3.4 Firewall marks
FWM: FireWall Mark
The MARK target can be used to put a mark on specific packets:
--set-mark value
where value may be written in the form 0xffff, i.e. as a hexadecimal number
Firewall marks are used to classify packets, and the cluster service is then defined on the mark; this lets several different applications be scheduled through one and the same cluster service
Implementation:
Mark the packets on the Director host:
iptables -t mangle -A PREROUTING -d $vip -p $proto -m multiport --dports $port1,$port2,... -j MARK --set-mark NUMBER
Define the cluster service on the Director host based on the mark:
ipvsadm -A -f NUMBER [options]
Example:
[root@LVS ~]# iptables -t mangle -A PREROUTING -d 172.16.0.100 -p tcp -m multiport --dports 80,443 -j MARK --set-mark 7
[root@LVS ~]# ipvsadm -C
[root@LVS ~]# ipvsadm -A -f 7 -s rr
[root@LVS ~]# ipvsadm -a -f 7 -r 10.0.0.7 -g
[root@LVS ~]# ipvsadm -a -f 7 -r 10.0.0.17 -g
[root@LVS ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
FWM 7 rr
-> 10.0.0.7:0 Route 1 0 0
-> 10.0.0.17:0 Route 1 0 0
[root@LVS ~]# cat /proc/net/ip_vs
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
FWM 00000007 rr
-> 0A000011:0000 Route 1 0 0
-> 0A000007:0000 Route 1 0 0
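The two steps above (mark in mangle/PREROUTING, then define the service with -f) are easy to get out of sync when the mark in --set-mark and the mark in -f are typed separately. The script below is an added example, not code from the original notes: it builds both steps from one set of parameters, validates the mark and port list, and by default only prints the commands (DRY_RUN=1) so it can be reviewed before being run as root on the Director. The VIP, ports, mark and real-server addresses in the demo call are the ones from the example above; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): generate, and optionally
# apply, the Director-side commands of the FWM procedure above.
# VIP, protocol, ports, mark, scheduler and real servers are parameters.

# Print the commands for one FWM cluster service, one per line.
# Usage: fwm_service_cmds VIP PROTO PORTS MARK SCHED "RS1 RS2 ..."
fwm_service_cmds() {
    vip=$1; proto=$2; ports=$3; mark=$4; sched=${5:-rr}; rs_list=$6

    # --set-mark and -f must carry the same value, so validate it once:
    # a plain decimal integer (the notes use 7)
    case $mark in
        ''|*[!0-9]*) echo "fwm_service_cmds: bad mark '$mark'" >&2; return 1 ;;
    esac
    # -m multiport --dports expects a comma-separated list of port numbers
    case $ports in
        ''|*[!0-9,]*) echo "fwm_service_cmds: bad port list '$ports'" >&2; return 1 ;;
    esac
    [ -n "$rs_list" ] || { echo "fwm_service_cmds: no real servers given" >&2; return 1; }

    # Step 1: tag traffic to the VIP on these ports before routing (mangle/PREROUTING)
    echo "iptables -t mangle -A PREROUTING -d $vip -p $proto -m multiport --dports $ports -j MARK --set-mark $mark"
    # Step 2: the cluster service is keyed by the mark, not by address:port
    echo "ipvsadm -A -f $mark -s $sched"
    # Step 3: real servers are attached to the same mark; -g = direct routing, as in the notes
    for rs in $rs_list; do
        echo "ipvsadm -a -f $mark -r $rs -g"
    done
}

# DRY_RUN=1 (the default) only prints; DRY_RUN=0 executes the commands
# on the Director, which needs root and stops at the first failing command.
apply_fwm_service() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        fwm_service_cmds "$@"
    else
        fwm_service_cmds "$@" | sh -e
    fi
}

# Demo with the values from the notes' example (prints in dry-run mode)
apply_fwm_service 172.16.0.100 tcp 80,443 7 rr "10.0.0.7 10.0.0.17"
```

Run it with DRY_RUN=0 only on the Director itself; the printed form is also handy for keeping the rule set under version control next to the ipvsadm -Ln output you expect to see afterwards.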
3.5 LVS persistent connections
Session binding: when several cluster services share the same group of RSs, they need to be bound together as a unit; the lvs sh scheduler cannot do this
Persistent connection (lvs persistence) template: regardless of the scheduling algorithm in use, requests coming from the same address are sent to the same RS for a period of time (360s by default)
ipvsadm -A|E -t|u|f service-address [-s scheduler] [-p [timeout]]
Ways of implementing persistent connections:
- Persistence per port (PPC): each port is defined as its own cluster service, and each cluster service is scheduled separately
- Persistence per firewall mark (PFWMC): the cluster service is defined on a firewall mark; applications on several ports can be scheduled as a unit, the so-called port affinity
- Persistence per client (PCC): the cluster service is defined on port 0 (meaning all services), so all of a client's requests to any application are scheduled to the same backend host; it must be defined in persistent mode
[root@LVS ~]# man ipvsadm
-p, --persistent [timeout]
Specify that a virtual service is persistent. If this option is speci‐
fied, multiple requests from a client are redirected to the same real
server selected for the first request. Optionally, the timeout of per‐
sistent sessions may be specified given in seconds, otherwise the
default of 300 seconds will be used. This option may be used in con‐
junction with protocols such as SSL or FTP where it is important that
clients consistently connect with the same real server.
# The man page shows a default of 300s, but the actual default is 360s. This is an error in the man page; take note
Example:
[root@LVS ~]# ipvsadm -E -f 7 -p
[root@LVS ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
FWM 7 wlc persistent 360
-> 10.0.0.7:0 Route 1 0 0
-> 10.0.0.17:0 Route 1 0 0
[root@LVS ~]# ipvsadm -E -f 7 -p 3600
[root@LVS ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
FWM 7 wlc persistent 3600
-> 10.0.0.7:0 Route 1 0 0
-> 10.0.0.17:0 Route 1 0 0
[root@LVS ~]# cat /proc/net/ip_vs_conn
Pro FromIP FPrt ToIP TPrt DestIP DPrt State Expires PEName PEData
TCP C0A80006 AE72 AC100064 0050 0A000011 0050 FIN_WAIT 41
TCP C0A80006 AECE AC100064 0050 0A000011 0050 FIN_WAIT 63
TCP C0A80006 AE54 AC100064 0050 0A000011 0050 FIN_WAIT 12
TCP C0A80006 AE52 AC100064 0050 0A000011 0050 FIN_WAIT 11
TCP C0A80006 AE7A AC100064 0050 0A000011 0050 FIN_WAIT 43
TCP C0A80006 AE70 AC100064 0050 0A000011 0050 FIN_WAIT 40
TCP C0A80006 AE80 AC100064 0050 0A000011 0050 FIN_WAIT 48
TCP C0A80006 AE8C AC100064 0050 0A000011 0050 FIN_WAIT 49
TCP C0A80006 AE88 AC100064 0050 0A000011 0050 FIN_WAIT 49
TCP C0A80006 AEDA AC100064 0050 0A000011 0050 FIN_WAIT 64
TCP C0A80006 AEDE AC100064 0050 0A000011 0050 FIN_WAIT 64
[root@LVS ~]# ipvsadm -Lnc
IPVS connection entries
pro expire state source virtual destination
TCP 01:04 FIN_WAIT 192.168.0.6:44658 172.16.0.100:80 10.0.0.17:80
TCP 01:26 FIN_WAIT 192.168.0.6:44750 172.16.0.100:80 10.0.0.17:80
TCP 00:35 FIN_WAIT 192.168.0.6:44628 172.16.0.100:80 10.0.0.17:80
TCP 00:34 FIN_WAIT 192.168.0.6:44626 172.16.0.100:80 10.0.0.17:80
TCP 00:05 CLOSE 192.168.0.6:55042 172.16.0.100:443 10.0.0.17:443
TCP 01:07 FIN_WAIT 192.168.0.6:44666 172.16.0.100:80 10.0.0.17:80
TCP 00:07 CLOSE 192.168.0.6:55050 172.16.0.100:443 10.0.0.17:443
TCP 01:03 FIN_WAIT 192.168.0.6:44656 172.16.0.100:80 10.0.0.17:80
TCP 00:06 CLOSE 192.168.0.6:55046 172.16.0.100:443 10.0.0.17:443
TCP 01:11 FIN_WAIT 192.168.0.6:44672 172.16.0.100:80 10.0.0.17:80
TCP 01:12 FIN_WAIT 192.168.0.6:44684 172.16.0.100:80 10.0.0.17:80
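The two listings above show the same thing in two encodings: /proc/net/ip_vs_conn prints addresses as raw hex (C0A80006 is 192.168.0.6, 0A000011 is 10.0.0.17), while ipvsadm -Lnc decodes them. What a practitioner wants to confirm from either is that persistence is actually holding, i.e. that each client address is bound to exactly one RS across all its connections, including the port-80 and port-443 ones that the firewall mark ties together. The script below is an added example, not code from the original notes: it decodes the hex form, groups the connection table by client, and reports how many distinct real servers each client reached. The sample tables are constructed from the notes' own output, plus one extra line that deliberately breaks the binding; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): check from the raw IPVS
# connection table (/proc/net/ip_vs_conn, hex-encoded addresses) that
# persistence binds every client address to exactly one real server.

# 8 hex digits -> dotted decimal, e.g. C0A80006 -> 192.168.0.6
hex2ip() {
    n=$((0x$1))
    printf '%d.%d.%d.%d' $((n >> 24 & 255)) $((n >> 16 & 255)) \
                         $((n >> 8 & 255)) $((n & 255))
}

# Read a conn table on stdin; print one line per client:
#   <client-ip> <distinct-RS-count> <RS-ip ...>
persistence_report() {
    awk 'NR > 1 && NF >= 6 {            # skip the header line
             if (!(($2, $6) in seen)) {   # $2 = FromIP, $6 = DestIP
                 seen[$2, $6] = 1
                 rs[$2] = rs[$2] " " $6
                 cnt[$2]++
             }
         }
         END { for (c in cnt) print c, cnt[c], rs[c] }' |
    sort |
    while read -r client n servers; do
        line="$(hex2ip "$client") $n"
        for s in $servers; do
            line="$line $(hex2ip "$s")"
        done
        printf '%s\n' "$line"
    done
}

# Exit 0 when every client maps to a single RS, 1 otherwise.
check_persistence() {
    persistence_report | awk 'BEGIN { bad = 0 } $2 != 1 { bad = 1 } END { exit bad }'
}

# Constructed sample 1: lines taken from the notes' /proc/net/ip_vs_conn output
# (one client, every connection bound to 0A000011 = 10.0.0.17)
BOUND='Pro FromIP FPrt ToIP TPrt DestIP DPrt State Expires PEName PEData
TCP C0A80006 AE72 AC100064 0050 0A000011 0050 FIN_WAIT 41
TCP C0A80006 AECE AC100064 0050 0A000011 0050 FIN_WAIT 63
TCP C0A80006 AE54 AC100064 0050 0A000011 0050 FIN_WAIT 12'

# Constructed sample 2: same client, but one HTTPS connection (port 01BB = 443)
# went to 0A000007 = 10.0.0.7, which is what you would see without persistence
BROKEN="$BOUND
TCP C0A80006 AE80 AC100064 01BB 0A000007 01BB FIN_WAIT 48"

# Stand-alone demo: report for the bound table
printf '%s\n' "$BOUND" | persistence_report
```

On a live Director the same functions run against the real table with `persistence_report < /proc/net/ip_vs_conn`; a client line whose count is greater than 1 means a request escaped the persistence template (for example because the template expired between requests, or because the service is persistent on one port but not on another that the same client also uses).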