-
Notifications
You must be signed in to change notification settings - Fork 32
/
README
107 lines (83 loc) · 4.43 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
=== BUILDING ===
These packages supply an Iptables plugin and kernel module and that
allow rewriting of the destination IP address for IPv4 and IPv6.
To build the packages (RPMs) for your OS, type:
$ make
RPMs will be in:
$ ls -l build-*/RPMS/* build-src/SRPMS
In this release, RHEL4, RHEL5, RHEL6, and Fedora 17 are directly
supported. When typing "make" on one of these systems, the build
environment should just (hopefully) do the right thing for you.
Even if on different system, but closely related, it should still
work for you. You may want to read further though if you need to
tune or alter the build environment or if you're on a different
build system than one of the supported and tested ones and your
build breaks.
When building natively (the binary RPMs are built in the host
environment), the script "config-native" will be invoked to create
a "config-native.mk" file for you with its best guess at how to
configure the build environment for your system.
The script firest determines what operating system to build for
by setting the PLATFORMS, OSMACRO_* and OSMACROVER_* macros. The
values of these macros correspond to the same settings used by the
OpenSUSE Build Service. See:
http://en.opensuse.org/openSUSE:Build_Service_cross_distribution_howto.
You'll see the values of these macros passed to rpmbuild and are
used by the "iptables-daddr.spec" spec file to control which sources
are selected to build based on which versions of iptables and kernel
are in use by the selected OS.
The script also examines the currently installed kernel devel
packages for the kernel variants (kvariants) to build by setting the
KVARIANTS_* macro. If you want to change which kernel it looks for,
use the -r option. If you want to limit which kvariants it looks
for, use the -k option. For example:
$ uname -r
2.6.9-101.EL
$ rpm -qa | grep kernel | grep devel
kernel-largesmp-devel-2.6.9-100.EL
kernel-devel-2.6.9-101.EL
kernel-smp-devel-2.6.9-101.EL
kernel-xenU-devel-2.6.9-101.EL
By default using "uname -r", config-native would select the
kvariants for 2.6.9-101.EL which are '"" smp xenU".
If invoking "./config-native -r 2.6.9-100.EL", it would only select
kvariants for 'largesmp' since kernel-largesmp-devel is only
installed for that kernel (and would also add an additional macro
Kverrel_* for selecting that kernel to build for).
If invoking "./config-native -k '"" xenU'", it would only select the
kvariants for '"" xenU' ignoring smp.
You can control the arguments to config-native when calling "make"
by setting the CONFIG_ARGS variable. For example:
$ make CONFIG_ARGS="-r 2.6.9-101.EL -k '\"\" xenU'
If you change "config-native" to support a system other than the
ones listed above, please send me your patches.
For systems not using yum and rpm, porting will be more complex,
primarily changing the "mk/Makefile.build" and "mk/Makefile.sub"
files. If you make changes to port to other systems that can be
folded back into the existing build system, please send me your
patchset for review.
=== USING ===
A practical application of this software is to do L3DSR (Level 3
Direct Server Return). For an overview, see Jan Schaumann's slides,
l3dsr/docs/nanog51.pdf.
For example, to use iptables-daddr you have two Load Balancers (LBs)
with two VIPs (e.g. 72.30.38.140 and 98.139.183.24) and several
servers behind them. The LBs must be able to rewrite the DSCP field
of incoming, forwarded packets (or in some way mark the packets such
that an iptables match rule on the servers can identify them).
For example, the first VIP will set the DSCP field to 1 for its
packets going to the servers, where the second VIP will set the
DSCP field to 2. This will allow the servers to know what to set
the destination address to in reply packets they send directly
to client machines.
On each server, create lookback interfaces corresponding to the VIPs
and iptables rules to set the return address on the packets:
# ifconfig lo:1 72.30.38.140 netmask 255.255.255.255
# ifconfig lo:2 98.139.183.24 netmask 255.255.255.255
# iptables -t mangle -A INPUT -m dscp --dscp 1 -j DADDR --set-daddr=72.30.38.140
# iptables -t mangle -A INPUT -m dscp --dscp 2 -j DADDR --set-daddr=98.139.183.24
An example for IPv6:
# ifconfig lo:3 add fc00:1000:0:6::10/128
# ifconfig lo:4 add fc00:1000:0:6::21/128
# ip6tables -t mangle -A INPUT -m dscp --dscp 10 -j DADDR --set-daddr=fc00:1000:0:6::10
# ip6tables -t mangle -A INPUT -m dscp --dscp 11 -j DADDR --set-daddr=fc00:1000:0:6::21