背景说明:
iptables的contrack模块,因为业务量大,而导致drop packet的状况,现针对线上机器进行灰度,灰度的原则是:没有使用iptable,则将其禁用并修改hash表,如果有使用iptables,则直接修改hash表即可。
脚本内容:
#!/bin/bash iptables_init="/etc/init.d/iptables" date=`date +%F` #将5.9和6.3系统的iptables相关的模块禁用,包括conntrack,filter表,nat表,mangle表 function disable_modules_5.9() { cat >/etc/modprobe.d/kugou.conf <<EOF install nfnetlink /bin/true install ip_conntrack /bin/true install xt_conntrack /bin/true install ip6_tables /bin/true install ip6table_filter /bin/true install iptable_filter /bin/true install ebtables /bin/true install ebtable_nat /bin/true install ip_nat /bin/true install iptable_nat /bin/true install iptable_mangle /bin/true install ip6table_mangle /bin/true EOF sed -i ‘s/^[[:space:]]*//g‘ /etc/modprobe.d/kugou.conf } function disable_modules_6.3() { cat >/etc/modprobe.d/kugou.conf <<EOF install nfnetlink /bin/true install nf_conntrack /bin/true install nf_defrag_ipv4 /bin/true install nf_conntrack_ipv4 /bin/true install ip6_tables /bin/true install ip6table_filter /bin/true install iptable_filter /bin/true install ebtable_nat /bin/true install ebtables /bin/true install nf_nat /bin/true install iptable_nat /bin/true install iptable_mangle /bin/true install ip6table_mangle /bin/true EOF sed -i ‘s/^[[:space:]]*//g‘ /etc/modprobe.d/kugou.conf } #调整5.9和6.3系统的内核bucket参数,包括conntrack支持最大的数目和会话超时时间 function setup_bucket_5.9() { cp ${iptables_init} /root/iptables-${date} sed -i ‘/\<ip_conntrack_max\>/ d‘ ${iptables_init} sed -i ‘/\<ip_conntrack_tcp_timeout_syn_recv\>/ d‘ ${iptables_init } sed -i ‘/\<ip_conntrack_tcp_timeout_established\>/ d‘ ${iptables_init} sed -i ‘/touch $VAR_SUBSYS_IPTABLES/ i\ echo 1048576 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max‘ ${iptables_init} sed -i ‘/touch $VAR_SUBSYS_IPTABLES/ i\ echo 30 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv‘ ${iptables_init} sed -i ‘/touch $VAR_SUBSYS_IPTABLES/ i\ echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established‘ ${iptables_init} echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established echo 30 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv echo 1048576 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max } function setup_bucket_6.3() { cp ${iptables_init} /root/iptables-${date} sed -i ‘/\<nf_conntrack_max\>/ d‘ ${iptables_init} sed -i ‘/\<nf_conntrack_tcp_timeout_established\>/ d‘ ${iptables_init} sed -i "/touch $VAR_SUBSYS_IPTABLES/ i\ echo 655350 > /proc/sys/net/nf_conntrack_max" ${iptables_init} sed -i "/touch $VAR_SUBSYS_IPTABLES/ i\ echo 655350 > /proc/sys/net/netfilter/nf_conntrack_max" ${iptables_init} sed -i "/touch $VAR_SUBSYS_IPTABLES/ i\ echo 60 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established" ${iptables_init} echo 1048576 > /proc/sys/net/nf_conntrack_max echo 1048576 > /proc/sys/net/netfilter/nf_conntrack_max echo 60 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established } #禁用iptables客户端 function disable_iptables_client() { if [ -e /sbin/iptables ];then mv /sbin/iptables /sbin/selbatpi else echo "iptables客户端已经设置好" fi } function warn_logs() { if [ -e /usr/bin/curl ];then curl http://10.1.2.128/iptables_on >/dev/null fi } #功能调用,对于已经开启iptables的机器,调整bucket参数,告警上报;对于未开启的iptables的机器,则调整bucket参数,禁用模块,禁用iptables客户端 function main() { cp ${iptables_init} ${date}-iptables osversion=`awk ‘{print $3}‘ /etc/redhat-release` case ${osversion} in 5.[0-9]) if [ `lsmod |grep iptables | wc -l` -eq 0 ];then disable_modules_5.9 disable_iptables_client else warn_logs fi setup_bucket_5.9 ;; 6.[0-6]) if [ `lsmod |grep iptables | wc -l` -eq 0 ];then disable_modules_6.3 disable_iptables_client else warn_logs fi setup_bucket_6.3 ;; *) echo "当前操作系统版本不支持,对应的版本为:${osversion}" exit 1 ;; esac } main
时间: 2024-11-03 21:36:37