This document describes how the layer-4 (TCP) CLB service obtains the real client IP address via TOA in hybrid cloud deployment and NAT64 CLB scenarios.
Only NAT64 CLB instances in Beijing, Shanghai, and Guangzhou regions can obtain the real client IP address via TOA.
Only layer-4 (TCP) CLB instances can obtain the real client IP address via TOA, while layer-4 (UDP) and layer-7 (HTTP/HTTPS) CLB instances cannot.
This feature is in beta testing. To try it out, please submit a ticket.
Use Cases
Hybrid cloud deployment
In hybrid cloud deployment scenarios, IP addresses of the IDC and VPC may overlap, so an SNAT IP address is required. For the server, the real client IP address is invisible and needs to be obtained via TOA.
NAT64 CLB
In NAT64 CLB scenarios, the real client IPv6 address is translated to a public IPv4 address, which is invisible to the real server.
In this case, the real client IP address can be obtained via TOA, that is, the TCP packets transmit the real client IP address to the server after you insert the real client IP address into the field TCP option, and the client can obtain the real client IP address by calling the API of the TOA kernel module.
Restrictions
Resource limits
The kernel version of the TOA compilation environment must be consistent with that of the service environment.
In a container environment, the TOA kernel module needs to be loaded in the host.
To load the TOA kernel module, the root permission is required.
Compatibility limits
Compatibility limitsUDP listeners cannot obtain the real client IP address via TOA.
If TOA-related operations are already performed on devices between the client and the real server, the real server may fail to obtain the real client IP address.
After TOA is inserted, it takes effect only on new connections.
TOA may degrade the server performance as it needs to perform additional processing such as extracting the address from the field TCP option.
Compatibility issues may come up when Tencent Cloud TOA is used with other user-defined TOA modules.
Tencent Cloud TOA is embedded in TencentOS and can be used to obtain the real client IP address in hybrid cloud deployment scenarios. If the server is run on TencentOS and deployed in a hybrid cloud, you can directly run the command modprobe toa to load TOA. If the server is run on Linux, Linux TOA should be used instead.
2. After decompression is completed, run the cd command to access the decompressed folder and run the following module loading command:
insmod toa.ko
3. Run the following command to check whether TOA has been loaded. If you see the message "toa load success", the loading is successful.
dmesg -T |grep TOA
4. After TOA is loaded, load the toa.ko file in the startup script (the toa.ko file needs to be reloaded if the server is restarted).
5. (Optional) If TOA is no longer needed, run the following command to uninstall it:
rmmod toa
6. (Optional) Run the following command to check whether the module is uninstalled. If you see the message "TOA unloaded", the uninstallation is successful.
dmesg -T
If you cannot find an installation package above for your OS version, you can download the general source package for Linux OS and compile it to obtain the toa.ko file. This general version supports most Linux distributions (e.g., CentOS 7, CentOS 8, Ubuntu 16.04, and Ubuntu 18.04).
Note:
Linux kernels and Linux distributions are varied, and that may cause compatibility issues. We recommend compiling the TOA source package on your OS before using it.
1. Download the source package.
Note:
If your OS is Linux, download the Linux TOA source package; if it is TencentOS, download the TLinux TOA source package.
2. To compile the Linux environment for TOA, you need to install the GCC compiler, Make tool, and kernel development package first.
Installation procedure on CentOS
yum install gcc
yum install make
//Install the kernel development package. The version of the package header file and library must be consistent with the kernel version.
yum install kernel-devel-`uname -r`
yum install devtoolset-8
Installation procedure on Ubuntu and Debian
apt-get install gcc
apt-get install make
//Install the kernel development package. The version of the package header file and library must be consistent with the kernel version.
apt-get install linux-headers-`uname -r`
apt-get install devtoolset-8
Installation procedure on SUSE
zypper install gcc
zypper install make
//Install the kernel development package. The version of the package header file and library must be consistent with the kernel version.
zypper install kernel-default-devel
zypper install devtoolset-8
3. Change the PATH environment variable to PATH=/opt/rh/devtoolset-8/root/bin:$PATH. Before compiling, make sure that the Kernel version matches the GCC version. You can run dmesg | grep 'Linux version' to check the Kernel version.
4. Compile the source package to generate the toa.ko file. If warning and error are not prompted during the compilation process, the compilation is successful. Take the source package for Linux OS as an example:
tar zxvf tgw_toa_linux_ver.tar.gz
cd tgw_toa_linux_ver//Enter the decompressed directory tgw_toa
make
5. After the compilation is successful, perform step 2 to load TOA.
Adapting the Real Sever
Hybrid cloud deployment
When adapting the real server in a hybrid cloud, you only need to call the standard Linux network programming API to obtain the real client IP address without code changes. The following shows a code sample.
struct sockaddr v4addr;
len = sizeof(struct sockaddr);
//`get_peer_name` is the standard Linux network programming API.
if (get_peer_name(client_fd, &v4addr, &len) == 0) {
To obtain the real client IP address in NAT64 CLB scenarios, you need to modify the source code after the toa.ko kernel module is inserted into the real server and TOA will pass the IP address to the real server.
