Software
Netparse
- perform service health checks in cluster environments
- analyze the network data using regular expressions
- work with many streams in parallel
Testlvs
- Simple throughput testing tool for the Linux Virtual Server
Linux Patches
The FAQ: How to apply these patches?
The answer: /usr/src/linux # patch -p1 < file.diff
To test before actual change: /usr/src/linux # patch -p1 --dry-run < file.diff
Note: you need the -p1 option for all patches
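The FAQ answer above, as an added example that is not part of the original page: a small POSIX sh wrapper that applies a diff the way the note describes, with the --dry-run first and the real run only when every hunk applied cleanly. GNU patch in PATH is assumed; the tree, file name and diff used by the demo are constructed here and stand in for /usr/src/linux and one of the patches listed on this page.

```sh
#!/bin/sh
# Added example, not from the original page. -p1 strips the leading "a/"
# or "b/" path component used in the diffs, --dry-run checks that every
# hunk applies, and the real run only happens when the dry run succeeded.
# Assumed: GNU patch in PATH; ROOT is the top of the source tree, which
# the page calls /usr/src/linux.

# apply_diff ROOT FILE -> 0 if applied, 1 if the dry run rejected a hunk
apply_diff() {
    root=$1; diff=$2
    # -N turns an already-applied hunk into a failure instead of a prompt
    # to reverse it; -s keeps only error messages.
    if ! patch -d "$root" -p1 -N -s --dry-run < "$diff"; then
        echo "dry run failed for $diff, tree left untouched" >&2
        return 1
    fi
    patch -d "$root" -p1 -N -s < "$diff"
}

# make_demo DIR: constructed one-file "kernel" tree in DIR and a matching
# unified diff in DIR.diff, carrying the a/ and b/ prefixes that -p1 strips
make_demo() {
    mkdir -p "$1/net/ipv4"
    printf 'int arp_ignore = 0;\nint arp_announce = 0;\n' > "$1/net/ipv4/arp.c"
    cat > "$1.diff" <<'EOF'
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -1,2 +1,2 @@
-int arp_ignore = 0;
+int arp_ignore = 1;
 int arp_announce = 0;
EOF
}

# demo: returns 0 when the diff applies once, the file is changed, and a
# second attempt is rejected by the dry run (hunk already applied)
demo() {
    t=$(mktemp -d)
    make_demo "$t/linux"
    apply_diff "$t/linux" "$t/linux.diff" || return 1
    grep -q 'int arp_ignore = 1;' "$t/linux/net/ipv4/arp.c" || return 1
    if apply_diff "$t/linux" "$t/linux.diff" 2>/dev/null; then return 1; fi
    rm -rf "$t"
}
```

Running `demo` applies the constructed diff to the constructed tree and then shows the property worth having when several of the patches on this page are stacked: a second application is refused before anything is written, so the tree is never left half-patched.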
- For solving ARP problems
The "hidden" device flag is included in the Linux 2.2 kernel series
starting from 2.2.14. For Linux 2.4 and later you still need to apply
one of the patches below. Read hidden.txt for more information about
this feature.
Solution 1: Device "hidden" flag (same flag as in Linux 2.2)
- Changes the ARP behavior for addresses attached to a specific
interface: (1) no replies to broadcast probes for them, (2) the
addresses are not announced in ARP probes, (3) the addresses are not
selected by the source address autoselection mechanism:
hidden-6.9-1.diff -
(6.9 - 6.11) (May 21, 2024).
Old versions
Solution 2: ip arp - ARP filtering via netlink
Ability to filter and alter ARP requests and replies - ip arp.
The code is mostly borrowed from Alexey Kuznetsov's iproute2
modules, so most of the iparp parameters correspond to similar
parameters in other ip commands. For more information read
iparp.txt
Kernel patches (for LVS users: apply this patch on your real servers):
User space patch:
Solution 3: Per-route ARP flag
- noarp-2.4.28-1.diff - May 27, 2001.
Per-route ARP handling. Requires
iproute2-noarp-1.diff in user space. This patch includes another
patch from Andrey Savochkin <saw@saw.sw.com.sg> that changes the
arp_filter handling. Please recompile your "ip" binary for
kernels 2.4.23 and later.
The patch is known to work on Linux:
Old:
- iproute2-050816-noarp-1.diff - August 20, 2005.
Patch against iproute2-050816.tar.gz: per-route ARP handling.
Old:
iproute2-noarp-1.diff for
iproute2-2.2.4-now-ss001007.tar.gz - May 27, 2001.
- route-noarp.txt - May 27, 2001.
Description for noarp-2.4.5-1.diff and iproute2-noarp-1.diff
Solution 4: arp_announce flag
- arp_announce-2.6.2-4.diff - February 8, 2004.
Defines different restriction levels for announcing the local
source IP address from IP packets in ARP requests.
Included in Linux 2.6.4 as the solution for IPVS setups,
replacing the hidden flag, which is obsolete and only maintained
as an out-of-tree patch. Should be used on ARP devices, not on loopback.
See your linux/Documentation/networking/ip-sysctl.txt
file for more info about the arp_announce and arp_ignore
device flags.
The patch is known to work on Linux:
Old versions:
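The point behind Solution 1 and Solution 4 is the same: a real server in a Direct Routing setup carries the VIP on lo, and if it answers ARP for the VIP or uses the VIP as ARP sender address, the router's ARP cache ends up mapping the VIP to a real server's MAC and client traffic bypasses the director. The following added example, which is not code from the page or from the patches, checks a real server for that condition using only the mainline arp_ignore and arp_announce sysctls described in ip-sysctl.txt, and recognises the out-of-tree "hidden" flag on lo when a patched kernel provides it. It assumes the kernel's rule that the effective value is the maximum of conf/all and conf/<dev>, a real server with the VIP on lo, and takes the sysctl root directory as a parameter so it can be run against a constructed tree instead of /proc/sys.

```sh
#!/bin/sh
# Added example, not from the original page: check and apply the ARP
# settings for an LVS-DR real server that holds the VIP on lo.
# Assumed kernel semantics: effective value = max(conf/all/X, conf/<dev>/X);
# conf/<dev>/hidden exists only on kernels carrying the hidden-* patch.

# read_sysctl ROOT DEV NAME -> prints the value, or "-" if the file is absent
read_sysctl() {
    f="$1/net/ipv4/conf/$2/$3"
    if [ -r "$f" ]; then cat "$f"; else echo "-"; fi
}

# effective ROOT DEV NAME -> max(all, dev), as the kernel computes it
effective() {
    a=$(read_sysctl "$1" all "$3"); d=$(read_sysctl "$1" "$2" "$3")
    [ "$a" = "-" ] && a=0
    [ "$d" = "-" ] && d=0
    if [ "$a" -gt "$d" ]; then echo "$a"; else echo "$d"; fi
}

# check_realserver ROOT DEV -> 0 if DEV neither answers ARP for a VIP on lo
# nor announces it; 1 otherwise. ROOT is /proc/sys on a live host.
check_realserver() {
    root=$1; dev=$2; ok=0
    ign=$(effective "$root" "$dev" arp_ignore)
    ann=$(effective "$root" "$dev" arp_announce)
    hid=$(read_sysctl "$root" lo hidden)
    # Solution 1 (patched kernels): lo hidden=1 suppresses both behaviours
    if [ "$hid" = "1" ]; then
        echo "$dev: lo is hidden (patched kernel), VIP on lo not visible via ARP"
        return 0
    fi
    # arp_ignore 1 (or the stricter 2): reply only for addresses configured
    # on the receiving interface, so the VIP on lo is not answered on $dev
    case "$ign" in
        1|2) ;;
        *) echo "$dev: arp_ignore=$ign, would answer ARP for the VIP on lo"; ok=1 ;;
    esac
    # arp_announce 2: always use the best local address on the outgoing
    # interface as sender, so the VIP never shows up in ARP requests
    if [ "$ann" != "2" ]; then
        echo "$dev: arp_announce=$ann, VIP may be used as ARP sender address"; ok=1
    fi
    return $ok
}

# apply_realserver DEV: the usual configuration (needs root; not run by the test)
apply_realserver() {
    sysctl -w net.ipv4.conf.all.arp_ignore=1 net.ipv4.conf.all.arp_announce=2 \
        "net.ipv4.conf.$1.arp_ignore=1" "net.ipv4.conf.$1.arp_announce=2"
}
```

On a live real server, `check_realserver /proc/sys eth0` before and after `apply_realserver eth0` shows why the page says the flags belong on the ARP device and not on lo: the check is about what the Ethernet interface does with requests for an address it does not carry itself, and setting only conf/all is enough because of the max rule.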
- Combinations:
- Jumbo patch containing the following parts:
- routes-2.X.*.diff (static_routes, alt_routes, nf_reroute but without
arp_prefsrc functionality, it is replaced by arprules and rp_filter_mask)
- hidden-2.X.*.diff (conf/*/hidden)
- arprules-2.X.*.diff (iparp/arprules support)
- rp_filter_mask-2.X.*.diff (conf/*/rp_filter_mask)
- forward_shared-2.X.*.diff (conf/*/forward_shared)
- send-to-self-2.X.*.diff (conf/*/loop, included March 3, 2004, up to Linux 3.5)
patch-6.11-ja1.diff
- (6.11)(Sep 16, 2024).
Old versions
- hidden-forward_shared-noarp-2.4.28-3.diff - December 4, 2001.
Patch containing the following parts: hidden-2.4.*.diff,
forward_shared-2.4.*.diff, noarp-2.4.*.diff.
Please recompile your "ip" binary for kernels 2.4.23 and later.
The patch is known to work on Linux:
Old versions:
- routes-hidden-forward_shared-noarp-2.4.16-2.diff - December 14, 2001.
Patch containing the following parts: routes-2.4.*-6.diff, hidden-2.4.*.diff,
forward_shared-2.4.*.diff, noarp-2.4.*.diff.
The patch is known to work on Linux:
- LVS director as gateway in Direct Routing and Tunnel setups
By default, the Linux kernel drops packets with a local source address
from the forward path as "source martians". This is not controlled by
the rp_filter flags. The following patches relax this rule so that
the LVS director can be used as (default) gateway by real servers
that send packets with the VIP as source, i.e. when the same IP is
configured on the LVS director.
- Linux kernel patches
Static, Alternative Routes, Dead Gateway Detection, NAT
The following patches extend the routing functionality in Linux
to support user-defined static routes, a new way to use
alternative routes, reverse path protection (rp_filter) and
NAT processing that uses the routing correctly when multiple gateways
are used.
Christoph Simon wrote a document about using Linux with
many internet connections: Nano-HOWTO (nano.txt)
You can also use the user's guide dgd-usage.txt and
the development status dgd.txt. There is an
example script from Robert Kurjata that you can tune:
mpath2.sh.
You can also look at my unfinished work on the mpath.sh script:
mpath/.
The LokiWall Project (
https://sourceforge.net/projects/lokiwall/) uses the 2.6 version of the
patch for its Dual Routing feature.
Note that Lokiwall development has been stalled as of 18-02-2011.
An alternative solution without the patch is Netfilter
CONNMARK. Example script (not much tested):
mpath_connmark.tgz.
Patches for Linux 2.6 and later (3.x/4.x/5.x/6.x):
routes-6.11-17.diff
- (6.11)(Sep 16, 2024).
Old versions
Patch containing all following parts (applied in the same order);
apply after disabling the IP_ROUTE_MULTIPATH_CACHED config
option (it was removed in 2.6.23+):
For setups using BRIDGE_NETFILTER and with lots of "dst cache overflow"
messages caused by leaked routing cache entries, the 14th version
of the patch is recommended (which starts from 2.6.20).
For 2.6.20 and below (13th or 12th version of the routes patch) an
additional (standalone) patch for bridge-netfilter is provided
(it should work on older kernels too):
brnf_dst-2.6.20-1.diff
Patches for Linux 2.4:
routes-2.4.29-9.diff - (2.4.29-2.4.36)(Jan 20, 2005).
Patch containing all following parts (applied in the same order):
Old routes-2.4.* versions:
Patches for Linux 2.2:
routes-2.2.20-7.diff - (2.2.19 - 2.2.25)(Feb 3, 2002).
Patch containing all following parts (applied in the same order):
Old routes-2.2.* versions:
Patches for LVS: LVS users have to apply IPVS 1.0.8 before all these patches:
routes-2.2.20-IPVS-1.0.8-7.diff - February 3, 2002.
If they are applied one by one, the differences from the previous
list of individual patches are:
02_masq_csum_reroute-2.2.20-IPVS-1.0.8-7.diff (known to compile;
old versions: 4) instead of 02_masq_csum_reroute-2.2.19-4.diff, and finally
06_key_gw-2.2.20-IPVS-1.0.8-4.diff (known to compile)
Additional and obsoleted patches:
06_hidden-routes-2.4.14-1.diff - November 26, 2001.
This patch is not included in routes-2.4.*. It is just the
hidden device flag ported for the LVS users that also need the
routes-2.4.* patch applied before it. It is created from
hidden-2.4.5-1.diff by removing the change in arp_solicit,
which is made obsolete by 01_arp_prefsrc-2.4.*
freeswan-1.94-routes-1.diff - Whit Blauvelt <whit@transpect.com>, December 20, 2001.
This patch is not included in routes-2.4.*. It allows freeswan
to be used together with the routes-2.*.diff patches. Not required
for routes-2.4.19-8.* and up.
cipe-1.5.2-routes-1.diff - Roberto Nibali <ratz@tac.ch>, January 18, 2002.
This patch is not included in routes-2.*. It allows CIPE
to be used together with the routes-2.*.diff patches. Not
required for routes-2.4.19-8.* and up.
- dgd-2.2.19-4.diff, its
user's guide dgd-usage.txt and
its development status dgd.txt - October 14, 2001.
Extends the dead gateway detection and the alternative routes in Linux 2.2.19+.
The patch is superseded by the routes-* patches above.
The patch is known to work on Linux:
Old versions:
This patch has been split in two parts,
static_routes and alt_routes, which you see above.
Differentiation by Medium ID (IPv4 Bridging)
The following patches add more control over the proxy ARP feature
in Linux by differentiating the input and the output device by the
medium they are attached to. The feature is similar to the bridging
functionality but depends on the routes. This simplifies other
functions such as firewalling, QoS, etc. For more information
explaining the feature see
medium_id.txt.
Extended reverse path protection for mediums: rp_filter_mask
The following patches extend the rp_filter protection and allow the check
to be relaxed based on the medium id values of the interfaces. The
bitmask value contains bits for the medium identifiers 1..31 (0 is reserved)
that are treated as being in the same security zone as the configured interface.
Traffic is accepted if the reverse path points to a medium that has the
corresponding bit set. Useful for setups with asymmetric routing or
setups with multiple interfaces attached to the same medium.
See bridging.txt for examples.
Bridging Extensions - IP Mode
The following patches extend the Linux Bridging by providing IP Mode
for the master bridge interfaces. With the help from other features
we can build setups with asymmetric routing, full inspection of the
IP traffic forwarded between the slave ports, etc.
For more information explaining the feature see
bridging.txt
Send-To-Self (loop)
The following patch implements routing of traffic between local IP
addresses externally via ethernet interfaces.
For more information explaining the feature see
send-to-self.txt
Not maintained starting from Linux 3.6 due to performance
reasons (route is not cached). Use ip rules instead (and
rp_filter=0 and accept_local=1 for the receiving interfaces).
ROUTE MASQ for Netfilter
The following patch restores to Linux 2.4 the RTCF_MASQ usage present
in Linux 2.2. This way the "ip rule add ... nat EXTIP" syntax can work
as a replacement for multiple iptables/ipchains NAT rules. The assumption
is that route masquerading simplifies the NAT rules when
the host talks with many networks. Works for both iptables and ipchains:
rtmasq uses their NAT code for connection setup, even if you don't
use them to add NAT rules.
The route NAT rules take priority over the respective
netfilter NAT rules.
Routing extension: lsrc for ip_route_input
The following patch (which is extracted from 05_nf_reroute-2.4.*,
extended but only compile-tested) exports a new routing function,
ip_route_input_lookup,
which can be used to resolve the input route by supplying a local
source IP. This allows packets that are not yet SNAT-ed to
be routed according to the new source IP address that they will use
after routing. This helps Netfilter to use multipath routes
with paths through distinct networks - a problem not visible when
the ISPs allow source address spoofing.
- LVS patches
Docs and HOWTOs
- LVS.txt - June 17, 2018.
Design notes for IPVS for Linux 2.4/2.6/3.x/4.x
- LVS_IPSEC.txt - February 17, 2002.
Supporting IPSec protocols in LVS (development HOWTO)
- L4-NAT-HOWTO.txt - June 21, 2001.
LVS-NAT troubleshooting HOWTO
- TUN-HOWTO.txt - April 2, 2020.
LVS-TUN troubleshooting HOWTO
- fib.txt - February 2, 2008.
Forwarding Information Base in Linux
- neigh.pu -
State diagram of Linux Neighbour (PlantUML code) and its
image - neigh.png - February 11, 2023.
Last update on: Sep 16, 2024
Julian Anastasov <ja@ssi.bg>