
LVS-DR load balancing mode: arp_announce and arp_ignore explained

LVS in DR mode requires ARP to be disabled; the meaning of the parameters involved is explained below.

arp_announce and arp_ignore

They are used to suppress ARP requests and are fairly hard to understand, so first look at the definitions from the Linux 2.6 kernel:

==============================arp_announce=============================

arp_announce - INTEGER Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on interface:

0 - (default) Use any local address, configured on any interface

1 - Try to avoid local addresses that are not in the target's subnet for this interface. This mode is useful when target hosts reachable via this interface require the source IP address in ARP requests to be part of their logical network configured on the receiving interface. When we generate the request we will check all our subnets that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet we select source address according to the rules for level 2.

2 - Always use the best local address for this target. In this mode we ignore the source address in the IP packet and try to select local address that we prefer for talks with the target host. Such local address is selected by looking for primary IP addresses on all our subnets on the outgoing interface that include the target IP address. If no suitable local address is found we select the first local address we have on the outgoing interface or on all other interfaces, with the hope we will receive reply for our request and even sometimes no matter the source IP address we announce. The max value from conf/{all,interface}/arp_announce is used. Increasing the restriction level gives more chance for receiving answer from the resolved target while decreasing the level announces more valid sender's information.

# Restricts, at the chosen level, which local IP address a network interface announces as the source of the ARP requests it sends: it defines different degrees of restriction for announcing the local source IP address in ARP requests sent on the interface

0 - (default) Use any local address on any network interface (eth0, eth1, lo)

1 - Try to avoid using local addresses that are not in this interface's subnet. This is useful when the hosts reached through this interface expect the source IP of the ARP request to belong to the network configured on their receiving interface. The kernel checks whether one of its own subnets on the interface contains the target IP and keeps the packet's source address if it belongs to such a subnet; if there is no such subnet, the address is chosen according to the rules of level 2.

2 - Use the most appropriate local address for the query target. In this mode the source address of the IP packet is ignored and the kernel tries to select the local address best suited to talk to that target. Preference goes to primary addresses on subnets of the outgoing interface that contain the target IP. If no suitable address is found, the first address of the current outgoing interface, or of another interface that might still receive the ARP reply, is used instead.

===========================arp_ignore============================ 

arp_ignore - INTEGER Define different modes for sending replies in response to received ARP requests that resolve local target IP addresses:

0 - (default): reply for any local target IP address, configured on any interface

1 - reply only if the target IP address is local address configured on the incoming interface

2 - reply only if the target IP address is local address configured on the incoming interface and both with the sender's IP address are part from same subnet on this interface

3 - do not reply for local addresses configured with scope host, only resolutions for global and link addresses are replied

4-7 - reserved

8 - do not reply for all local addresses

The max value from conf/{all,interface}/arp_ignore is used when ARP request is received on the {interface}

Defines the reply mode for ARP queries whose target address is a local IP:

0 - (default): reply to ARP queries for any local IP address, received on any network interface

1 - reply only if the target IP address is a local address configured on the receiving interface

2 - reply only if the target IP address is a local address configured on the receiving interface and the sender's IP is within that interface's subnet

3 - do not reply for local addresses that have host scope; reply only for addresses with global and link scope

4-7 - reserved, unused

8 - do not reply to ARP queries for any local address

arp_ignore set to 1 is fairly easy to understand: when another host's ARP request arrives, and the device that received it does not carry that IP, the host does not respond. The default is 0: as long as any device on the machine carries the IP, the host answers the ARP request with its MAC address.

arp_announce is harder to explain; first read this passage in English:

Assume that a linux box X has three interfaces - eth0, eth1 and eth2. Each interface has an IP address IP0, IP1 and IP2. When a local application tries to send an IP packet with IP0 through the eth2. Unfortunately, the target node's mac address is not resolved. The linux box X will send the ARP request to know the mac address of the target (or the gateway). In this case what is the IP source address of the "ARP request message"? The IP0 - the IP source address of the transmitting IP or IP2 - the outgoing interface? Until now (actually just 3 hours before) ARP request uses the IP address assigned to the outgoing interface (IP2 in the above example). However the linux's behavior is a little bit different. Actually the selection of source address in ARP request is totally configurable by the proc variable "arp_announce".

If we want to use the IP2 not the IP0 in the ARP request, we should change the value to 1 or 2. The default value is 0 - allow IP0 is used for ARP request.

It really comes down to the router. A router usually learns ARP entries dynamically (typically when DHCP is in use). When a machine on the internal network needs to send an IP packet to the outside, it asks for the router's MAC address by sending an ARP request, and that ARP request carries the machine's own IP address and MAC address. By default Linux uses the source IP of the IP packet as the source IP in the ARP request, rather than the address configured on the sending device. In an architecture like LVS, where every outgoing packet carries the same VIP as its source, the ARP request therefore contains the VIP together with the real server's MAC; the router receiving it updates its ARP cache accordingly, which is effectively IP spoofing: the VIP is hijacked by that real server and the setup breaks.

Why and when is the ARP cache updated? To reduce the number of ARP requests, when a host receives an ARP request asking for its own address it stores the source IP and source MAC in its ARP table, ready for the communication that follows. If the request is not for the host itself (ARP is broadcast, so everyone receives it), the packet is discarded, so the ARP table does not fill up with useless entries that would evict useful ones.

What happens when a host receives an ARP request packet? The ARP request is received and processed by all the hosts in the network, since it is a broadcast packet. The following steps are carried out when an ARP request packet is received by a host: If the IP address to be resolved is for this host, then the ARP module sends an ARP reply packet with its Ethernet MAC address. If the IP address to be resolved is for this host, then the ARP module updates its ARP cache with the source Ethernet MAC address to source IP address mapping present in the ARP request packet. If the entry is already present in the cache, it is overwritten. If it is not present, it is added. If the IP address to be resolved is not for this host, then the ARP module discards the ARP request packet.

Will a host update its ARP cache upon receiving any ARP request? A host will update its ARP cache, only if the ARP request is for its IP address. Otherwise, it will discard the ARP request.

What is the disadvantage if a host updates its ARP cache upon receiving any ARP request? The host will exhaust the ARP cache with a lot of unused ARP entries, if it updates the ARP cache for any ARP request.

If the router uses a static ARP table and the clients also use a static ARP entry for the gateway, these two values can basically be ignored. I also had a look at ***, which uses the PPPoE protocol and likewise does not need to handle ARP requests.

To see how many IPs are bound to a device: > ip addr show dev eth0

To bind additional IPs (temporary; where to make it persistent differs by operating system): > ip addr add x.x.x.x/32 dev eth0

To change arp_announce and arp_ignore temporarily:

echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_ignore

echo 2 > /proc/sys/net/ipv4/conf/eth0/arp_announce

To change them permanently, edit the sysctl configuration file:

If /etc/sysctl.conf is used in the system, we have this config in /etc/sysctl.conf

net.ipv4.conf.eth0.arp_ignore = 1

net.ipv4.conf.eth0.arp_announce = 2

In an LVS environment the following parameters need to be set:

echo "1" > /proc/sys/net/ipv4/conf/all/arp_ignore

echo "1" > /proc/sys/net/ipv4/conf/lo/arp_ignore

echo "2" > /proc/sys/net/ipv4/conf/lo/arp_announce

echo "2" > /proc/sys/net/ipv4/conf/all/arp_announce
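As an added example that is not part of the original post, the POSIX shell functions below check whether a real server's effective arp_ignore and arp_announce values meet the LVS-DR requirement set above, computing max(conf/all, conf/interface) the way the quoted kernel documentation says the kernel does, and print the matching persistent sysctl lines. The sysctl root directory argument is an assumption made for testing: it is /proc/sys on a live host, but the functions accept a constructed directory tree so they can run without root.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the effective ARP knobs on
# a real server against the LVS-DR requirement (arp_ignore >= 1, arp_announce >= 2).
# The first argument of each function is a sysctl root directory (an assumption
# made for testing): /proc/sys on a live host, or a constructed tree.

# read_knob <sysroot> <iface> <knob>: value of the knob, 0 if the file is absent
read_knob() {
    f="$1/net/ipv4/conf/$2/$3"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# effective_value <sysroot> <iface> <knob>: max(conf/all, conf/<iface>),
# which is what the kernel documentation quoted above says is used
effective_value() {
    a=$(read_knob "$1" all "$3")
    i=$(read_knob "$1" "$2" "$3")
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

# check_dr_realserver <sysroot> <iface>: succeeds only when the interface that
# receives and sends ARP (eth0 in the post) will neither answer ARP for a VIP
# held on lo nor announce the VIP as the ARP source address
check_dr_realserver() {
    ign=$(effective_value "$1" "$2" arp_ignore)
    ann=$(effective_value "$1" "$2" arp_announce)
    [ "$ign" -ge 1 ] && [ "$ann" -ge 2 ]
}

# sysctl_lines <iface>: the persistent settings from the post, for /etc/sysctl.conf
sysctl_lines() {
    printf 'net.ipv4.conf.all.arp_ignore = 1\n'
    printf 'net.ipv4.conf.%s.arp_ignore = 1\n' "$1"
    printf 'net.ipv4.conf.all.arp_announce = 2\n'
    printf 'net.ipv4.conf.%s.arp_announce = 2\n' "$1"
}

# Stand-alone use on a Linux host (reading /proc/sys needs no privileges):
#   sh arpcheck.sh --live eth0
if [ "${1:-}" = "--live" ]; then
    if check_dr_realserver /proc/sys "${2:-eth0}"; then
        echo "${2:-eth0}: ARP settings are safe for an LVS-DR real server"
    else
        echo "${2:-eth0}: VIP would be announced or answered; add to /etc/sysctl.conf:"
        sysctl_lines "${2:-eth0}"
    fi
fi
```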

Reposted from: https://blog.51cto.com/sohudrgon/1598122
