nat-gw1: WIP

kucerarichard · Mar 19, 2019 · 8426a04 · 8426a04
1 parent 9908177
commit 8426a04
Show file tree

Hide file tree

Showing 5 changed files with 210 additions and 0 deletions.
diff --git a/lab-nat-gw1/.gitignore b/lab-nat-gw1/.gitignore
@@ -0,0 +1,4 @@
+/keepalived.NAT1.conf
+/keepalived.NAT2.conf
+/conntrackd.NAT1.conf
+/conntrackd.NAT2.conf
diff --git a/lab-nat-gw1/conntrackd.NATx.conf b/lab-nat-gw1/conntrackd.NATx.conf
@@ -0,0 +1,45 @@
+Sync {
+  Mode FTFW {
+    StartupResync on
+  }
+  Multicast {
+    IPv4_address 225.0.0.50
+    Group 3780
+    IPv4_interface {{ ipv4 }}
+    Interface eth2
+    SndSocketBuffer 1249280
+    RcvSocketBuffer 1249280
+    Checksum on
+  }
+  Options {
+    # No expectation sync
+  }
+}
+
+General {
+  HashSize 32768
+  HashLimit {{ hashlimit }}
+  LogFile on
+  LockFile /var/run/conntrack.lock
+  NetlinkBufferSize 2097152
+  NetlinkBufferSizeMaxGrowth 8388608
+  NetlinkOverrunResync 10
+
+  Filter From Kernelspace {
+    Protocol Accept {
+      TCP
+      # Not UDP: should survive a switch because stateless
+      # Not ICMP: should also survive a switch
+    }
+    Address Ignore {
+      IPv4_address 127.0.0.1
+    }
+    State Accept {
+      ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
+    }
+  }
+
+  UNIX {
+    Path /var/run/conntrackd.ctl
+  }
+}
diff --git a/lab-nat-gw1/keepalived.NATx.conf b/lab-nat-gw1/keepalived.NATx.conf
@@ -0,0 +1,43 @@
+vrrp_instance NAT1 {
+  state BACKUP
+  interface eth0
+  track_interface {
+    eth1
+  }
+  virtual_router_id 11
+  priority {{ priority1 }}
+  advert_int 1
+  virtual_ipaddress {
+    172.22.34.1/32
+    203.0.113.128/32 dev eth1
+    203.0.113.129/32 dev eth1
+    203.0.113.130/32 dev eth1
+    203.0.113.131/32 dev eth1
+    203.0.113.132/32 dev eth1
+  }
+
+  use_vmac
+  notify_master "{{ pwd }}/vrrp-master vrrp.11"
+}
+
+vrrp_instance NAT2 {
+  state BACKUP
+  interface eth0
+  track_interface {
+    eth1
+  }
+  virtual_router_id 12
+  priority {{ priority2 }}
+  advert_int 1
+  virtual_ipaddress {
+    172.22.34.2/32
+    203.0.113.192/32 dev eth1
+    203.0.113.193/32 dev eth1
+    203.0.113.194/32 dev eth1
+    203.0.113.195/32 dev eth1
+    203.0.113.196/32 dev eth1
+  }
+
+  use_vmac
+  notify_master "{{ pwd }}/vrrp-master vrrp.12"
+}
diff --git a/lab-nat-gw1/setup b/lab-nat-gw1/setup
@@ -0,0 +1,109 @@
+#!/bin/sh
+
+cd "$(dirname "$(readlink -f "$0")")"
+. ../common/lab-setup
+
+# 2: regular public network
+# 3: public network through NAT GW
+# 4: internet
+# 5: dedicated network for conntrackd
+unset SWITCH_HUB
+spawn vm H1       network  10
+spawn vm H2       network  20
+spawn vm H3       network  30
+spawn vm HV       networks 10,20,30,2,3
+spawn vm NAT1     networks 3,2,5
+spawn vm NAT2     networks 3,2,5
+spawn vm ER       networks 2,4
+spawn vm internet network  4
+
+run
+
+# Executed on each VM
+case $uts in
+    HV)
+        ip addr add 10.0.1.1/24 dev eth0
+        ip addr add 10.0.2.1/24 dev eth1
+        ip addr add 10.0.3.1/24 dev eth2
+        ip addr add 203.0.113.10/24 dev eth3
+        ip route add default via 203.0.113.1
+        sysctl -qw net.ipv4.ip_forward=1
+
+        # Regular SNAT for VMs
+        iptables -t nat -A POSTROUTING -o eth3 -j SNAT --to-source 203.0.113.10
+
+        ## NAT GW
+        ip addr add 172.22.34.10/24 dev eth4
+        # One routing table for each NAT gateway
+        ip rule add fwmark 100 table 100
+        ip rule add fwmark 101 table 101
+        ip route add default via 172.22.34.1 table 100
+        ip route add default via 172.22.34.2 table 101
