Njengoba amakheli e-IPv4 encipha, opharetha abaningi bezingcingo babhekene nesidingo sokuhlinzeka amakhasimende abo ngokufinyelela kwenethiwekhi besebenzisa ukuhumusha ikheli. Kulesi sihloko ngizokutshela ukuthi ungakuthola kanjani ukusebenza kwe-Carrier Grade NAT kumaseva wempahla.
Umlando omncane
Isihloko sokukhathala kwesikhala sekheli le-IPv4 asisemusha. Ngesinye isikhathi, kwavela uhlu lwabalindile ku-RIPE, kwase kuba ukushintshana lapho amakheli athengiswa khona futhi kwaphothulwa izivumelwano zokuwaqashisa. Kancane kancane, opharetha bezingcingo baqala ukuhlinzeka ngezinsizakalo zokufinyelela ku-inthanethi besebenzisa ikheli nokuhumusha ngembobo. Abanye abakwazanga ukuthola amakheli anele ukuze bakhiphe ikheli “elimhlophe” kumuntu ngamunye obhalisile, kuyilapho abanye baqala ukonga imali ngokwenqaba ukuthenga amakheli emakethe yesibili. Abakhiqizi bemishini yenethiwekhi basekela lo mbono, ngoba lokhu kusebenza ngokuvamile kudinga amamojula esandiso engeziwe noma amalayisense. Isibonelo, kulayini weJuniper wamarutha e-MX (ngaphandle kwe-MX104 ne-MX204 yakamuva), ungenza i-NAPT ekhadini lesevisi elihlukile le-MS-MIC, i-Cisco ASR1k idinga ilayisense ye-CGN, i-Cisco ASR9k idinga imojuli ehlukile ye-A9K-ISM-100 kanye nelayisensi ye-A9K-CGN -LIC kuye. Ngokuvamile, injabulo ibiza imali eningi.
I-IPTables
Umsebenzi wokwenza i-NAT awudingi izinsiza ezikhethekile zekhompiyutha; ingaxazululwa ngamaphrosesa enhloso ejwayelekile, afakiwe, ngokwesibonelo, kunoma iyiphi irutha yasekhaya. Esikalini somsebenzisi we-telecom, le nkinga ingaxazululwa kusetshenziswa amaseva wempahla asebenzisa i-FreeBSD (ipfw/pf) noma i-GNU/Linux (ama-iptables). Ngeke sicabangele iFreeBSD, ngoba... Ngiyeke ukusebenzisa le OS kudala, ngakho-ke sizonamathela ku-GNU/Linux.
Ukunika amandla ukuhunyushwa kwekheli akunzima neze. Okokuqala udinga ukubhalisa umthetho kuma-iptables kuthebula le-nat:
iptables -t nat -A POSTROUTING -s 100.64.0.0/10 -j SNAT --to <pool_start_addr>-<pool_end_addr> --persistent
Isistimu yokusebenza izolayisha imojuli ye-nf_contrack, ezoqapha konke ukuxhumana okusebenzayo futhi yenze ukuguqulwa okudingekayo. Kukhona ubuqili abambalwa lapha. Okokuqala, njengoba sikhuluma nge-NAT esikalini se-telecom opharetha, kuyadingeka ukulungisa isikhathi sokuvala, ngoba ngamavelu azenzakalelayo usayizi wetafula lokuhumusha uzokhula ngokushesha abe amanani ayinhlekelele. Ngezansi isibonelo sezilungiselelo engizisebenzise kumaseva ami:
net.ipv4.ip_forward = 1
net.ipv4.ip_local_port_range = 8192 65535
net.netfilter.nf_conntrack_generic_timeout = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 600
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 45
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 60
net.netfilter.nf_conntrack_icmpv6_timeout = 30
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_events_retry_timeout = 15
net.netfilter.nf_conntrack_checksum=0
Okwesibili, njengoba usayizi ozenzakalelayo wethebula lokuhumusha ayakhelwe ukusebenza ngaphansi kwemibandela ye-telecom opharetha, udinga ukukhuliswa:
net.netfilter.nf_conntrack_max = 3145728
