Use VTOA to obtain the real address of a client after address translation - Alibaba Cloud Linux

In FULLNAT scenarios, such as when Anti-DDoS Proxy is used, the address of a client is translated to the address of a FULLNAT node. To obtain the real address of the client, you can connect to a backend server that runs the Alibaba Cloud Linux 3 operating system with kernel version 5.10.134-15 or later and on which VTOA is installed, and then call the getsockopt or getpeername function by using the TCP Option Address (TOA) protocol. IPv4 and IPv6 addresses are supported.

Limits

Operating system requirements: Alibaba Cloud Linux 3 with kernel version 5.10.134-15 or later

Note

To query the kernel version of an image, run the uname -r command.

Scenarios

Anti-DDoS Proxy: The client address of the user in a request is translated on the forwarding node in the FULLNAT network. The forwarding node in the following figure is an Anti-DDoS node. The TOA mechanism is enabled on the Anti-DDoS node, which encapsulates the client information, including the real IP address and port number of the client, into a TCP option and delivers the information to the backend origin server. The backend origin server uses VTOA to obtain the real IP address of the client.

Alibaba Cloud Content Delivery Network (CDN) acceleration: Service requests from a client are forwarded by an Alibaba Cloud CDN point of presence (POP) to an origin server. The origin server uses VTOA to obtain the real address of the client.

Install and configure VTOA

Warning

VTOA can change the behaviors of the system when the system calls the getpeername function. This may impact your business in unexpected ways. Before you install VTOA, make sure that you actually require the feature.

Install and uninstall VTOA

Install VTOA.
```
sudo yum install vtoa -y
```
Uninstall VTOA.
```
sudo yum remove vtoa -y
```

Note

After the installation is complete, VTOA takes effect. By default, VTOA automatically starts on system startup. After the uninstallation is complete, VTOA becomes invalid.

Configure VTOA

VTOA takes effect immediately after it is installed. By default, VTOA automatically starts on system startup. In most cases, you do not need to configure VTOA.

Start VTOA.
```
sudo systemctl start vtoa
```
Stop VTOA.
```
sudo systemctl stop vtoa
```
Configure VTOA to automatically start on system startup.
```
sudo systemctl enable vtoa
```
Prevent VTOA from automatically starting on system startup.
```
sudo systemctl disable vtoa
```
Check the status of VTOA.
```
systemctl status vtoa
```

Obtain the real address of a client

After VTOA is started, you can call the getsockopt or getpeername function to obtain the real address of a client.

(Recommended) Call the getsockopt function

Important

Make sure that the kernel version is 5.10.134-17 or later. To query the kernel version, run the uname -r command.

VTOA provides a new parameter: optname, which can be used to obtain the real address of a client. You must set the optname parameter to 1348. Sample C code:

struct sockaddr caddr;
int optlen = sizeof(caddr);
int optname = 1348;

getsockopt(fd, IPPROTO_IP, optname, &caddr, &optlen);
// The value of the caddr.sa_family parameter may be AF_INET, which indicates an IPv4 address, or AF_INET6, which indicates an IPv6 address.

Call the getpeername function

Important

Call the getpeername function in Alibaba Cloud Linux 3 with kernel version 5.10.134-15 or later. The function may be deprecated in the future.

After VTOA is started, VTOA returns real client address information. Sample C code:

struct sockaddr caddr;
int caddr_len = sizeof(caddr);

getpeername(fd, &caddr, &caddr_len);
// The value of the caddr.sa_family parameter may be AF_INET, which indicates an IPv4 address, or AF_INET6, which indicates an IPv6 address.
// The accept() function can also be used to obtain the real address of a client. The usage is similar to the getpeername function.

Supported TOA option formats

The address information that VTOA resolves is carried by a TCP option and must meet specific format requirements. If a TCP option does not meet the format requirements, VTOA ignores the TCP option. This does not affect applications and is equivalent to not starting VTOA.

For IPv4 TOA, the opcode value is 254.

The opsize value is 8 and the ip and port values are in network order.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     opcode    |    opsize     |              port             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                              ip                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

For IPv6 TOA, the opcode value is 253.

The opsize value is 20 and the ip and port values are in network order.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     opcode    |    opsize     |              port             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                                                               +
   |                                                               |
   +                              ip                               +
   |                                                               |
   +                                                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+