+        # Chain to use the NAT gateway. First one restore the mark and
+        # second one put it on new connections.
+        iptables -t mangle -N NATGW1
+        iptables -t mangle -A NATGW1 -j CONNMARK --restore-mark
+        iptables -t mangle -A NATGW1 -m conntrack --ctstate NEW -j MARK --set-mark 100
+        iptables -t mangle -N NATGW2
+        iptables -t mangle -A NATGW2 -j CONNMARK --restore-mark
+        iptables -t mangle -A NATGW2 -m conntrack --ctstate NEW -j MARK --set-mark 101
+        # SNAT for VMs using the NAT GW
+        iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 172.22.34.10
+        iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
+        # Second and third VM will use the NAT GW. The pool is chosen
+        # randomly. This rule should be set by the orchestrator.
+        iptables -t mangle -A PREROUTING -i eth1 -j NATGW$(shuf -i 1-2 -n 1)
+        iptables -t mangle -A PREROUTING -i eth2 -j NATGW$(shuf -i 1-2 -n 1)
+        ;;
+    NAT*)
+        # Active/active setup with keepalived.
+        template keepalived.NATx.conf keepalived.$uts.conf \
+                 priority1=$((150 - ${uts#NAT})) \
+                 priority2=$((150 + ${uts#NAT})) \
+                 pwd="'$PWD'"
+        service keepalived -P -f $PWD/keepalived.$uts.conf
+
+        # VMAC on eth0
+        sysctl -qw net.ipv4.conf.all.arp_ignore=1
+        sysctl -qw net.ipv4.conf.all.arp_announce=1
+        sysctl -qw net.ipv4.conf.all.arp_filter=0
+        sysctl -qw net.ipv4.conf.eth0.arp_filter=1
+
+        ip addr add 172.22.34.25${uts#NAT}/24 dev eth0
+        ip addr add 203.0.113.25${uts#NAT}/24 dev eth1
+        ip route add default via 203.0.113.1
+        sysctl -qw net.ipv4.ip_forward=1
+
+        # Choose the address pool depending on the source VRRP MAC address
+        iptables -t mangle -I PREROUTING -i vrrp.11 -j MARK --set-mark 11
+        iptables -t mangle -I PREROUTING -i vrrp.12 -j MARK --set-mark 12
+        iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 11 -j SNAT --to-source 203.0.113.128-203.0.113.132 --persistent
+        iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 12 -j SNAT --to-source 203.0.113.192-203.0.113.196 --persistent
+        sysctl -qw net.netfilter.nf_conntrack_tcp_loose=1
+
+        # Use conntrackd on top of that for almost seamless redundancy
+        ip addr add 172.22.35.25${uts#NAT}/24 dev eth2
+        template conntrackd.NATx.conf conntrackd.$uts.conf \
+                 ipv4="'172.22.35.25${uts#NAT}'" \
+                 hashlimit=$(( $(cat /proc/sys/net/netfilter/nf_conntrack_max) * 2 ))
+        service conntrackd -C $PWD/conntrackd.$uts.conf -d
+        ;;
+    ER)
+        # Just a dumb edge router
+        ip addr add 203.0.113.1/24 dev eth0
+        ip addr add 192.0.2.1/24 dev eth1
+        sysctl -qw net.ipv4.ip_forward=1
+        ;;
+    H*)
+        ip addr add 10.0.${uts#H}.10/24 dev eth0
+        ip route add default via 10.0.${uts#H}.1
+        sysctl -qw net.ipv4.ip_forward=1
+        ;;
+    internet)
+        # Accurate simulation of Internet
+        ip addr add 192.0.2.10/24 dev eth0
+        ip route add default via 192.0.2.1
+        service nginx
+        # tail -f /var/log/nginx/access.log
+        ;;
+esac
diff --git a/lab-nat-gw1/vrrp-master b/lab-nat-gw1/vrrp-master
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# VMAC setup
+sysctl -qw net.ipv4.conf.${1}.arp_filter=0
+sysctl -qw net.ipv4.conf.${1}.accept_local=1
+sysctl -qw net.ipv4.conf.${1}.rp_filter=0
+
+# Conntrack sync
+conntrackd -C /mnt/lab/conntrackd.${uts}.conf -c