Kudingeka futhi ukukhulisa inani lamabhakede etafula le-hashi eligcina konke ukusakazwa (lokhu kuyinketho kumojula ye-nf_conntrack):
options nf_conntrack hashsize=1572864
Ngemuva kwalokhu kukhohlisa okulula, kutholakala umklamo osebenza ngokuphelele ongahumusha inombolo enkulu yamakheli amaklayenti echibini langaphandle. Nokho, ukusebenza kwalesi sixazululo kushiya okuningi okufanele ukwenze. Emizamweni yami yokuqala yokusebenzisa i-GNU/Linux ye-NAT (circa 2013), ngakwazi ukuthola ukusebenza cishe kwe-7Gbit/s ku-0.8Mpps ngeseva ngayinye (Xeon E5-1650v2). Kusukela ngaleso sikhathi, ukulungiselelwa okuningi okuhlukile kwenziwe kusitaki senethiwekhi ye-GNU/Linux kernel, ukusebenza kweseva eyodwa ku-hardware efanayo kukhuphuke kwacishe kwafinyelela ku-18-19 Gbit/s ku-1.8-1.9 Mpps (lokhu bekuyinani eliphakeme kakhulu. amanani), kodwa isidingo sevolumu yethrafikhi, ecutshungulwa yiseva eyodwa sakhula ngokushesha kakhulu. Ngenxa yalokho, amasu athuthukiswa ukulinganisa umthwalo kumaseva ahlukene, kodwa konke lokhu kwandise ubunzima bokusetha, ukugcina nokugcina ikhwalithi yezinsizakalo ezinikeziwe.
Amathebula we-NFT
Kulezi zinsuku, inkambiso yemfashini ku-software "izikhwama ezishintshayo" ukusetshenziswa kwe-DPDK ne-XDP. Kubhalwe izindatshana eziningi ngalesi sihloko, izinkulumo eziningi ezahlukene zenziwe, futhi kuvela imikhiqizo yokuthengisa (isibonelo, i-SKAT evela kuVasExperts). Kodwa uma kubhekwa izinsiza zokuhlela ezilinganiselwe zabasebenza ngocingo, kuyinkinga kakhulu ukudala noma yimuphi “umkhiqizo” ngokusekelwe kulezi zinhlaka uwedwa. Kuzoba nzima kakhulu ukusebenzisa isisombululo esinjalo esikhathini esizayo; ikakhulukazi, amathuluzi okuxilonga kuzodingeka athuthukiswe. Isibonelo, i-tcpdump ejwayelekile ene-DPDK ngeke isebenze kanjalo nje, futhi ngeke “ibone” amaphakethe abuyiselwe ezintanjeni kusetshenziswa i-XDP. Phakathi kwayo yonke inkulumo mayelana nobuchwepheshe obusha bokudlulisela amaphakethe esikhaleni somsebenzisi, awazange anakwe и U-Pablo Neira Ayuso, umnakekeli we-iptables, mayelana nokuthuthukiswa kokulayishwa kokugeleza kuma-nftables. Ake sihlolisise lo mshini.
Umqondo oyinhloko ukuthi uma i-router idlulise amaphakethe kusuka kuseshini eyodwa kuzo zombili izinkomba zokugeleza (iseshini ye-TCP ingene kusimo ESImisiwe), khona-ke asikho isidingo sokudlulisa amaphakethe alandelayo ale seshini kuyo yonke imithetho ye-firewall, ngoba konke lokhu kuhlola kusazophela lapho iphakethe lidluliselwa phambili kumzila. Futhi empeleni asikho isidingo sokukhetha umzila - sesiyazi kakade ukuthi iyiphi i-interface nokuthi yimuphi umsingathi okudingeka sithumele amaphakethe phakathi kwale seshini. Okusele ukugcina lolu lwazi futhi ulusebenzisele umzila kusenesikhathi sokucutshungulwa kwephakethe. Lapho wenza i-NAT, kuyadingeka ukuthi ngaphezu kwalokho ugcine ulwazi mayelana nezinguquko kumakheli nezimbobo ezihunyushwe yimojula ye-nf_conntrack. Yebo, yiqiniso, kulokhu amaphoyisa ahlukahlukene kanye nolunye ulwazi kanye nemithetho yezibalo kuma-iptables ayeke ukusebenza, kodwa ngaphakathi kohlaka lomsebenzi wokuma okuhlukile we-NAT noma, isibonelo, umngcele, lokhu akubalulekile kangako, ngoba izinsizakalo asatshalaliswa phakathi kwamadivaysi.
