1 引言

在使用Keepalived部署DNS(nsd)高可用集群时，不使用LVS，仅仅使用Keepalived实现双主模式，在另外一台服务器发起dig，出现reply from unexpected source。

dig @192.168.0.51 www.example.com

;; reply from unexpected source: 192.168.0.3#53, expected 192.168.0.51#53

192.168.0.51未VIP，192.168.0.3为网卡原始ip
在服务器上抓包，的确收到目的地址为192.168.0.51的报文，但是回复报文的源IP却变为192.168.0.3，但是奇怪一点的是使用tcp模式发起dig请求却是正常的。

2 IP_TRANSPARENT简介

经过网络了解，发现有个socket选项IP_TRANSPARENT是针对类似问题，查看Linux manual有：

IP_TRANSPARENT (since Linux 2.6.24)
Setting this boolean option enables transparent proxying on
this socket. This socket option allows the calling applica‐
tion to bind to a nonlocal IP address and operate both as a
client and a server with the foreign address as the local end‐
point. NOTE: this requires that routing be set up in a way
that packets going to the foreign address are routed through
the TProxy box (i.e., the system hosting the application that
employs the IP_TRANSPARENT socket option). Enabling this
socket option requires superuser privileges (the CAP_NET_ADMIN
capability).

          TProxy redirection with the iptables TPROXY target also
          requires that this option be set on the redirected socket.

简单来说，使用这个选项可以socket绑定一个非本地的地址，实现所谓的透明代理（TProxy, Transparent Proxy）,通过Keepalived实现IP漂移时，VIP就是一个nonlocal IP,这段文字还是很难理解，包括解释不了为什么TCP可以而UDP却不可以的疑问，不过可以参考PowerDNS的一篇文章Linux transparent proxy support，解释的比较清楚。

3 IP_TRANSPARENT使用示例

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <iostream>

int create_other_sock()
{
    //
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    int ret = 0;
    int value = 1;
    ret = setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value));
    if(ret != 0)
    {
        std::cout << "setsockopt IP_TRANSPARENT failed" << std::endl;
        std::cout << strerror(errno) << std::endl;
        exit(1);
    }
    // local address is not belong the local machine
    struct sockaddr_in addr;
    addr.sin_family = AF_INET;
    addr.sin_port = htons(53);
    uint32_t addr_local = 0;
    ret = inet_pton(AF_INET, "192.168.50.100", &addr_local);
    if(ret != 1)
    {
        std::cout << "inet_pton failed" << std::endl;
        close(fd);
        exit(1);
    }
    addr.sin_addr.s_addr = addr_local;

    ret = bind(fd, (struct sockaddr*)&addr, sizeof(addr));
    if(ret !=0)
    {
        std::cout << strerror(errno) << std::endl;
        std::cout << "bind failed" << std::endl;
        exit(1);
    }
    return fd;
}

int main()
{
    int fd_other = create_other_sock();

    for(;;)
    {
        char buf[1024] = {0};
        struct sockaddr_in remote_addr;
        memset(&remote_addr, 0, sizeof(remote_addr));
        socklen_t addr_len;
        
        int len = recvfrom(fd_other, buf, 1024, 0, (struct sockaddr*)&remote_addr, &addr_len);
        std::cout << "len = " << len << std::endl;
        sendto(fd_other, buf, len, 0, (struct sockaddr*)&remote_addr, addr_len);
    }

    return 0;
};

发现使用了IP_TRANSPARENT可以绑定任意一个IP地址，包括8.8.8.8从而实现流量拦截。

3 nsd配置使用IP_TRANSPARENT

nsd.conf配置里有IP_TRANSPARENT的选项，

ip-address: 192.168.0.52
ip-address: 192.168.0.51

# Allow binding to non local addresses. Default no.
ip-transparent: yes

配置了重启nsd，再次dig就不会出现之前描述的问题，并且需要注意的是使用IP_TRANSPARENT监听IP列表里必须指明VIP列表，否则还是会出现问题。

4 参考文章

• Keepalived实现高可用-双主模式
• Linux透明代理