, enyanisweni, lulungiselelo lonke. Ngoku zonke i-TCP / UDP traffic ziya kuwela kwitafile ye-fastnat kwaye iqhutywe ngokukhawuleza.
Iziphumo
Ukwenza kucace ukuba "ukukhawuleza kangakanani" oku, ndiya kuqhoboshela umfanekiso weskrini womthwalo kwiiseva ezimbini zokwenyani, kunye ne-hardware efanayo (Xeon E5-1650v2), iqwalaselwe ngokufanayo, isebenzisa i-Linux kernel efanayo, kodwa yenza i-NAT kwiiptables. (NAT4) kunye nee-nftables (NAT5).
Akukho grafu yeepakethi ngesekhondi kwiscreenshot, kodwa kwiprofayile yomthwalo wezi seva umyinge wepakethe yesayizi ujikeleze i-800 bytes, ngoko ke amaxabiso afikelela kwi-1.5Mpps. Njengoko ubona, iseva ene-nftables inokugcinwa komsebenzi omkhulu. Okwangoku, le seva isebenza ukuya kuthi ga kwi-30Gbit / s kwi-3Mpps kwaye ngokucacileyo iyakwazi ukuhlangabezana nomda wenethiwekhi ye-40Gbps, ngelixa inezixhobo ze-CPU zamahhala.
Ndiyathemba ukuba le nto iya kuba luncedo kwiinjineli zenethiwekhi ezizama ukuphucula ukusebenza kweeseva zabo.
umthombo: www.habr.com