CONTENTS (click to jump below):

• Pending development:
  Resizable Hash Tables: v2 release candidate
• Linux Advanced Routing:
  • Routing and NAT extensions for Linux (2.2, 2.4, 2.6/3.x, Nano-HOWTO from Christoph Simon)
  • medium_id - IPv4 Bridging for Linux
  • rp_filter_mask - Extending the Reverse Path Protection for mediums
  • Bridging Extensions - IP Mode
  • Send-To_Self - Send traffic to self externally (loop)
  • rtmasq - Restore ROUTE MASQ (RTCF_MASQ) in Netfilter
• Linux ARP extensions:
  • "hidden" device flag for Linux
  • ip arp - ARP filtering via netlink
  • "noarp" flag for routes in Linux
  • Restrict announcing local src IPs in ARP requests - arp_announce
• Linux IPVS tools and extensions:
  • LVS director as gateway in DR/TUN setups
  • IPVS Netfilter connection tracking support
  • Misc LVS patches
  • TestLVS - throughput testing tool
  • Netparse - App for parsing network streams
• Linux QoS:
  • QoS Backport from Linux 2.4.19 to 2.2.21
• Patch combinations
• Docs and HOWTOs
• more, look below

Software

Netparse

• perform service health checks in cluster environments
• analyze the network data using regular expressions
• work with many streams in parallel

• Netparse 0.9 - netparse-0.9.tar.gz - April 23, 2002 Old versions

Testlvs

• Simple throughput testing tool for the Linux Virtual Server

• Testlvs 0.1 - testlvs-0.1.tar.gz - September 22, 2000

Linux Patches

The FAQ: How to apply these patches?

The answer: /usr/src/linux # patch -p1 < file.diff

To test before actual change: /usr/src/linux # patch -p1 --dry-run < file.diff

Note: you need the -p1 option for all patches

- For solving ARP problems

The "hidden" device flag is included in the Linux 2.2 kernel series starting from 2.2.14. You still need to apply some of the patches for Linux 2.4+. Read hidden.txt for more information about this feature.

Solution 1: Device "hidden" flag (same flag as in Linux 2.2)

• Change the ARP behavior for addresses attached to specific interface: (1) don't reply for broadcast probes (2) don't announce the addresses in the ARP probes (3) the addresses are not selected by the source address autoselection mechanism: hidden-5.16-1.diff - (5.16 - 5.19, 6.0 - 6.8) (Jan 29, 2022). Old versions

  Solution 2: ip arp - ARP filtering via netlink

  Ability to filter and alter ARP request and replies - ip arp. The code is mostly stolen from Alexey Kuznetsov's iproute2 modules, so most of the iparp parameters correspond to other similar parameters in other commands. For more information read iparp.txt
  Kernel patches (For LVS users: apply this patch on your real servers):
  • arprules-6.8-3.diff - (6.8)(Mar 13, 2024). Old versions
  User space patch:
  • iproute2-6.8-1-iparp-1.diff ip arp for iproute2-6.8.0.tar.gz - (2.6 - 6.8) (Mar 13, 2024). Old versions

  Solution 3: Per-route ARP flag

• noarp-2.4.28-1.diff - May 27, 2001. Per-route ARP handling. Requires iproute2-noarp-1.diff in user space. This patch includes another patch from Andrey Savochkin <saw@saw.sw.com.sg> that changes the arp_filter handling. Please, recompile your "ip" binary after 2.4.23
  The patch is known to work on Linux:
  • 2.4.28 - 2.4.36
  Old:
  <2.4.26 - 2.4.27> <2.4.23 - 2.4.25>
• iproute2-050816-noarp-1.diff - August 20, 2005. Patch against iproute2-050816.tar.gz: per-route ARP handling.
  Old:
  iproute2-noarp-1.diff for iproute2-2.2.4-now-ss001007.tar.gz - May 27, 2001.
• route-noarp.txt - May 27, 2001. Description for noarp-2.4.5-1.diff and iproute2-noarp-1.diff

