1 引言
在使用Keepalived部署DNS(nsd)高可用集群时,不使用LVS,仅仅使用Keepalived实现双主模式,在另外一台服务器发起dig,出现reply from unexpected source。
dig @192.168.0.51 www.example.com
;; reply from unexpected source: 192.168.0.3#53, expected 192.168.0.51#53
192.168.0.51未VIP,192.168.0.3为网卡原始ip
在服务器上抓包,的确收到目的地址为192.168.0.51的报文,但是回复报文的源IP却变为192.168.0.3,但是奇怪一点的是使用tcp模式发起dig请求却是正常的。
2 IP_TRANSPARENT简介
经过网络了解,发现有个socket选项IP_TRANSPARENT是针对类似问题,查看Linux manual有:
IP_TRANSPARENT (since Linux 2.6.24)
Setting this boolean option enables transparent proxying on
this socket. This socket option allows the calling applica‐
tion to bind to a nonlocal IP address and operate both as a
client and a server with the foreign address as the local end‐
point. NOTE: this requires that routing be set up in a way
that packets going to the foreign address are routed through
the TProxy box (i.e., the system hosting the application that
employs the IP_TRANSPARENT socket option). Enabling this
socket option requires superuser privileges (the CAP_NET_ADMIN
capability).
TProxy redirection with the iptables TPROXY target also
requires that this option be set on the redirected socket.
简单来说,使用这个选项可以socket绑定一个非本地的地址,实现所谓的透明代理(TProxy, Transparent Proxy),通过Keepalived实现IP漂移时,VIP就是一个nonlocal IP,这段文字还是很难理解,包括解释不了为什么TCP可以而UDP却不可以的疑问,不过可以参考PowerDNS的一篇文章Linux transparent proxy support,解释的比较清楚。
3 IP_TRANSPARENT使用示例
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <iostream>
int create_other_sock()
{
//
int fd = socket(AF_INET, SOCK_DGRAM, 0);
int ret = 0;
int value = 1;
ret = setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value));
if(ret != 0)
{
std::cout << "setsockopt IP_TRANSPARENT failed" << std::endl;
std::cout << strerror(errno) << std::endl;
exit(1);
}
// local address is not belong the local machine
struct sockaddr_in addr;
addr.sin_family = AF_INET;
addr.sin_port = htons(53);
uint32_t addr_local = 0;
ret = inet_pton(AF_INET, "192.168.50.100", &addr_local);
if(ret != 1)
{
std::cout << "inet_pton failed" << std::endl;
close(fd);
exit(1);
}
addr.sin_addr.s_addr = addr_local;
ret = bind(fd, (struct sockaddr*)&addr, sizeof(addr));
if(ret !=0)
{
std::cout << strerror(errno) << std::endl;
std::cout << "bind failed" << std::endl;
exit(1);
}
return fd;
}
int main()
{
int fd_other = create_other_sock();
for(;;)
{
char buf[1024] = {0};
struct sockaddr_in remote_addr;
memset(&remote_addr, 0, sizeof(remote_addr));
socklen_t addr_len;
int len = recvfrom(fd_other, buf, 1024, 0, (struct sockaddr*)&remote_addr, &addr_len);
std::cout << "len = " << len << std::endl;
sendto(fd_other, buf, len, 0, (struct sockaddr*)&remote_addr, addr_len);
}
return 0;
};
发现使用了IP_TRANSPARENT可以绑定任意一个IP地址,包括8.8.8.8从而实现流量拦截。
3 nsd配置使用IP_TRANSPARENT
nsd.conf配置里有IP_TRANSPARENT的选项,
ip-address: 192.168.0.52
ip-address: 192.168.0.51
# Allow binding to non local addresses. Default no.
ip-transparent: yes
配置了重启nsd,再次dig就不会出现之前描述的问题,并且需要注意的是使用IP_TRANSPARENT监听IP列表里必须指明VIP列表,否则还是会出现问题。
网友评论