Ipvs Study Notes (2)

Source: Internet
Author: User
Tags: ftp protocol

3.6 ipvs Packet Transmission

The transmit function for packets on an ipvs connection is bound by ip_vs_bind_xmit() in net/netfilter/ipvs/ip_vs_conn.c. The transmit functions themselves are defined in net/netfilter/ipvs/ip_vs_xmit.c:

int ip_vs_nat_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, struct ip_vs_protocol *pp)

NAT mode: this function sends only packets in the request direction.

int ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, struct ip_vs_protocol *pp)

Tunnel mode: the original IP packet is encapsulated in a new IP header with protocol 4 (IP-in-IP). The destination address of the new header is the real server and its source address is the real client IP address, so the packet can be routed; the server's reply is routed straight back and does not pass through ipvs.

int ip_vs_dr_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, struct ip_vs_protocol *pp)

Direct routing (DR) mode: the destination MAC address of the original skb is replaced with the MAC address of the real server and the packet is sent out directly. Because the packet is not routed, the ipvs balancer and the real server must be physically in the same L2 subnet. In DR mode, ipvs and the real servers are all configured with the same VIP address for external service, and each real server is also configured with its own real IP address; however, the NIC that carries the VIP on the real server is set to noarp, so it does not answer ARP requests for the VIP but still accepts packets addressed to the VIP. Request packets therefore reach the ipvs balancer first (because ipvs answers ARP for the VIP); ipvs chooses a real server according to its scheduling policy, uses that server's real IP address to determine the route, and sends the packet out directly with no change to its contents. Because the VIP on the real server matches the packet's destination address, the real server accepts it.

int ip_vs_bypass_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, struct ip_vs_protocol *pp)

Bypass mode: the packet is not addressed to the ipvs balancer itself; ipvs simply forwards it along the normal route.

int ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, struct ip_vs_protocol *pp, int offset, unsigned int hooknum)

Sends the various ICMP error packets.
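To make the three forwarding methods concrete, here is an added user-space example (my own code, not taken from ip_vs_xmit.c or anywhere else in the kernel) that performs on a constructed IPv4 packet the header changes each mode makes: NAT rewrites the destination address and refreshes the header checksum, TUN prepends an outer header with protocol 4 and carries the inner packet unchanged, and DR touches only the Ethernet destination MAC. The struct layout, helper names and sample addresses are my own; the outer source address used by the tunnel path is passed in by the caller.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

/* Minimal IPv4 header without options; multi-byte fields in network order. */
struct ipv4_hdr {
    uint8_t  ver_ihl;
    uint8_t  tos;
    uint16_t tot_len;
    uint16_t id;
    uint16_t frag_off;
    uint8_t  ttl;
    uint8_t  protocol;
    uint16_t check;
    uint32_t saddr;
    uint32_t daddr;
} __attribute__((packed));

#define IPV4_HDR_LEN     20
#define IPPROTO_IPIP_NUM 4   /* "protocol 4": IP-in-IP, the TUN mode encapsulation */
#define ETH_ALEN_EX      6

/* RFC 1071 one's-complement checksum. Computed over a valid header with the
 * check field included, the result is 0; the self-check below relies on that. */
uint16_t ip_checksum(const void *data, size_t len)
{
    const uint8_t *p = data;
    uint32_t sum = 0;
    while (len > 1) { sum += ((uint32_t)p[0] << 8) | p[1]; p += 2; len -= 2; }
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return htons((uint16_t)~sum);
}

/* Fill in a constructed header with a correct checksum. */
void ipv4_build(struct ipv4_hdr *h, uint32_t saddr, uint32_t daddr,
                uint8_t proto, uint8_t ttl, uint16_t payload_len)
{
    memset(h, 0, sizeof *h);
    h->ver_ihl  = 0x45;
    h->tot_len  = htons(IPV4_HDR_LEN + payload_len);
    h->ttl      = ttl;
    h->protocol = proto;
    h->saddr    = saddr;
    h->daddr    = daddr;
    h->check    = ip_checksum(h, IPV4_HDR_LEN);
}

/* NAT mode: point the destination at the real server and refresh the header
 * checksum. The TCP/UDP checksum also covers the addresses (pseudo-header) and
 * needs the same treatment in a real implementation; omitted here. */
void nat_rewrite_dst(struct ipv4_hdr *h, uint32_t rs_addr)
{
    h->daddr = rs_addr;
    h->check = 0;
    h->check = ip_checksum(h, IPV4_HDR_LEN);
}

/* TUN mode: prepend an outer IPv4 header carrying the inner packet unchanged.
 * Returns the encapsulated length, or 0 if `out` cannot hold it. */
size_t tunnel_encap(const uint8_t *inner, size_t inner_len, uint32_t outer_src,
                    uint32_t rs_addr, uint8_t *out, size_t out_cap)
{
    struct ipv4_hdr outer;
    if (inner_len < IPV4_HDR_LEN || inner_len > 0xffff - IPV4_HDR_LEN ||
        out_cap < IPV4_HDR_LEN + inner_len)
        return 0;
    /* inner[8] is the inner TTL; the outer header inherits it */
    ipv4_build(&outer, outer_src, rs_addr, IPPROTO_IPIP_NUM, inner[8], (uint16_t)inner_len);
    memcpy(out, &outer, IPV4_HDR_LEN);
    memcpy(out + IPV4_HDR_LEN, inner, inner_len);
    return IPV4_HDR_LEN + inner_len;
}

/* DR mode: only the Ethernet destination MAC (first 6 bytes of the frame)
 * changes; the IP header, VIP destination included, is left untouched. */
void dr_rewrite_mac(uint8_t *frame, const uint8_t rs_mac[ETH_ALEN_EX])
{
    memcpy(frame, rs_mac, ETH_ALEN_EX);
}

/* Run the three paths on a constructed packet; returns the number of
 * consistency checks that passed (7 when everything is right). */
int xmit_selfcheck(void)
{
    uint32_t client = htonl(0x0a000001);  /* 10.0.0.1, constructed */
    uint32_t vip    = htonl(0xc0a80001);  /* 192.168.0.1, constructed */
    uint32_t rs     = htonl(0xc0a80165);  /* 192.168.1.101, constructed */
    const uint8_t rs_mac[ETH_ALEN_EX] = {0x02, 0, 0, 0, 0, 0x01};  /* constructed */
    struct ipv4_hdr h;
    uint8_t frame[14 + IPV4_HDR_LEN] = {0};
    uint8_t out[64];
    size_t n;
    int ok = 0;

    ipv4_build(&h, client, vip, 6, 64, 0);
    ok += ip_checksum(&h, IPV4_HDR_LEN) == 0;            /* fresh header verifies */

    /* DR: frame = [dst mac][src mac][type][ip header]; only dst mac moves */
    memcpy(frame + 14, &h, IPV4_HDR_LEN);
    dr_rewrite_mac(frame, rs_mac);
    ok += memcmp(frame, rs_mac, ETH_ALEN_EX) == 0 && memcmp(frame + 14, &h, IPV4_HDR_LEN) == 0;

    nat_rewrite_dst(&h, rs);
    ok += h.daddr == rs && h.saddr == client;            /* only the destination changed */
    ok += ip_checksum(&h, IPV4_HDR_LEN) == 0;            /* checksum refreshed */

    n = tunnel_encap((const uint8_t *)&h, IPV4_HDR_LEN, client, rs, out, sizeof out);
    ok += n == 2 * IPV4_HDR_LEN && out[9] == IPPROTO_IPIP_NUM;
    ok += ip_checksum(out, IPV4_HDR_LEN) == 0 && memcmp(out + IPV4_HDR_LEN, &h, IPV4_HDR_LEN) == 0;
    ok += tunnel_encap((const uint8_t *)&h, IPV4_HDR_LEN, client, rs, out, 30) == 0;  /* too small */
    return ok;
}
```

The self-check is the usage: it builds a client-to-VIP header, applies each transformation in turn and verifies the checksums and the untouched fields, which is also the property a packet capture on the real server side should show for each mode (rewritten destination for NAT, an outer protocol-4 header for TUN, an unchanged IP header for DR).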

 

3.7 ipvs Application Management

ipvs applications handle multi-connection protocols such as FTP. Because of the special nature of multi-connection protocols, any connection-based processing module, whether ipvs, netfilter or another, must treat these protocols specially. ipvs is less complete than netfilter here: it currently supports only FTP, whereas netfilter supports FTP, TFTP, IRC, Amanda, MMS, SIP, H.323 and other multi-connection protocols.

 

ipvs applications are also modular, but the implementation is a bit unusual. For each application protocol a static struct ip_vs_app is defined as a template. When the protocol is registered later, the application pointer does not point at this static structure; instead a new struct ip_vs_app is allocated, and its struct ip_vs_app pointer points back at the static template. The newly allocated structure is then linked into the static structure's list and into the per-IP-protocol application hash list. This is completely different from how netfilter does it.

 

The shared application-processing functions are defined in net/netfilter/ipvs/ip_vs_app.c; each protocol's own handling lives in its own file, for example net/netfilter/ipvs/ip_vs_ftp.c for FTP.

 

3.8 ipvs Master/Backup Synchronization

ipvs supports connection synchronization. Two ipvs devices can run as master and backup respectively; the master process copies its connection information to the backup device, so that when the master crashes the backup can take over seamlessly.

The master and backup processes can also both be started on the same ipvs device, so that two devices back each other up and the load is shared between them.

 

Synchronization is implemented in net/netfilter/ipvs/ip_vs_sync.c.

 

3.9 ipvs Estimator

The ipvs estimator estimates the connection rate over a short interval, so that a user-space daemon can periodically read the estimator's value over a long period.

The estimation algorithm is: within the last 8 seconds, take one sample every 2 seconds and smooth it as

avgrate = avgrate * (1 - W) + rate * W

with W = 2^(-2) = 0.25; the unit is Kbytes/s.

 

The estimator code is in net/netfilter/ipvs/ip_vs_est.c.
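The smoothing formula above is easiest to understand by running it. The following is an added user-space model (my own code, not the kernel's ip_vs_est.c) that samples a cumulative connection counter every 2 seconds and applies avgrate = avgrate * (1 - W) + rate * W with W = 1/4 in integer arithmetic; the field names and the fixed-point scale of 1000 are my own choices, not the layout of struct ip_vs_estimator.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model of the estimator: 2-second samples, W = 2^-2. */
#define EST_INTERVAL_SEC 2
#define EST_SCALE        1000   /* fixed point: 1000 units = 1 connection/s */

struct est_model {
    uint64_t last_conns;  /* cumulative counter seen at the previous sample */
    int64_t  cps;         /* smoothed connections/s, scaled by EST_SCALE */
    int      primed;      /* the first sample only seeds last_conns */
};

/* Feed one 2-second sample of the cumulative connection counter. */
void est_update(struct est_model *e, uint64_t conns_now)
{
    int64_t delta, rate;
    if (!e->primed) {
        e->last_conns = conns_now;
        e->primed = 1;
        return;
    }
    delta = (int64_t)(conns_now - e->last_conns);
    rate  = delta * EST_SCALE / EST_INTERVAL_SEC;   /* rate over this interval */
    /* avgrate += (rate - avgrate) * W with W = 1/4, done in integers so the
     * value can only ever creep toward the true rate, never overshoot */
    e->cps += (rate - e->cps) / 4;
    e->last_conns = conns_now;
}

/* Run a whole series of samples through a fresh estimator; returns the final
 * smoothed rate (scaled by EST_SCALE). */
int64_t est_run(const uint64_t *samples, size_t n)
{
    struct est_model e = {0, 0, 0};
    size_t i;
    for (i = 0; i < n; i++)
        est_update(&e, samples[i]);
    return e.cps;
}

/* Convergence demo on a constructed steady stream of 100 new connections per
 * 2-second sample (true rate 50/s): smoothed rate after `n` samples. */
int64_t est_steady_demo(size_t n)
{
    struct est_model e = {0, 0, 0};
    size_t i;
    for (i = 0; i < n; i++)
        est_update(&e, (uint64_t)i * 100);
    return e.cps;
}
```

With the steady stream the estimate reaches a quarter of the true rate after the first real sample, half after the second, and within a fraction of a percent of 50/s after about forty samples; a sudden drop to zero new connections pulls the estimate down by a quarter per sample in the same way, which is why a burst or a dip shows up in the reported rate only gradually.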

 

3.10 ipvs /proc Parameters

ipvs creates the following files under /proc:

/proc/net/:
/proc/net/ip_vs: the ipvs rule table
/proc/net/ip_vs_app: ipvs application protocols
/proc/net/ip_vs_conn: current ipvs connections
/proc/net/ip_vs_stats: ipvs statistics

/proc/sys/net/ipv4/vs/:
/proc/sys/net/ipv4/vs/am_droprate: packet drop rate (default 10)
/proc/sys/net/ipv4/vs/amemthresh: available-memory threshold (default 1024)
/proc/sys/net/ipv4/vs/cache_bypass: whether to create bypass cache entries
/proc/sys/net/ipv4/vs/debug_level: debug level
/proc/sys/net/ipv4/vs/drop_entry: connection-entry dropping level
/proc/sys/net/ipv4/vs/drop_packet: packet dropping level
/proc/sys/net/ipv4/vs/expire_nodest_conn: whether to delete connections whose target server no longer exists
/proc/sys/net/ipv4/vs/lblc_expiration: expiration time of the lblc algorithm (default 1 day)
/proc/sys/net/ipv4/vs/lblcr_expiration: expiration time of the lblcr algorithm (default 1 day)
/proc/sys/net/ipv4/vs/nat_icmp_send: send an ICMP packet when a connection error occurs in NAT mode
/proc/sys/net/ipv4/vs/secure_tcp: stricter TCP state transitions
/proc/sys/net/ipv4/vs/sync_threshold: packet-count threshold for synchronization
/proc/sys/net/ipv4/vs/timeout_close: TCP CLOSE state timeout
/proc/sys/net/ipv4/vs/timeout_closewait: TCP CLOSE_WAIT state timeout
/proc/sys/net/ipv4/vs/timeout_established: TCP ESTABLISHED state timeout
/proc/sys/net/ipv4/vs/timeout_finwait: TCP FIN_WAIT state timeout
/proc/sys/net/ipv4/vs/timeout_icmp: ICMP timeout
/proc/sys/net/ipv4/vs/timeout_lastack: TCP LAST_ACK state timeout
/proc/sys/net/ipv4/vs/timeout_listen: TCP LISTEN state timeout
/proc/sys/net/ipv4/vs/timeout_synack: TCP SYN_ACK state timeout
/proc/sys/net/ipv4/vs/timeout_synrecv: TCP SYN_RECV state timeout
/proc/sys/net/ipv4/vs/timeout_synsent: TCP SYN_SENT state timeout
/proc/sys/net/ipv4/vs/timeout_timewait: TCP TIME_WAIT state timeout
/proc/sys/net/ipv4/vs/timeout_udp: UDP timeout

 

3.11 ipvs Control

ipvs control covers defining the virtual services that ipvs provides and their various parameters, such as the actual target servers.

ipvs control information is passed to the kernel through the setsockopt system call; the user-space management tool for ipvs is ipvsadm.

The ipvs control code is in net/netfilter/ipvs/ip_vs_ctl.c.

 

3.11.1 Registering the sockopt

static struct nf_sockopt_ops ip_vs_sockopts = {
	.pf		= PF_INET,
	.set_optmin	= IP_VS_BASE_CTL,
	.set_optmax	= IP_VS_SO_SET_MAX+1,
	.set		= do_ip_vs_set_ctl,
	.get_optmin	= IP_VS_BASE_CTL,
	.get_optmax	= IP_VS_SO_GET_MAX+1,
	.get		= do_ip_vs_get_ctl,
	.owner		= THIS_MODULE,
};

The netfilter struct nf_sockopt_ops structure is used to add the sockopt handlers. In int __init ip_vs_control_init(void), the call

ret = nf_register_sockopt(&ip_vs_sockopts);

registers the sockopt.

static int do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)

Write control (setsockopt).

static int do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)

Read control (getsockopt).

 

3.11.2 Service Control

static int ip_vs_add_service(struct net *net, struct ip_vs_service_user_kern *u, struct ip_vs_service **svc_p)

Add a service.

static int ip_vs_edit_service(struct ip_vs_service *svc, struct ip_vs_service_user_kern *u)

Modify a service and bind a new scheduler.

static int ip_vs_del_service(struct ip_vs_service *svc)

Delete a service.

static int ip_vs_flush(struct net *net)

Delete all services.

static int ip_vs_zero_service(struct ip_vs_service *svc)

Clear a service's counters.

 

3.11.3 Real Server Management

static int ip_vs_add_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)

Add a real server to an existing virtual service.

static int ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest, struct ip_vs_dest **dest_p)

Create a real server structure within a virtual service.

static int ip_vs_edit_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)

Modify a real server.

static int ip_vs_del_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)

Delete a real server from a virtual service.

static void __ip_vs_del_dest(struct net *net, struct ip_vs_dest *dest)

Delete a real server (it must already have been unbound from the virtual service).

static void __ip_vs_unlink_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest, int svcupd)

Unbind a real server from a virtual service.

 

3.11.4 Defense Level Adjustment

static void defense_work_handler(struct work_struct *work)

Periodic (timed) processing function.

static void update_defense_level(struct netns_ipvs *ipvs)

Updates the ipvs defense level, using the control parameters defined under /proc (am_droprate, amemthresh, drop_entry, drop_packet).
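To show how those /proc knobs combine into a drop decision, here is an added user-space model (my own code, not the kernel's) of the drop_packet defense. It follows my reading of update_defense_level() and ip_vs_todrop() in ip_vs_ctl.c, but the exact formulas should be treated as an assumption and checked against the kernel source of your version; the drop_entry side, which thins the connection table in the same style, is left out. The memory figures and configuration values below are constructed.

```c
#include <stddef.h>

/* Knobs from /proc/sys/net/ipv4/vs/, modelled in user space (assumed semantics). */
struct vs_defense_cfg {
    long amemthresh;   /* available-memory threshold, in pages (default 1024) */
    int  am_droprate;  /* fixed drop rate used by drop_packet level 3 (default 10) */
};

struct vs_defense_state {
    int drop_packet;   /* effective drop_packet level 0..3 */
    int drop_rate;     /* drop one of every drop_rate new connections; 0 = none */
    int drop_counter;  /* countdown to the next drop */
};

/* Recompute the drop rate from the memory currently available (in pages).
 * Levels 1 and 2 are automatic: 1 switches itself to 2 once memory runs low,
 * 2 switches back to 1 when memory recovers. Level 3 always drops at am_droprate. */
void update_defense_level(const struct vs_defense_cfg *cfg,
                          struct vs_defense_state *st, long availmem)
{
    int nomem = availmem < cfg->amemthresh;
    /* The further availmem falls below the threshold, the smaller the divisor,
     * so the rate approaches 1 (drop everything) under severe pressure and is
     * large (drop almost nothing) when memory is only just short. */
    int auto_rate = nomem ? (int)(cfg->amemthresh / (cfg->amemthresh - availmem)) : 0;

    switch (st->drop_packet) {
    case 0:
        st->drop_rate = 0;
        break;
    case 1:
        st->drop_rate = st->drop_counter = auto_rate;
        if (nomem)
            st->drop_packet = 2;
        break;
    case 2:
        st->drop_rate = st->drop_counter = auto_rate;
        if (!nomem)
            st->drop_packet = 1;
        break;
    case 3:
        st->drop_rate = st->drop_counter = cfg->am_droprate;
        break;
    default:
        st->drop_rate = 0;
        break;
    }
}

/* Decide for one new connection request; returns 1 if it should be dropped. */
int vs_todrop(struct vs_defense_state *st)
{
    if (st->drop_rate == 0)
        return 0;
    if (--st->drop_counter > 0)
        return 0;
    st->drop_counter = st->drop_rate;
    return 1;
}

/* Apply one memory reading at the given level, then count how many of
 * n_conns new connection requests would be dropped. */
int count_drops(const struct vs_defense_cfg *cfg, int level, long availmem, int n_conns)
{
    struct vs_defense_state st = { level, 0, 0 };
    int dropped = 0, i;
    update_defense_level(cfg, &st, availmem);
    for (i = 0; i < n_conns; i++)
        dropped += vs_todrop(&st);
    return dropped;
}

/* Level the state settles on after one update (shows the automatic 1 <-> 2 flip). */
int level_after_update(const struct vs_defense_cfg *cfg, int level, long availmem)
{
    struct vs_defense_state st = { level, 0, 0 };
    update_defense_level(cfg, &st, availmem);
    return st.drop_packet;
}
```

The practical reading for an operator: with drop_packet at 1 and memory halfway below amemthresh, every second new connection is refused; when memory is only one page short, one in 1024 is refused; at level 3 the fixed am_droprate applies regardless of memory, so a value of 10 on a healthy balancer silently costs a tenth of all new connections.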

 

4. Learning Summary

For those who do not know the Linux kernel, the ipvs and ipvsadm code may be confusing, but with a preliminary understanding of kernel programming and after reading the implementation analysis article series by the boss yfydz, I was amazed: the ipvs struct definitions and function implementations are clear at a glance. Some key details have not yet been examined thoroughly, but the key points can be located. For the setsockopt-based communication between ipvsadm and ipvs, checking the padding of some structs and the data transfer between the user layer and the kernel gives an intuitive understanding of the control workflow. The last part to dig into is the packet modification functions and the algorithm implementation of the scheduling policies, to become familiar with the ipvs code implementation. I hope the list of functions I have compiled will be helpful to you. The comments in yfydz's main article are a little dizzying; please follow up and check the comments you need. Thanks to the ipvs author and yfydz for the technology sharing.