  Solution 4: arp_announce flag

• arp_announce-2.6.2-4.diff - February 8, 2004. Define different restriction levels for announcing the local source IP address from IP packets in ARP requests. Included in Linux 2.6.4 as solution for IPVS setups instead of the hidden flag which is obsoleted and only maintained. Should be used for ARP devices, not for loopback. See your linux/Documentation/networking/ip-sysctl.txt file for more info about the arp_announce and arp_ignore device flags.
  The patch is known to work on Linux:
  • 2.6.2-bk
  Old versions:
  <3> <2> <1>

- Combinations:

• Jumbo patch containing the following parts:
  • routes-2.X.*.diff (static_routes, alt_routes, nf_reroute but without arp_prefsrc functionality, it is replaced by arprules and rp_filter_mask)
  • hidden-2.X.*.diff (conf/*/hidden)
  • arprules-2.X.*.diff (iparp/arprules support)
  • rp_filter_mask-2.X.*.diff (conf/*/rp_filter_mask)
  • forward_shared-2.X.*.diff (conf/*/forward_shared)
  • send-to-self-2.X.*.diff (conf/*/loop, included March 3, 2004, up to Linux 3.5)
  patch-6.8-ja1.diff - (6.8)(Mar 13, 2024). Old versions

• hidden-forward_shared-noarp-2.4.28-3.diff - December 4, 2001. Patch containing the following parts: hidden-2.4.*.diff, forward_shared-2.4.*.diff, noarp-2.4.*.diff, Please, recompile your "ip" binary after 2.4.23
  The patch is known to work on Linux:
  • 2.4.28 - 2.4.36
  Old versions:
  <2.4.26 - 2.4.27> <2.4.25> <2.4.23 - 2.4.24> <2.4.20 - 2.4.22> <2> <1>

• routes-hidden-forward_shared-noarp-2.4.16-2.diff - December 14, 2001. Patch containing the following parts: routes-2.4.*-6.diff, hidden-2.4.*.diff, forward_shared-2.4.*.diff, noarp-2.4.*.diff,
  The patch is known to work on Linux:
  • 2.4.16 - 2.4.18

- LVS director as gateway in Direct Routing and Tunnel setups

By default, the Linux kernels drop packets with local source address from the forward path as "source martians". This is not controlled from the rp_filter flags. The following patches try to relax this rule and to allow the LVS director to be used as (default) gateway from real servers that send packets with VIP source, i.e. when the same IP is configured on the LVS director.

• Use the LVS director as gateway from real servers in Direct Routing setup, patch for the director (/proc/sys/net/ipv4/conf/XXX/forward_shared):
  forward_shared-5.16-2.diff - (5.16 - 5.19, 6.0 - 6.8)(Jan 29, 2022). Old versions
  To enable the feature use:

  echo 1 > /proc/sys/net/ipv4/conf/all/forward_shared
  

  Then to activate it just for traffic from internal device eth0 use:

  echo 1 > /proc/sys/net/ipv4/conf/eth0/forward_shared
  

  For more information read Documentation/networking/ip-sysctl.txt. This patch may not be needed starting from Linux 3.6 where rp_filter=0 may not restrict the traffic with saddr that is our local IP. Users that use rp_filter=1 for internal interfaces can also use accept_local=1 instead of applying this patch and using forward_shared=1.

• Patch combining hidden-*.diff and forward_shared-*.diff
  • hidden-forward_shared-2.6.34-2.diff - (2.6.34 - 2.6.35)(May 18, 2010). Old versions

• fib-2215pre9-1.diff and its instructions fib-2215pre9-1.txt - Use the LVS director as gateway from real servers in Direct Routing setup, patch for the director against Linux 2.2.15pre9 +
  The patch is known to work on Linux:
  • 2.2.15 - 2.2.25
• fib-245-1.diff - June 2, 2001. Use the LVS director as gateway from real servers in Direct Routing setup, patch for the director against Linux 2.4.5 +. Use the 2.2 instructions
  The patch is known to work on Linux:
  • 2.4.5 - 2.4.36
• fib-240-1.diff - March 11, 2001.