Ukucushwa
Ukuze sisebenzise lo msebenzi sidinga:
- Sebenzisa i-kernel entsha. Naphezu kokuthi ukusebenza ngokwayo kuvele ku-kernel 4.16, isikhathi eside "yayiluhlaza" futhi ibangela ukwethuka kwe-kernel. Yonke into yazinza ngoDisemba 2019, lapho kukhishwa ama-LTS kernels 4.19.90 kanye no-5.4.5.
- Bhala kabusha imithetho ye-iptables ngefomethi ye-nfttables usebenzisa inguqulo yakamuva yama-nfttables. Isebenza ncamashi kunguqulo 0.9.0
Uma yonke into ngomgomo icacile ngephuzu lokuqala, into esemqoka ukungakhohlwa ukufaka imojuli ekucushweni ngesikhathi somhlangano (CONFIG_NFT_FLOW_OFFLOAD=m), khona-ke iphuzu lesibili lidinga incazelo. imithetho ye-nftables ichazwa ngokuhluke ngokuphelele kunama-iptables. wembula cishe wonke amaphuzu, kukhona futhi ekhethekile imithetho kusuka ku-iptables kuya ku-nfttables. Ngakho-ke, ngizonikeza kuphela isibonelo sokusetha i-NAT nokugeleza kokulayisha. Inganekwane encane isibonelo: , - lezi yizindawo zenethiwekhi okudlula kuzo ithrafikhi; empeleni kungaba ngaphezulu kokubili kwakho. , — ikheli lokuqala nelokugcina lohlu lwamakheli “amhlophe”.
Ukucushwa kwe-NAT kulula kakhulu:
#! /usr/sbin/nft -f
table nat {
chain postrouting {
type nat hook postrouting priority 100;
oif <o_if> snat to <pool_addr_start>-<pool_addr_end> persistent
}
}
Ngokulayishwa kokugeleza kuyinkimbinkimbi, kodwa kuyaqondakala:
#! /usr/sbin/nft -f
table inet filter {
flowtable fastnat {
hook ingress priority 0
devices = { <i_if>, <o_if> }
}
chain forward {
type filter hook forward priority 0; policy accept;
ip protocol { tcp , udp } flow offload @fastnat;
}
}
Lokho, empeleni, isethi yonke. Manje yonke ithrafikhi ye-TCP/UDP izowela etafuleni le-fastnat futhi icutshungulwe ngokushesha okukhulu.
Imiphumela
Ukuze kucace ukuthi lokhu "kushesha kangakanani", ngizonamathisela isithombe-skrini somthwalo kumaseva amabili wangempela, nge-hardware efanayo (Xeon E5-1650v2), elungiselelwe ngendlela efanayo, kusetshenziswa i-Linux kernel efanayo, kodwa ngenza i-NAT kuma-iptables. (NAT4) naku-nftables (NAT5).
Ayikho igrafu yamaphakethe ngomzuzwana kusithombe-skrini, kodwa kuphrofayela yokulayisha yalezi ziphakeli isilinganiso sosayizi wephakethe singamabhayithi angu-800, ngakho amanani afinyelela ku-1.5Mpps. Njengoba ubona, iseva enama-nftables inokugcinwa okukhulu kokusebenza. Okwamanje, le seva isebenza kuze kufike ku-30Gbit/s ku-3Mpps futhi iyakwazi ngokusobala ukuhlangabezana nomkhawulo wenethiwekhi ebonakalayo engu-40Gbps, kuyilapho inezinsiza zamahhala ze-CPU.
Ngethemba ukuthi le nto izoba usizo konjiniyela benethiwekhi abazama ukuthuthukisa ukusebenza kwamaseva abo.
Source: www.habr.com