Container Cloud Load Balancing, Part 4: Configuring IPVS Kernel Network Parameters


1. Introduction

Because of the particular way the IPVS Direct Routing mode works, a few kernel parameters have to be configured on the Director and on the real servers to meet its special VIP deployment requirements.

The parameters to configure on the Director are:

```
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.ens33.send_redirects = 0
```

The parameters to configure on the real servers are:

```
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.ens33.arp_ignore = 1
net.ipv4.conf.ens33.arp_announce = 2
```
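As an added example (not code from the original post), the following Python script renders the two parameter sets above as a sysctl.d fragment and audits a `sysctl -a` dump against them, so a Director or real server can be checked for configuration drift. The interface name ens33 comes from the post; the function names and the contents of `SAMPLE_DUMP` are constructed for the example.

```python
"""Render and audit the IPVS Direct Routing sysctl settings for a host role.

Added example, not code from the original post. INTERFACE defaults to the
post's interface name ens33; change it for your host.
"""
import re

INTERFACE = "ens33"  # assumption: the post's NIC name

# Settings the post lists for the Director (the VIP entry point).
DIRECTOR_SYSCTLS = {
    "net.ipv4.ip_forward": "1",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.default.send_redirects": "0",
    f"net.ipv4.conf.{INTERFACE}.send_redirects": "0",
}

# Settings the post lists for each real server (VIP bound on lo).
REALSERVER_SYSCTLS = {
    "net.ipv4.conf.all.arp_ignore": "1",
    "net.ipv4.conf.all.arp_announce": "2",
    f"net.ipv4.conf.{INTERFACE}.arp_ignore": "1",
    f"net.ipv4.conf.{INTERFACE}.arp_announce": "2",
}

ROLES = {"director": DIRECTOR_SYSCTLS, "realserver": REALSERVER_SYSCTLS}


def render_sysctl_conf(role):
    """Return the text of an /etc/sysctl.d fragment for the given role."""
    lines = [f"# IPVS Direct Routing settings for role: {role}"]
    lines += [f"{key} = {value}" for key, value in ROLES[role].items()]
    return "\n".join(lines) + "\n"


# One 'key = value' line as printed by `sysctl -a`; '/' is allowed because
# sysctl spells a dotted interface name (eth0.100) as eth0/100 in the key.
_SYSCTL_LINE = re.compile(r"^\s*([\w.\-/]+)\s*=\s*(.*?)\s*$")


def parse_sysctl_dump(text):
    """Parse `sysctl -a` style output into a dict; non-matching lines are skipped."""
    values = {}
    for line in text.splitlines():
        match = _SYSCTL_LINE.match(line)
        if match:
            values[match.group(1)] = match.group(2)
    return values


def audit(role, dump_text):
    """Compare a sysctl dump against the role's expected values.

    Returns a list of (key, expected, actual) for every setting that is
    missing (actual is None) or differs; an empty list means the host
    matches the settings listed in the post.
    """
    actual = parse_sysctl_dump(dump_text)
    findings = []
    for key, expected in ROLES[role].items():
        got = actual.get(key)
        if got != expected:
            findings.append((key, expected, got))
    return findings


# Constructed sample: a real server whose per-interface ARP settings were never applied.
SAMPLE_DUMP = """\
net.ipv4.ip_forward = 0
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.ens33.arp_ignore = 0
net.ipv4.conf.ens33.arp_announce = 0
net.ipv4.conf.lo.arp_ignore = 0
"""

if __name__ == "__main__":
    print(render_sysctl_conf("realserver"))
    for key, expected, got in audit("realserver", SAMPLE_DUMP):
        print(f"MISMATCH {key}: expected {expected}, got {got}")
```

Feed `audit()` the captured output of `sysctl -a` (or `sysctl net.ipv4`) from the host being checked. Auditing the sample dump as a real server reports the two per-interface keys that are still 0; auditing the same dump as a Director reports ip_forward and the three send_redirects keys, the latter as missing.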

Reposted from https://blog.csdn.net/cloudvtech

2. Meaning of the parameters configured on the Director

2.1 Packet forwarding

```
net.ipv4.ip_forward = 1
```

Enable packet forwarding. Linux disables packet forwarding by default: a packet that arrives on a NIC is by default terminated on the local host. As the IPVS Director, the host has to act as the VIP entry point and forward packets on to the other machines at the back end, so packet forwarding must be enabled on the Director; setting net.ipv4.ip_forward to 1 achieves this.

2.2 Send redirects

```
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.ens33.send_redirects = 0
```

Disable sending redirects. If the host's network has several routers, the system designates one of them as the default gateway; when that gateway receives an IP packet sent by the host and finds that the packet has to pass through another router, it sends an ICMP "redirect" packet back to your host telling it to forward the packet to the other router. 1 means the host accepts such redirect packets, 0 means it ignores them; Linux defaults to 1, and when IPVS uses the forwarding function this is set to 0 to eliminate the risk.

3. Meaning of the parameters configured on the real servers

3.1 net.ipv4.conf.all.arp_ignore = 1 and net.ipv4.conf.ens33.arp_ignore = 1

```
arp_ignore - INTEGER
    Define different modes for sending replies in response to
    received ARP requests that resolve local target IP addresses:
    0 - (default): reply for any local target IP address, configured
    on any interface
    1 - reply only if the target IP address is local address
    configured on the incoming interface
    2 - reply only if the target IP address is local address
    configured on the incoming interface and both with the
    sender's IP address are part from same subnet on this interface
    3 - do not reply for local addresses configured with scope host,
    only resolutions for global and link addresses are replied
    4-7 - reserved
    8 - do not reply for all local addresses
```

When arp_ignore is set to 1, the host does not respond to an incoming ARP request if the NIC that received the request does not carry the requested IP; when arp_ignore is set to 0, the host responds with its MAC address as long as any NIC on the host carries that IP. In an IPVS setup the VIP is bound on lo, so after setting net.ipv4.conf.ens33.arp_ignore = 1, no ARP request arriving on that NIC asking for the VIP is answered.

3.2 net.ipv4.conf.all.arp_announce = 2 and net.ipv4.conf.ens33.arp_announce = 2

```
arp_announce - INTEGER
    Define different restriction levels for announcing the local
    source IP address from IP packets in ARP requests sent on
    interface:
    0 - (default) Use any local address, configured on any interface
    1 - Try to avoid local addresses that are not in the target's
    subnet for this interface. This mode is useful when target
    hosts reachable via this interface require the source IP
    address in ARP requests to be part of their logical network
    configured on the receiving interface. When we generate the
    request we will check all our subnets that include the
    target IP and will preserve the source address if it is from
    such subnet. If there is no such subnet we select source
    address according to the rules for level 2.
    2 - Always use the best local address for this target.
    In this mode we ignore the source address in the IP packet
    and try to select local address that we prefer for talks with
    the target host. Such local address is selected by looking
    for primary IP addresses on all our subnets on the outgoing
    interface that include the target IP address. If no suitable
    local address is found we select the first local address
    we have on the outgoing interface or on all other interfaces,
    with the hope we will receive reply for our request and
    even sometimes no matter the source IP address we announce.
```

When a real server sends a response to a client, it has to send an ARP request to obtain the gateway's MAC address, and that ARP request must carry the real server's IP address and MAC address. By default Linux uses the source IP of the packet about to be sent as the IP address in the ARP request. In IPVS Direct Routing mode every real server binds the VIP on lo and the source address of the returned packet is the VIP, so an ARP packet containing the VIP and the MAC of the corresponding egress NIC is sent to the gateway. The gateway then updates its local ARP cache, mapping the VIP to this real server's MAC, which amounts to IP spoofing: the VIP has been grabbed by this real server.

Setting net.ipv4.conf.ens33.arp_announce = 2 guarantees that when the real server sends an ARP request to the gateway it uses the IP of the egress NIC rather than the VIP bound on lo, which avoids the IP spoofing.
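To make sections 3.1 and 3.2 concrete, here is an added Python model (not code from the original post or from the kernel) of the arp_ignore reply decision and the arp_announce source-address choice as the quoted documentation defines them, run against a constructed real server whose NIC ens33 carries 10.0.0.11/24 while the VIP 10.0.0.100/32 sits on lo. The addresses, the gateway 10.0.0.1 and the function names are assumptions made for the example.

```python
"""Model the arp_ignore and arp_announce decisions for a Direct Routing real server.

Added example, not code from the original post or from the kernel. The host
layout below is constructed: ens33 carries the host address, lo carries the VIP.
"""
import ipaddress

HOST = {
    "ens33": [ipaddress.ip_interface("10.0.0.11/24")],
    "lo": [ipaddress.ip_interface("127.0.0.1/8"),
           ipaddress.ip_interface("10.0.0.100/32")],  # the VIP, as in the post
}


def effective_level(all_value, iface_value):
    """The kernel applies the higher of conf.all and the per-interface value,
    which is why the post sets both keys."""
    return max(all_value, iface_value)


def local_addresses(host):
    return {addr.ip for addrs in host.values() for addr in addrs}


def arp_ignore_replies(host, mode, in_iface, target_ip, sender_ip):
    """Return True if the host answers an ARP request for target_ip received on in_iface.

    Implements levels 0, 1, 2 and 8 of arp_ignore as the quoted documentation
    defines them; levels 3 to 7 are not modelled.
    """
    target = ipaddress.ip_address(target_ip)
    sender = ipaddress.ip_address(sender_ip)
    if target not in local_addresses(host):
        return False  # not one of our addresses: never answered
    if mode == 0:
        return True   # any local address on any interface
    if mode == 8:
        return False  # never answer for local addresses
    on_iface = [a for a in host[in_iface] if a.ip == target]
    if mode == 1:
        return bool(on_iface)  # must be configured on the receiving interface
    if mode == 2:
        return any(sender in a.network for a in on_iface)  # plus same subnet
    raise ValueError(f"arp_ignore level {mode} not modelled")


def arp_announce_source(host, level, out_iface, packet_src, target_ip):
    """Return the IP the host announces in an ARP request it sends on out_iface.

    packet_src is the source address of the IP packet that triggered the
    request (the VIP for a Direct Routing reply). Levels 0, 1 and 2 follow
    the quoted documentation.
    """
    target = ipaddress.ip_address(target_ip)
    src = ipaddress.ip_address(packet_src)
    if level == 0:
        return src  # announce whatever the packet's source address is
    if level == 1:
        # keep the packet source if target and source share a subnet on this interface
        for a in host[out_iface]:
            if target in a.network and src in a.network:
                return src
        # no such subnet: fall through to the level-2 rules
    # level 2: primary address on the outgoing interface whose subnet holds the target
    for a in host[out_iface]:
        if target in a.network:
            return a.ip
    # nothing matched: first address on the outgoing interface, then any other one
    for iface in [out_iface] + [i for i in host if i != out_iface]:
        if host[iface]:
            return host[iface][0].ip
    raise RuntimeError("host has no addresses")


if __name__ == "__main__":
    for mode in (0, 1):
        answered = arp_ignore_replies(HOST, mode, "ens33", "10.0.0.100", "10.0.0.1")
        print(f"arp_ignore={mode}: VIP request on ens33 answered? {answered}")
    for level in (0, 1, 2):
        announced = arp_announce_source(HOST, level, "ens33", "10.0.0.100", "10.0.0.1")
        print(f"arp_announce={level}: reply to gateway announces {announced}")
```

The model reproduces the two effects the post describes: with arp_ignore=1 the request for the VIP arriving on ens33 goes unanswered, and with arp_announce=2 the ARP request to the gateway announces 10.0.0.11 instead of the VIP. It also shows why level 1 is not enough here: because the VIP lies in the same /24 as the NIC address and the gateway, level 1 keeps the VIP as the announced source, so only level 2 prevents the gateway's ARP cache from being taken over by one real server.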
