IPVS FULLNAT and SYNPROXY

Alibaba LVS version release

Go to "运维生存时间": http://www.ttlsa.com/news/alibaba-lvs-publish/

July 15, 2013, 默北

New features:

1. FullNAT: A new packet forwarding method for IPVS, in addition to DR/NAT/TUNNEL.

The main principle is as follows: the module introduces a local IP address (an IDC internal IP address, lip). IPVS translates cip-vip to/from lip-rip, where lip and rip are both IDC internal IP addresses, so that the LVS load balancer and the real servers can be in different VLANs, and the real servers only need access to the internal network. See Virtual Server via Full NAT for more information.

FULLNAT is a new forwarding mode. Main idea: introduce a local address (an internal network IP address); cip-vip is translated to lip->rip, where lip and rip are both IDC internal IPs and can communicate across VLANs.

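2. SYNPROXY: Defence module against SYN flooding attacks.

The main principle: based on TCP syncookies; please refer to http://en.wikipedia.org/wiki/SYN_cookies.

SYNPROXY is used to defend against SYN flood attacks. Main idea: following the syncookies idea in the Linux TCP protocol stack, LVS constructs a SYN-ACK packet with a special seq and verifies whether the ack_seq in the ACK packet is valid, thereby implementing a proxy for the TCP three-way handshake.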
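
The SYNPROXY check described above (a special seq in the SYN-ACK, then validation of ack_seq in the ACK), as an added Python sketch that is not taken from the LVS source. The bit layout, MSS table, time-slot width, HMAC-SHA256 and all function names are assumptions for illustration; the addresses are constructed sample values.

```python
import hashlib, hmac, socket, struct

SECRET = b"constructed-demo-key"      # constructed; a real proxy uses a random, rotated key
MSS_TABLE = (536, 1300, 1440, 1460)   # assumed table, indexed by 2 cookie bits
SLOT_SECONDS = 64                     # assumed width of one time slot
MAX_AGE_SLOTS = 2                     # assumed: accept cookies up to 2 slots old

def _mac25(cip, cport, vip, vport, client_isn, slot, mss_idx):
    """25-bit keyed MAC over the 4-tuple, client ISN, time slot and MSS index."""
    msg = socket.inet_aton(cip) + socket.inet_aton(vip) + struct.pack(
        "!HHIIB", cport, vport, client_isn, slot, mss_idx)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x1FFFFFF

def make_synack_seq(cip, cport, vip, vport, client_isn, client_mss, now):
    """Sequence number for the proxy's SYN-ACK; nothing is stored per connection."""
    slot = int(now) // SLOT_SECONDS
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = _mac25(cip, cport, vip, vport, client_isn, slot, mss_idx)
    # Layout: 5 bits of time slot | 2 bits of MSS index | 25 bits of MAC
    return ((slot & 0x1F) << 27) | (mss_idx << 25) | mac

def check_ack(cip, cport, vip, vport, seq, ack_seq, now):
    """Return the negotiated MSS if the ACK completes a handshake we started, else None."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF      # our SYN-ACK seq, echoed back plus one
    client_isn = (seq - 1) & 0xFFFFFFFF      # client's SYN seq, recovered from the ACK
    mss_idx = (cookie >> 25) & 0x3
    now_slot = int(now) // SLOT_SECONDS
    for age in range(MAX_AGE_SLOTS + 1):
        slot = now_slot - age
        if slot < 0 or (cookie >> 27) != (slot & 0x1F):
            continue                         # wrong or expired time slot
        expected = _mac25(cip, cport, vip, vport, client_isn, slot, mss_idx)
        if hmac.compare_digest(expected.to_bytes(4, "big"),
                               (cookie & 0x1FFFFFF).to_bytes(4, "big")):
            return MSS_TABLE[mss_idx]
    return None                              # drop: ack_seq is not a cookie we issued
```

Because the MAC covers the source address and the client's ISN, a spoofed SYN that never receives the SYN-ACK cannot produce a valid ack_seq, and the proxy holds no state for it.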