- Linux kernel patches

Static, Alternative Routes, Dead Gateway Detection, NAT

The following patches extend the routing functionality in Linux to support static routes (defined by user), new way to use the alternative routes, the reverse path protection (rp_filter), the NAT processing to use correctly the routing when multiple gateways are used.
Christoph Simon wrote document about using Linux with many internet connections: Nano-HOWTO (nano.txt)
You can also use the user's guide dgd-usage.txt and development status dgd.txt. There is example script from Robert Kurjata that you can tune: mpath2.sh. You can also look at my unfinished work about creating mpath.sh script: mpath/.
LokiWall Project ( https://sourceforge.net/projects/lokiwall/) uses the 2.6 version of the patch for its Dual Routing feature. Note that Lokiwall development has been stalled as of 18-02-2011.
Alternative solution without using the patch is to use Netfilter CONNMARK. Example script (not much tested): mpath_connmark.tgz.
Patches for Linux 2.6/3.x/4.x/5.x:

• routes-6.4-17.diff - (6.4 - 6.8)(Jun 26, 2023). Old versions

  Patch containing all following parts (applied in the same order), apply after disabling the IP_ROUTE_MULTIPATH_CACHED config option (it is removed from 2.6.23+):

  • 00_static_routes-6.0-15.diff (6.0 - 6.8)(Jan 14, 2023). Old versions
    Static routes
  • 01_alt_routes-6.4-12.diff (6.4 - 6.8)(Jun 26, 2023). Old versions
    Alternative routes
  • 01_arp_prefsrc-2.5.50-5.diff
    Always use the preferred source as source address in our ARP probes. Dropped starting from 2.6.4, use the arp_announce=2 interface flag instead.
  • 05_nf_reroute-6.0-17.diff (6.0 - 6.8)(Jan 14, 2023) Old versions
    Routing and Netfilter changes (MASQUERADE, DNAT, ipchains and ipfwadm done), SNAT completed but needs match by gateway when two route paths use same device.
For setups using BRIDGE_NETFILTER and with lots of "dst cache overflow" messages caused by leaked routing cache entries, the 14th version of the patch is recommended (which starts from 2.6.20). For 2.6.20 and below (13th or 12th version of routes patch) an additional (standalone) patch for bridge-netfilter is provided (it should work on older kernels too): brnf_dst-2.6.20-1.diff
Patches for Linux 2.4:

• routes-2.4.29-9.diff - (2.4.29-2.4.36)(Jan 20, 2005). Patch containing all following parts (applied in the same order):
  • 00_static_routes-2.4.22-8.diff - Static routes ( <2.4.19 - 2.4.21> <6> <5> )
  • 01_alt_routes-2.4.28-8.diff - Alternative routes ( <2.4.19 - 2.4.28> <5> )
  • 01_arp_prefsrc-2.4.12-5.diff - Always use the preferred source as source address in our ARP probes. Dropped starting from 2.4.26, use the arp_announce=2 interface flag instead.
  • 05_nf_reroute-2.4.29-9.diff - Routing and Netfilter changes (MASQUERADE, DNAT, ipchains and ipfwadm done), SNAT completed but needs match by gateway when two route paths use same device ( <2.4.27 - 2.4.28> <2.4.24 - 2.4.26> <2.4.23> <2.4.20 - 2.4.22> <5> )
Old routes-2.4.* versions:
<2.4.27 - 2.4.28> <2.4.27 - 2.4.28> <2.4.26> <2.4.24 - 2.4.25> <2.4.23> <2.4.22> <2.4.20 - 2.4.21> <8> <6> <5> (Dec 14, 2001)
Patches for Linux 2.2:

