1 引言

在使用Keepalived部署DNS(nsd)高可用集群時溪北，不使用LVS肉盹，僅僅使用Keepalived實現(xiàn)雙主模式，在另外一臺服務(wù)器發(fā)起dig，出現(xiàn)reply from unexpected source沪么。

dig @192.168.0.51 www.example.com

;; reply from unexpected source: 192.168.0.3#53, expected 192.168.0.51#53

192.168.0.51未VIP，192.168.0.3為網(wǎng)卡原始ip
在服務(wù)器上抓包锌半，的確收到目的地址為192.168.0.51的報文禽车，但是回復(fù)報文的源IP卻變?yōu)?code>192.168.0.3，但是奇怪一點的是使用tcp模式發(fā)起dig請求卻是正常的刊殉。

2 IP_TRANSPARENT簡介

經(jīng)過網(wǎng)絡(luò)了解殉摔，發(fā)現(xiàn)有個socket選項IP_TRANSPARENT是針對類似問題，查看Linux manual有：

IP_TRANSPARENT (since Linux 2.6.24)
Setting this boolean option enables transparent proxying on
this socket. This socket option allows the calling applica‐
tion to bind to a nonlocal IP address and operate both as a
client and a server with the foreign address as the local end‐
point. NOTE: this requires that routing be set up in a way
that packets going to the foreign address are routed through
the TProxy box (i.e., the system hosting the application that
employs the IP_TRANSPARENT socket option). Enabling this
socket option requires superuser privileges (the CAP_NET_ADMIN
capability).

          TProxy redirection with the iptables TPROXY target also
          requires that this option be set on the redirected socket.

簡單來說记焊，使用這個選項可以socket綁定一個非本地的地址逸月，實現(xiàn)所謂的透明代理（TProxy, Transparent Proxy）,通過Keepalived實現(xiàn)IP漂移時，VIP就是一個nonlocal IP,這段文字還是很難理解遍膜，包括解釋不了為什么TCP可以而UDP卻不可以的疑問碗硬，不過可以參考PowerDNS的一篇文章Linux transparent proxy support，解釋的比較清楚瓢颅。

3 IP_TRANSPARENT使用示例

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <iostream>

int create_other_sock()
{
    //
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    int ret = 0;
    int value = 1;
    ret = setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value));
    if(ret != 0)
    {
        std::cout << "setsockopt IP_TRANSPARENT failed" << std::endl;
        std::cout << strerror(errno) << std::endl;
        exit(1);
    }
    // local address is not belong the local machine
    struct sockaddr_in addr;
    addr.sin_family = AF_INET;
    addr.sin_port = htons(53);
    uint32_t addr_local = 0;
    ret = inet_pton(AF_INET, "192.168.50.100", &addr_local);
    if(ret != 1)
    {
        std::cout << "inet_pton failed" << std::endl;
        close(fd);
        exit(1);
    }
    addr.sin_addr.s_addr = addr_local;

    ret = bind(fd, (struct sockaddr*)&addr, sizeof(addr));
    if(ret !=0)
    {
        std::cout << strerror(errno) << std::endl;
        std::cout << "bind failed" << std::endl;
        exit(1);
    }
    return fd;
}

int main()
{
    int fd_other = create_other_sock();

    for(;;)
    {
        char buf[1024] = {0};
        struct sockaddr_in remote_addr;
        memset(&remote_addr, 0, sizeof(remote_addr));
        socklen_t addr_len;
        
        int len = recvfrom(fd_other, buf, 1024, 0, (struct sockaddr*)&remote_addr, &addr_len);
        std::cout << "len = " << len << std::endl;
        sendto(fd_other, buf, len, 0, (struct sockaddr*)&remote_addr, addr_len);
    }

    return 0;
};

發(fā)現(xiàn)使用了IP_TRANSPARENT可以綁定任意一個IP地址恩尾，包括8.8.8.8從而實現(xiàn)流量攔截。

3 nsd配置使用IP_TRANSPARENT

nsd.conf配置里有IP_TRANSPARENT的選項挽懦，

ip-address: 192.168.0.52
ip-address: 192.168.0.51

# Allow binding to non local addresses. Default no.
ip-transparent: yes

配置了重啟nsd翰意，再次dig就不會出現(xiàn)之前描述的問題，并且需要注意的是使用IP_TRANSPARENT監(jiān)聽IP列表里必須指明VIP列表信柿，否則還是會出現(xiàn)問題冀偶。

4 參考文章

• Keepalived實現(xiàn)高可用-雙主模式
• Linux透明代理