1. Define a data structure to store the IP address.
struct toa_nat64_peer {
struct in6_addr saddr;
uint16_t sport;
};
....
struct toa_nat64_peer client_addr;
....
2. Define TOA variables and make calls to obtain the real client IPv6 address.
To obtain the real client IP address in the scenario where NAT64 CLB is used in a hybrid cloud, you need to modify the source code after the toa.ko kernel module is inserted into the real server and TOA will pass the IP address to the real server.
A complete configuration sample is as follows:
//Define TOA variables. Set `TOA_BASE_CTL` to 4096.
enum {
TOA_BASE_CTL = 4096,
TOA_SO_SET_MAX = TOA_BASE_CTL,
TOA_SO_GET_LOOKUP = TOA_BASE_CTL,
TOA_SO_GET_MAX = TOA_SO_GET_LOOKUP,
};
//Define a data structure to store the IP address.
struct toa_nat64_peer {
struct in6_addr saddr;
uint16_t sport;
};
//Declare the variable that is used to store the address.
struct toa_nat64_peer client_addr_nat64;
.......
//Get the file descriptor of the client, where `listenfd` is the listening file descriptor of the server.
//Make calls to get the real client IP in the NAT64 scenario.
char from[40];
int len = sizeof(struct toa_nat64_peer);
int ret;
ret = getsockopt(client_fd, IPPROTO_IP, TOA_SO_GET_LOOKUP, &client_addr_nat64, &len);
To ensure execution stability, this kernel module allows you to monitor status. After inserting the toa.ko kernel module, you can monitor the TOA working status on the host of the container in either of the following ways.
Method 1: Checking the IPv6 address stored in TOA
Run the following command to check the IPv6 address stored in TOA:
Note:
Executing this command may degrade performance. Proceed with caution.
cat /proc/net/toa_table
Method 2: Checking TOA metrics
Run the following command to check TOA metrics:
cat /proc/net/toa_stats
The monitoring metrics are described as follows:
Metric
Description
syn_recv_sock_toa
Receives connections with TOA information.
syn_recv_sock_no_toa
Receives connections without TOA information.
getname_toa_ok
This count increases when you call getsockopt and obtain the source IP address successfully or when you call accept to receive client requests.
getname_toa_mismatch
This count increases when you call getsockopt and obtain a source IP address that does not match the required type. For example, if a client connection contains a source IPv4 address whereas you obtain an IPv6 address, the count will increase.
getname_toa_empty
This count increases when the getsockopt function is called in a client file descriptor that does not contain TOA.
ip6_address_alloc
Allocates space to store the information when TOA obtains the source IP address and source port saved in the TCP data packet.
ip6_address_free
When the connection is released, TOA will release the memory previously used to save the source IP and source port. If all connections are closed, the total count of ip6_address_alloc for each CPU should be equal to the count of this metric.
FAQs
Why do I need to modify the server program after TOA is inserted for NAT64 CLB?
This is because that the client IPv4 address is converted to an IPv6 address in the hybrid cloud deployment scenario, which is different from the NAT64 CLB scenario where the client IP type remains unchanged. Therefore, you need to modify the server program so that the server can understand the IPv6 address.
How do I know my OS is based on the Linux distribution or TLinux kernel?
Run the following command to check your kernel version. If you see tlinux in the command output, you are using TLinux OS, while linux indicates that you are using Linux OS.
uname -a
You can also check the version by running the following command. If tlinux or tl2 is returned, you are using TLinux OS.
rpm -qa | grep kernel
How do I perform preliminary checks when I failed to obtain the source IP address?
1. Run the following command to check whether TOA has been loaded:
lsmod |grep toa
2. Check whether the server program has made correct calls to obtain the source IP address. You can refer to Adapting the Real Sever.
3. Capture TCP packets on the server and check whether the packets contain the source IP information.
If unknown-200 is displayed in the tcp option output, the real client IP address after SNAT is inserted into the field tcp option.
If unknown-253 is displayed, the real client IPv6 address is inserted in the NAT64 scenario.
4. If the packet containing the TOA address has been sent to the server, compile toa.ko to a DEBUG version, and further locate the problem through kernel logs. In the downloaded TOA source directory, add the DEBUG compilation option to the make file.
5. Run the following commands to compile again:
make clean
make
6. Run the following commands to uninstall the original toa.ko file and install the latest one.
rmmod toa
insmod ./toa.ko
7. Run the following command to observe kernel logs.
dmesg -Tw
If you see the following message, TOA is working normally. You can further check whether the server program has made calls to obtain the real client IP address, or whether the API is used incorrectly.
8. If you failed to find out the problem with the preceding steps, please submit a ticket.
Yes
No
Was this page helpful?