• routes-2.2.20-7.diff - (2.2.19 - 2.2.25)(Feb 3, 2002). Patch containing all following parts (applied in the same order):
  • 00_static_routes-2.2.20-6.diff - Static routes ( <4> )
  • 01_alt_routes-2.2.20-7.diff - Alternative routes ( <4> )
  • 01_arp_prefsrc-2.2.19-4.diff - Always use the preferred source as source address in our ARP probes
  • 02_masq_csum_reroute-2.2.20-7.diff - Connection rerouting and incremental checksum updates ( <4> )
  • 05_key_gw-2.2.20-7.diff - Use the gateway address as routing key ( <4> )
Old routes-2.2.* versions:
<6> <4> (Oct 14, 2001)
Patches for LVS: the LVS users have to apply IPVS 1.0.8 before all these patches:
• routes-2.2.20-IPVS-1.0.8-7.diff - February 3, 2002. If they are applied one by one the differences from the previous list of individual patches include: 02_masq_csum_reroute-2.2.20-IPVS-1.0.8-7.diff (known to compile, old versions: <4> ) instead of 02_masq_csum_reroute-2.2.19-4.diff and finally 06_key_gw-2.2.20-IPVS-1.0.8-4.diff (known to compile)
Additional and obsoleted patches:

• 06_hidden-routes-2.4.14-1.diff - November 26, 2001. This patch is not included in routes-2.4.*. It is just the hidden device flag ported for the LVS users that need also the routes-2.4.* patch applied before that. It is created from hidden-2.4.5-1.diff by removing the change in arp_solicit which is obsoleted from 01_arp_prefsrc-2.4.*

• freeswan-1.94-routes-1.diff - Whit Blauvelt <whit@transpect.com>, December 20, 2001. This patch is not included in routes-2.4.*. It allows freeswan to be used together with the routes-2.*.diff patches. Not required for routes-2.4.19-8.* and up.

• cipe-1.5.2-routes-1.diff - Roberto Nibali <ratz@tac.ch>, January 18, 2002. This patch is not included in routes-2.*. It allows CIPE to be used together with the routes-2.*.diff patches. Not required for routes-2.4.19-8.* and up.

• dgd-2.2.19-4.diff, its user's guide dgd-usage.txt and its development status dgd.txt - October 14, 2001. Extends the dead gateway detection and the alternative routes in Linux 2.2.19+. The patch is already obsoleted by the above routes-* patches.
The patch is known to work on Linux:
• 2.2.19 - 2.2.25
Old versions:
<1> <2> <3>
This patch is already separated in two parts: static_routes and alt_routes which you see above.

Differentiation by Medium ID (IPv4 Bridging)

The following patches add more control over the proxy ARP feature in Linux by differentiating the input and the output device by the medium they are attached to. The feature is similar to the bridging functionality but depends on the routes. This simplifies other functions such as firewalling, QoS, etc. For more information explaining the feature see medium_id.txt.
• medium_id-2.4.18-2.diff - (2.4.16 - 2.4.18)(Mar 5, 2002). Old: <1> (Dec 8, 2001)
• medium_id-2.2.20-2.diff - (2.2.20 - 2.2.25)(Mar 5, 2002) Old: <1> (Dec 11, 2001)

Extended reverse path protection for mediums: rp_filter_mask

The following patches extend the rp_filter protection and allow the access to be relaxed based on the medium id values for the interfaces. The bitmask value contains bits for the medium identifiers 1..31 (0 is reserved) that are treated in same security zone as the configured interface. The traffic is accepted if the reverse path points to medium that has the corresponding bit set. Useful for setups with asymmetric routing or setups including multiple interfaces attached to same medium. See bridging.txt for examples.
• rp_filter_mask-6.1-1.diff - (6.1 - 6.8)(Jan 14, 2023). Old versions

Bridging Extensions - IP Mode

The following patches extend the Linux Bridging by providing IP Mode for the master bridge interfaces. With the help from other features we can build setups with asymmetric routing, full inspection of the IP traffic forwarded between the slave ports, etc. For more information explaining the feature see bridging.txt
• bridge-utils-1.4-ipmode-1.diff - July 13, 2010. User space patch against bridge-utils-1.4.tar.gz
• bridge-utils-1.0.4-ipmode-1.diff - June 17, 2004. User space patch against bridge-utils-1.0.4.tar.gz
• bridge-utils-0.9.5-ipmode-1.diff - July 2, 2002. User space patch against bridge-utils-0.9.5.tar.gz
• bridge-ipmode-6.4-2.diff - (6.4 - 6.8)(Jun 26, 2023). Old versions
  Kernel patch

