nftables packet filter release 0.9.1

After a year of development, the nftables 0.9.1 packet filter has been released. It is developed as a replacement for iptables, ip6tables, arptables and ebtables, unifying the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the packet-filter components that run in user space, while at the kernel level the work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13.

The kernel level provides only a generic, protocol-independent interface with basic functions for extracting data from packets, performing operations on that data, and controlling flow.
The filtering logic itself and the protocol-specific handlers are compiled to bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed in a dedicated virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach makes it possible to greatly reduce the amount of filtering code running at the kernel level and to move all rule parsing and protocol handling logic into user space.

Main new features:

  • IPsec support, which allows matching tunnel addresses on a per-packet basis, the IPsec request ID, and the SPI (Security Parameter Index) tag. For example:

    ... ipsec in ip saddr 192.168.1.0/24
    ... ipsec in spi 1-65536

    It is also possible to check whether the route passes through an IPsec tunnel. For example, to block traffic that does not go through IPsec:

    ... filter output rt ipsec missing drop

  • Support for IGMP (Internet Group Management Protocol). For example, a rule can be used to count incoming IGMP group membership queries:

    nft add rule netdev foo bar igmp type membership-query counter

  • The ability to use variables to define the target chains of transitions (jump/goto). For example:

    define dest = ber
    add rule ip foo bar jump $dest

  • Support for an OS-fingerprinting match (osf) based on the TTL value in the header. For example, to mark packets according to the sender's OS, the following command can be used:

    ... meta mark set osf ttl skip name map { "Linux" : 0x1,
                                              "Windows" : 0x2,
                                              "MacOS" : 0x3,
                                              "unknown" : 0x0 }
    ... osf ttl skip version "Linux:4.20"
  • The ability to match the sender's ARP address and the target system's IPv4 address. For example, to count ARP packets sent from the address 192.168.2.1, the following rule can be used:

    table arp x {
        chain y {
            type filter hook input priority filter; policy accept;
            arp saddr ip 192.168.2.1 counter packets 1 bytes 46
        }
    }

  • Support for transparently redirecting requests through a proxy (tproxy). For example, to redirect connections to port 80 to proxy port 8080:

    table ip x {
        chain y {
            type filter hook prerouting priority -150; policy accept;
            tcp dport 80 tproxy to :8080
        }
    }

  • Support for socket marks, where the mark that was set can later be retrieved via setsockopt() with SO_MARK. For example:

    table inet x {
        chain y {
            type filter hook prerouting priority -150; policy accept;
            tcp dport 8080 mark set socket mark
        }
    }
  • Support for specifying chain priorities by textual name. For example:

    nft add chain ip x raw { type filter hook prerouting priority raw; }
    nft add chain ip x filter { type filter hook prerouting priority filter; }
    nft add chain ip x filter_later { type filter hook prerouting priority filter + 10; }

  • Support for SELinux labels (Secmark). For example, to define the label "sshtag" in an SELinux context, run:

    nft add secmark inet filter sshtag "system_u:object_r:ssh_server_packet_t:s0"

    Then use this label in rules:

    nft add rule inet filter input tcp dport 22 meta secmark set "sshtag"

    nft add map inet filter secmapping { type inet_service : secmark; }
    nft add element inet filter secmapping { 22 : "sshtag" }
    nft add rule inet filter input meta secmark set tcp dport map @secmapping
  • The ability to specify the port assigned to a protocol in textual form, as defined in the /etc/services file. For example:

    nft add rule x y tcp dport "ssh"
    nft list ruleset -l
    table x {
        chain y {
            ...
            tcp dport "ssh"
        }
    }

  • The ability to check the kind of a network interface. For example:

    add rule inet raw prerouting meta iifkind "vrf" accept

  • Improved support for updating the contents of sets by explicitly specifying the dynamic flag. For example, to update the set "s" by adding the source address and expiring the entry if no packets arrive for 30 seconds:

    add table x
    add set x s { type ipv4_addr; size 128; timeout 30s; flags dynamic; }
    add chain x y { type filter hook input priority 0; }
    add rule x y update @s { ip saddr }
  • The ability to define separate timeout policies. For example, to override the default timeouts for packets going to port 8888, you can specify:

    table ip filter {
        ct timeout m-tcp {
            protocol tcp;
            l3proto ip;
            policy = { established: 100, close_wait: 4, close: 4 }
        }
        chain output {
            ...
            tcp dport 8888 ct timeout set "m-tcp"
        }
    }

  • NAT support for the inet family:

    table inet nat {
        ...
        ip6 daddr dead::2::1 dnat to dead:2::99
    }
  • Improved reporting of typos:

    nft add chain filter test

    Error: No such file or directory; did you mean table 'filter' in family ip?
    add chain filter test
              ^^^^^^

  • The ability to specify interface names in sets:

    set sc {
        type inet_service . ifname
        elements = { "ssh" . "eth0" }
    }

  • Updated flowtable rules:

    nft add table x
    nft add flowtable x ft { hook ingress priority 0; devices = { eth0, wlan0 }; }
    ...
    nft add rule x forward ip protocol { tcp, udp } flow add @ft

  • Improved JSON support.
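The following ruleset is an added example, not part of the release notes or the nftables project: it combines several of the 0.9.1 features listed above (a set with "flags dynamic", service names from /etc/services, and named chain priorities) into a small inet ruleset that records and logs new SSH clients. The interface name "eth0" and the table and set names are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the release notes): track new SSH clients in a
# dynamic set and log them from a second chain at a later priority.
# The interface name "eth0" is an assumption.
table inet filter {
    # Sources that recently opened an SSH connection. Each matching packet
    # refreshes the entry; it expires 30 s after the last one.
    set ssh_clients {
        type ipv4_addr
        size 1024
        timeout 30s
        flags dynamic
    }

    chain input {
        # "filter" is the textual priority name introduced in 0.9.1.
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        # New SSH connection on the uplink: record the client, count it, accept.
        iifname "eth0" tcp dport "ssh" ct state new update @ssh_clients { ip saddr } counter accept
    }

    # Runs after "input" (priority filter + 10). Packets accepted by an
    # earlier base chain still traverse later base chains on the same hook;
    # dropped packets do not, so only accepted SSH traffic reaches this chain.
    chain audit {
        type filter hook input priority filter + 10; policy accept;
        # Log new SSH connections whose source was just recorded in the set.
        tcp dport "ssh" ct state new ip saddr @ssh_clients log prefix "ssh-new: "
    }
}
```

Check the syntax without loading it with `nft -c -f <file>`; entries can then be inspected with `nft list set inet filter ssh_clients`.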

source: budenet.ru