Layer7 IMQ Route Multipath Loadbalance Debian Lenny 2.6.28
Debian Lenny, ClarkConnect Enterprise 4.3, kernel 2.6.28, iptables 1.4.2, with the IMQ and Route_Multipath patches. Contributed and tested by [email protected], June 13 2009 (updated 11 July 2009).
Debian
[root@gateway ~]# apt-get install gzip unzip bzip2
[root@gateway ~]# apt-get install debhelper screen fakeroot zlib1g-dev build-essential libncurses5-dev kernel-package
Clarkconnect 4.3
[root@gateway ~]# apt-get install cc-devel
Download the packages
[root@gateway ~]# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.tar.bz2
[root@gateway ~]# wget http://ufpr.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.21.tar.gz
[root@gateway ~]# wget http://ufpr.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2009-05-28.tar.gz
[root@gateway ~]# wget http://www.ssi.bg/~ja/routes-2.6.28-16.diff
[root@gateway ~]# wget http://www.linuximq.net/patchs/linux-2.6.28.9-imq-test2.diff
[root@gateway ~]# wget http://www.netfilter.org/projects/iptables/files/iptables-1.4.2.tar.bz2
Extract the files
[root@gateway ~]# tar xjvf linux-2.6.28.tar.bz2
[root@gateway ~]# tar xjvf iptables-1.4.2.tar.bz2
[root@gateway ~]# tar xzvf netfilter-layer7-v2.21.tar.gz
[root@gateway ~]# tar xzvf l7-protocols-2009-05-28.tar.gz
Create a symbolic link
[root@gateway ~]# ln -s /usr/src/linux-2.6.28 /usr/src/linux
Patch the kernel with the patch files
[root@gateway ~]# cd linux
[root@gateway ~]# patch -p1 </usr/src/netfilter-layer7-v2.21/kernel-2.6.25-2.6.28-layer7-2.21.patch
[root@gateway ~]# patch -p1 </usr/src/routes-2.6.28-16.diff
[root@gateway ~]# patch -p1 </usr/src/linux-2.6.28.9-imq-test2.diff
Configure the kernel
[root@gateway ~]# make menuconfig
<source lang=bash>
Networking support > Networking options > Network packet filtering framework (Netfilter) > Core Netfilter Configuration.
[ ] layer7 match support
[*] select all
[M] select all
<M> "IMQ" target support
<M> "layer7" match support
[*] "Layer7" debugging output
Networking support > Networking options > Network packet filtering framework (Netfilter) > IP: Netfilter Configuration.
[*] select all
[M] select all
<M> Full NAT
</source>
Exit and save .config
Compile and install it, Debian + CC4.3 (Option 1)
[root@gateway ~]# make && make modules && make modules_install && make install
Make the new kernel bootable (Debian only; not needed on CC4.3)
[root@gateway ~]# cd /boot
[root@gateway ~]# mkinitramfs -o initrd.img-2.6.28 2.6.28
[root@gateway ~]# update-grub
[root@gateway ~]# reboot
If you want to compile and also build a .deb package, use these commands instead (Option 2)
[root@gateway ~]# make clean && make mrproper
[root@gateway ~]# cp /boot/config-`uname -r` ./.config
[root@gateway ~]# make menuconfig
<source lang=bash>
Networking support > Networking options > Network packet filtering framework (Netfilter) > Core Netfilter Configuration.
[ ] layer7 match support
[*] select all
[M] select all
<M> "IMQ" target support
<M> "layer7" match support
[*] "Layer7" debugging output
Networking support > Networking options > Network packet filtering framework (Netfilter) > IP: Netfilter Configuration.
[*] select all
[M] select all
<M> Full NAT
</source>
Exit and save .config
[root@gateway ~]# make-kpkg clean
[root@gateway ~]# fakeroot make-kpkg --initrd --append-to-version=-l7multiroute kernel_image kernel_headers
[root@gateway ~]# cd /usr/src
[root@gateway ~]# dpkg -i linux-image-*
[root@gateway ~]# dpkg -i linux-headers-*
[root@gateway ~]# reboot
Too lazy to compile? Download it instead.
Edit /boot/grub/menu.lst (CC4.3 only)
[root@gateway ~]# nano /boot/grub/menu.lst
<source lang=bash>
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/sda3
#          initrd /initrd-version.img
#boot=/dev/sda
default=1
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Linux (2.6.28)
        root (hd0,0)
        kernel /vmlinuz-2.6.28 ro root=LABEL=/ video=vesafb vga=0x313
        initrd /initrd-2.6.28.img
#title Linux (2.6.18-93.cc4)
#        root (hd0,0)
#        kernel /vmlinuz-2.6.18-93.cc4 ro root=LABEL=/ video=vesafb vga=0x313
#        initrd /initrd-2.6.18-93.cc4.img
#title Linux Safe Mode (2.6.18-93.cc4)
#        root (hd0,0)
#        kernel /vmlinuz-2.6.18-93.cc4 ro root=LABEL=/
#        initrd /initrd-2.6.18-93.cc4.img
</source>
Reboot the machine
[root@gateway ~]# reboot
Check the kernel version on CC4.3
[root@gateway ~]# uname -a
Linux gateway.clarkconnect.lan 2.6.28 #1 SMP Fri Jun 19 13:17:45 ICT 2009 i686 i686 i386 GNU/Linux
Check the kernel version on Debian Lenny
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jun 19 12:02:27 2009 from 125.24.196.166.adsl.dynamic.totbb.net
gw:~# uname -a
Linux l7.mscompute.com 2.6.28 #2 SMP Sat Jun 13 18:19:43 ICT 2009 i686 GNU/Linux
Compile iptables v1.4.2 so it supports layer7
[root@gateway ~]# cd /usr/src/iptables-1.4.2
[root@gateway ~]# cp /usr/src/netfilter-layer7-v2.21/iptables-1.4.1.1-for-kernel-2.6.20forward/* /usr/src/iptables-1.4.2/extensions/
[root@gateway ~]# ./configure --with-kernel=/usr/src/linux
[root@gateway ~]# make
[root@gateway ~]# make install
[root@gateway ~]# cd /usr/src/l7-protocols-2009-05-28
[root@gateway ~]# make install
[root@gateway ~]# cp /usr/local/sbin/iptables /sbin/
[root@gateway ~]# modprobe xt_layer7
Edit /etc/rc.local so the modules are loaded at boot
[root@gateway ~]# nano /etc/rc.local
modprobe xt_layer7
modprobe xt_conntrack
modprobe nf_conntrack
Check that xt_layer7 is loaded
[root@gateway ~]# lsmod | grep xt_layer7
xt_layer7              14356  0
nf_conntrack           64392  14 xt_layer7,xt_CONNMARK,xt_state,nf_nat_pptp,nf_nat_irc,nf_nat_ftp,ipt_MASQUERADE,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_irc,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4
x_tables               18188  10 xt_layer7,xt_CONNMARK,xt_mark,xt_tcpudp,xt_state,ipt_MASQUERADE,ipt_REJECT,ipt_LOG,iptable_nat,ip_tables
Test layer7
[root@gateway ~]# iptables -A FORWARD -m layer7 --l7proto bittorrent -j DROP
[root@gateway ~]# iptables -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
[root@gateway ~]# iptables -A FORWARD -m layer7 --l7proto fasttrack -j DROP
[root@gateway ~]# iptables -nvL | grep LAYER
<source lang=bash>
  533 50633 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  LAYER7 l7proto bittorrent state NEW
30091 2183K DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  LAYER7 l7proto edonkey state NEW
    0     0 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  LAYER7 l7proto fasttrack state NEW
    0     0 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  LAYER7 l7proto gnutella state NEW
74468 6939K DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  LAYER7 l7proto bittorrent state NEW
 325K   24M DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  LAYER7 l7proto edonkey state NEW
    0     0 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  LAYER7 l7proto fasttrack state NEW
    0     0 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  LAYER7 l7proto gnutella state NEW
    0     0 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  LAYER7 l7proto bittorrent state NEW
17392 1161K DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  LAYER7 l7proto edonkey state NEW
    0     0 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  LAYER7 l7proto fasttrack state NEW
    0     0 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  LAYER7 l7proto gnutella state NEW
</source>
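To confirm that the layer7 rules are really matching traffic, the following POSIX shell script, an added example that is not code from the original page, sums the packet counters per --l7proto from an `iptables -nvL` listing like the one above and flags protocols whose rule never fired; the sample lines are constructed to mirror that listing.

```shell
#!/bin/sh
# Added example, not code from the original page: sum the packet counters of
# the layer7 DROP rules per protocol from `iptables -nvL` output, and flag
# protocols whose rule has never matched.
# Constructed sample lines, shaped like the listing on this page:
SAMPLE_RULES='  533 50633 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  LAYER7 l7proto bittorrent state NEW
30091 2183K DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  LAYER7 l7proto edonkey state NEW
    0     0 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  LAYER7 l7proto fasttrack state NEW
 325K   24M DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  LAYER7 l7proto edonkey state NEW'

# l7_hits: read an `iptables -nvL` listing on stdin and print
# "<proto> <packets>" per --l7proto, sorted by protocol name.
# iptables abbreviates large counters with K/M/G, so expand them first.
l7_hits() {
    awk '
        function to_num(v,   n) {
            n = v + 0                      # numeric prefix, e.g. "325K" -> 325
            if (v ~ /K$/)      n = n * 1000
            else if (v ~ /M$/) n = n * 1000000
            else if (v ~ /G$/) n = n * 1000000000
            return n
        }
        # column 10 is the match name, columns 11/12 are "l7proto <name>"
        $10 == "LAYER7" && $11 == "l7proto" { pkts[$12] += to_num($1) }
        END { for (p in pkts) printf "%s %d\n", p, pkts[p] }
    ' | sort
}

# l7_silent: protocols whose packet counter is zero. A rule that never matches
# usually means xt_layer7 is not loaded, the pattern is missing from
# /etc/l7-protocols, or an earlier rule already accepted the flow.
l7_silent() {
    l7_hits | awk '$2 == 0 { print $1 }'
}

# Stand-alone run on the sample; on the gateway use: iptables -nvL | l7_hits
printf '%s\n' "$SAMPLE_RULES" | l7_hits
printf '%s\n' "$SAMPLE_RULES" | l7_silent
```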
Test IMQ
http://www.linuximq.net/usage.html
You can use the script below to balance the links.
<source lang=bash>
#!/bin/bash
# This script is done by : Robert Kurjata Sep, 2003.
# feel free to use it in any useful way

# CONFIGURATION
IP=/sbin/ip
PING=/bin/ping
#--------------- LINK PART -----------------
# EXTIFn - interface name
# EXTIPn - outgoing IP
# EXTMn  - netmask length (bits)
# EXTGWn - outgoing gateway
#-------------------------------------------
# LINK 1 (fill in the address, mask length and gateway of each link)
EXTIF1=eth2
EXTIP1=
EXTM1=
EXTGW1=
# LINK 2
EXTIF2=eth1
EXTIP2=
EXTM2=
EXTGW2=

# ROUTING PART
# removing old rules and routes
echo "removing old rules"
${IP} rule del prio 50 table main
${IP} rule del prio 201 from ${EXTIP1}/${EXTM1} table 201
${IP} rule del prio 202 from ${EXTIP2}/${EXTM2} table 202
${IP} rule del prio 221 table 221
echo "flushing tables"
${IP} route flush table 201
${IP} route flush table 202
${IP} route flush table 221
echo "removing tables"
${IP} route del table 201
${IP} route del table 202
${IP} route del table 221

# setting new rules
echo "Setting new routing rules"
# main table w/o default gateway here
${IP} rule add prio 50 table main
${IP} route del default table main
# identified routes here: packets sourced from a link's own address always
# leave via that link; the prohibit route stops fallback to later tables
${IP} rule add prio 201 from ${EXTIP1}/${EXTM1} table 201
${IP} rule add prio 202 from ${EXTIP2}/${EXTM2} table 202
${IP} route add default via ${EXTGW1} dev ${EXTIF1} src ${EXTIP1} proto static table 201
${IP} route append prohibit default table 201 metric 1 proto static
${IP} route add default via ${EXTGW2} dev ${EXTIF2} src ${EXTIP2} proto static table 202
${IP} route append prohibit default table 202 metric 1 proto static

# multipath: everything else is spread over both links with weights 2:3
${IP} rule add prio 221 table 221
${IP} route add default table 221 proto static \
    nexthop via ${EXTGW1} dev ${EXTIF1} weight 2 \
    nexthop via ${EXTGW2} dev ${EXTIF2} weight 3
${IP} route flush cache

# probe both gateways once a minute
while : ; do
  ${PING} -c 1 ${EXTGW1}
  ${PING} -c 1 ${EXTGW2}
  sleep 60
done
</source>
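The script above writes the table 221 multipath route once with both nexthops and then only pings the gateways. As an added example, not part of the original page or of Robert Kurjata's script, the following POSIX shell script builds the same kind of multipath default route only from gateways that currently answer a probe; the addresses, interface names and weights in LINKS are constructed, and GW_PROBE is an assumed hook that defaults to a single ping.

```shell
#!/bin/sh
# Added example, not part of the original page or of either balancing script:
# build the table 221 multipath default route from the links whose gateway
# answers a probe, so a dead link drops out of the nexthop set instead of
# keeping its share of new flows.
# Assumptions: LINKS holds constructed "gateway:interface:weight" triples
# (RFC 5737 test addresses); GW_PROBE is an assumed hook, defaulting to one
# ping, that a test harness can replace. Nothing is applied unless APPLY=1.
LINKS="192.0.2.1:eth2:2 198.51.100.1:eth1:3"
GW_PROBE=${GW_PROBE:-"ping -c 1 -W 2"}

# gw_alive <gateway>: true when the probe command succeeds.
gw_alive() {
    $GW_PROBE "$1" >/dev/null 2>&1
}

# build_multipath "<links>": print the `ip route replace` command with one
# nexthop per live link. Returns 1 and prints nothing when no gateway is
# reachable, so a caller never replaces the route with an empty one.
build_multipath() {
    cmd="ip route replace default table 221 proto static"
    alive=0
    for link in $1; do
        gw=${link%%:*}
        rest=${link#*:}
        dev=${rest%%:*}
        weight=${rest#*:}
        if gw_alive "$gw"; then
            cmd="$cmd nexthop via $gw dev $dev weight $weight"
            alive=$((alive + 1))
        else
            echo "gateway $gw on $dev not reachable, leaving it out" >&2
        fi
    done
    [ "$alive" -gt 0 ] || return 1
    printf '%s\n' "$cmd"
}

# Stand-alone run: print the command, apply it only when APPLY=1.
if route_cmd=$(build_multipath "$LINKS"); then
    echo "$route_cmd"
    if [ "${APPLY:-0}" = 1 ]; then
        $route_cmd && ip route flush cache
    fi
else
    echo "no gateway reachable, routing table left untouched" >&2
fi
```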
Another balancing script, by Neutron Soutmun
<source lang=bash>
#!/bin/bash
# PPP Load Balancer Script
#
# Author:    Neutron Soutmun
# Created:   2008-04-28
# Copyright: © 2008 Neutron Soutmun <[email protected]>
# License:   GPL-2
VERSION=0.1.1

# LOG_DIR : Store the necessary log files for ppp load balance processing.
LOG_DIR=/var/log/ppp-balance

# TABLE_PREFIX : The prefix for the table name that is specified in
#                /etc/iproute2/rt_tables for identification of route.
TABLE_PREFIX=isp

# GAMEONLINE_ROUTE_TO_IFNO : The interface number which is desired to be the
#                            GameOnline routing path.
#                            You must set the netfilter rules for this
#                            function to work properly.
#                            To disable this, set it to -1
# Example netfilter rules:
#   # iptables -t mangle -A PREROUTING -i eth0 -p tcp \
#       -m multiport --dports 1025:65535 -j MARK --set-mark 0x4
#   # iptables -t mangle -A PREROUTING -i eth0 -p udp \
#       -m multiport --dports 1025:65535 -j MARK --set-mark 0x4
#
GAMEONLINE_ROUTE_TO_IFNO=3

# RELOAD_SQUID : Force a reload of the squid config, workaround for a system
#                running a squid process; to disable set it to 0
RELOAD_SQUID=1

# VERBOSE : Verbose mode, display all logs and errors
#           to disable set it to 0.
VERBOSE=1

### Do not need to change below ###
IP=/sbin/ip
IFCONFIG=/sbin/ifconfig
SQUID=/etc/init.d/squid
RT_TABLES=/etc/iproute2/rt_tables
OLD_IF_FILE=${LOG_DIR}/old-if.log
OLD_IF_COUNT_FILE=${LOG_DIR}/old-if-cnt.log
OLD_RULE_FILE=${LOG_DIR}/old-rule.log
NEXTHOP_FILE=${LOG_DIR}/nexthop.log
REDIAL_LOG_FILE=${LOG_DIR}/redial.log
TEMP_FILE=${LOG_DIR}/temp.log
LOG_FILE=${LOG_DIR}/ppp-balance.log

log() {
  timestamp=`date`
  if [ ${VERBOSE} -gt 0 ]; then
    echo "${timestamp}: $1"
  fi
  echo "${timestamp}: $1" >> ${LOG_FILE}
}

error() {
  timestamp=`date`
  if [ ${VERBOSE} -gt 0 ]; then
    echo "${timestamp}: ERROR! - $1"
  fi
  echo "${timestamp}: ERROR! - $1" >> ${LOG_FILE}
  exit $2
}

### Check if the system is ready ###
# Check log dir
if [ ! -d ${LOG_DIR} ]; then
  mkdir -p ${LOG_DIR} || exit 1
fi

# Check necessary program
if [ ! -f ${IP} ]; then
  error "The 'iproute2' package is not installed properly ?!!" 1
fi

# Check pre-defined table names
rt_tables=`cat ${RT_TABLES} | grep "200 ${TABLE_PREFIX}0" | wc -l`
if [ $rt_tables -eq 0 ]; then
  ## Create the route table names from the prefix (tables 200-209)
  echo "" >> ${RT_TABLES}
  echo "#" >> ${RT_TABLES}
  echo "# Added by PPP Load Balancer" >> ${RT_TABLES}
  echo "#" >> ${RT_TABLES}
  for (( i = 0; i < 10; i++ )); do
    echo "20${i} ${TABLE_PREFIX}${i}" >> ${RT_TABLES}
  done
fi

# Clear the temporary files
echo "" > ${TEMP_FILE}

del_old_rule () {
  log "Removing old rules ..."
  ${IP} rule show | grep ${TABLE_PREFIX} | grep -v "all to" > ${OLD_RULE_FILE}
  while read line
  do
    #echo $line
    line_ip=`echo $line | cut -d' ' -f3`
    line_table=`echo $line | cut -d' ' -f5`
    check=`echo ${line_table} | grep ${TABLE_PREFIX}`
    if [ $? -eq 0 ]; then
      log "${IP} rule del from ${line_ip} table ${line_table}"
      ${IP} rule del from ${line_ip} table ${line_table}
      log "${IP} route flush table ${line_table}"
      ${IP} route flush table ${line_table}
    fi
  done < ${OLD_RULE_FILE}
}

update_route () {
  log "Updating new route ..."
  echo "" > ${NEXTHOP_FILE}
  for PPP in ${PPP_LIST}
  do
    # TEMP_FILE holds "pppN:ip:table" for each interface seen in MAIN
    new_ppp=`cat ${TEMP_FILE} | grep ${PPP}`
    new_ip=`echo ${new_ppp} | cut -d':' -f2`
    new_tab=`echo ${new_ppp} | cut -d':' -f3`
    log "${IP} route add ${new_ip}/32 dev ${PPP} src ${new_ip} table ${new_tab}"
    ${IP} route add ${new_ip}/32 dev ${PPP} src ${new_ip} table ${new_tab}
    log "${IP} route add default via ${new_ip} table ${new_tab}"
    ${IP} route add default via ${new_ip} table ${new_tab}
    log "${IP} rule add from ${new_ip} table ${new_tab}"
    ${IP} rule add from ${new_ip} table ${new_tab}
    log "nexthop via ${new_ip} dev ${PPP} weight 1"
    echo "nexthop via ${new_ip} dev ${PPP} weight 1 " >> ${NEXTHOP_FILE} 2>&1
  done
}

update_default_route () {
  log "Updating default route ..."
  nexthop=`cat ${NEXTHOP_FILE}`
  check=`echo $nexthop | grep nexthop | wc -l`
  if [ $check -gt 0 ]; then
    default_gw="${IP} route add default scope global equalize "
    log "${default_gw} ${nexthop}"
    ${IP} route del default
    ${default_gw} ${nexthop}

    # Game online and other ports 1025:65535 go through the specified game path
    if [ ${GAMEONLINE_ROUTE_TO_IFNO} -gt -1 ]; then
      log "Adding GameOnline interception ..."
      ${IP} rule del fwmark 4 table ${TABLE_PREFIX}${GAMEONLINE_ROUTE_TO_IFNO}
      ${IP} rule add fwmark 4 table ${TABLE_PREFIX}${GAMEONLINE_ROUTE_TO_IFNO}
    fi
  fi
}

### MAIN ###
changes=0

# Gathering current PPP list
PPP_LIST=`${IFCONFIG} | grep ppp | cut -d' ' -f1`
IF_COUNT=`${IFCONFIG} | grep ppp | cut -d' ' -f1 | wc -l`

for PPP in ${PPP_LIST}
do
  if_ip=`${IFCONFIG} ${PPP} | grep inet | cut -d':' -f2 | cut -d' ' -f 1`
  # "pppN" -> N, used as the suffix of the table name
  table_id=`echo ${PPP} | cut -d'p' -f4`
  check_old=`cat ${OLD_IF_FILE} | grep ${PPP}`
  check_ip=`echo ${check_old} | grep ${if_ip}`
  if [ $? -eq 1 ]; then
    # Some change in this device, do update routing
    log "${PPP} Routing change...."
    changes=1
  fi
  echo ${PPP}:${if_ip}:${TABLE_PREFIX}${table_id} >> ${TEMP_FILE}
done

if [ -f ${OLD_IF_COUNT_FILE} ]; then
  OLD_IF_COUNT=`cat ${OLD_IF_COUNT_FILE}`
else
  OLD_IF_COUNT=0
fi

if [ ${OLD_IF_COUNT} != ${IF_COUNT} ]; then
  log "Links size changed!"
  changes=1
fi

if [ ${changes} -eq 1 ]; then
  del_old_rule
  update_route
  update_default_route
  ${IP} route flush cache

  if [ ${RELOAD_SQUID} -gt 0 ]; then
    log "Reloading SQUID config ..."
    ${SQUID} reload
  fi
  date >> ${REDIAL_LOG_FILE}

  success=`${IP} route | grep nexthop | wc -l`
  if [ ${success} -gt 0 ]; then
    cp ${TEMP_FILE} ${OLD_IF_FILE}
    echo ${IF_COUNT} > ${OLD_IF_COUNT_FILE}
    log "Updated!"
  else
    rm -f ${OLD_IF_FILE}
    rm -f ${OLD_IF_COUNT_FILE}
    log "Update Pending! - Retry in the next time."
  fi
fi
### END ###
</source>
References
http://www.ssi.bg/~ja/#routes-2.6
http://l7-filter.sourceforge.net/protocols
Protocol definitions: /etc/l7-protocols