Send-To-Self (loop)

The following patch implements routing of traffic between local IP addresses externally via ethernet interfaces. For more information explaining the feature see send-to-self.txt
Not maintained starting from Linux 3.6 due to performance reasons (route is not cached). Use ip rules instead (and rp_filter=0 and accept_local=1 for the receiving interfaces).
• send-to-self-3.4-1.diff - (3.4 - 3.5)(May 21, 2012). Old versions

ROUTE MASQ for Netfilter

The following patch restores the RTCF_MASQ usage present in Linux 2.2 to 2.4. By this way the "ip rule add ... nat EXTIP" syntax can work as replacement for multiple iptables/ipchains NAT rules. The assumption is that the route masquerading will simplify the NAT rules when the host talks with many networks. Works for both iptables and ipchains, rtmasq uses their NAT code for connection setup, even if you don't use them to add NAT rules. The route nat rules have more priority compared to the respective netfilter NAT rules.
• rtmasq-2.4.20-2.diff - (2.4.20 - 2.4.36)(Nov 29, 2002). Old: <1> (Jan 20, 2002)
• rtmasq-2.4.20-routes9-2.diff - March 6, 2003, Patch against routes v9 (routes-2.4.20-9.diff - routes-2.4.24-9.diff).
• rtmasq-2.6.0-test1-1.diff - July 27, 2003. 2.6.0-test1 - 2.6.8

Routing extension: lsrc for ip_route_input

The following patch (which is extracted from 05_nf_reroute-2.4.*, extended but only compiled) exports a new routing function: ip_route_input_lookup which can be used to resolve input route by supplying a local source IP. This allows packets that are still not SNAT-ed to be routed accordingly to the new source IP address that they will use after routing time. This helps Netfilter to use multipath routes with paths through distinct networks - problem not visible when the ISPs allow source address spoofing.
• rtlsrc-2.4.29-2.diff - January 20, 2005. (2.4.29 - 2.4.36)
• rtlsrc-2.4.17-2.diff - February 4, 2002. (2.4.17 - 2.4.28, 2.5.39)

- LVS patches

• ops-2.4.32-1.diff - November 2, 2001. (2.4.32 - 2.4.36) <2.4.26 - 2.4.31>
  Patch to allow one-packet scheduling for UDP connections. When the fwmark-based or normal virtual service is marked with '-o' or '--ops' options all connections are created only to schedule one packet. Useful to schedule UDP packets from same client port to different real servers. Recommended with RR or WRR schedulers (the connections are not visible with ipvsadm -L).
  Patch for ipvsadm: ops-ipvsadm-1.21-1.diff
• fastcsum-1.0.8-2.2.19-1.diff - October 9, 2001. Use incremental checksum updates for LVS-NAT and masquerade connections. Against IPVS 1.0.8 for Linux 2.2.19. Candidate for 1.0.9.

Docs and HOWTOs

• LVS.txt - June 17, 2018. Design notes for IPVS for Linux 2.4/2.6/3.x/4.x
• LVS_IPSEC.txt - February 17, 2002. Supporting IPSec protocols in LVS (development HOWTO)
• L4-NAT-HOWTO.txt - June 21, 2001. LVS-NAT troubleshooting HOWTO
• TUN-HOWTO.txt - April 2, 2020. LVS-TUN troubleshooting HOWTO
• fib.txt - February 2, 2008. Forwarding Information Base in Linux
• neigh.pu - State diagram of Linux Neighbour (PlantUML code) and its image - neigh.png - February 11, 2023.

Last update on: Mar 13, 2024
Julian Anastasov <ja@ssi.bg>