ProHoster > Блог > labaran intanet > nftables fakiti tace sakin 0.9.4

nftables fakiti tace sakin 0.9.4

aka buga fakiti tace saki 0.9.4, Haɓakawa azaman maye gurbin iptables, ip6table, arptables da ebtables ta hanyar haɗa hanyoyin tace fakiti don IPv4, IPv6, ARP da gadoji na cibiyar sadarwa. Kunshin nftables ya haɗa da abubuwan tace fakiti waɗanda ke gudana a cikin sararin mai amfani, yayin da aikin matakin kernel ke samar da tsarin nf_tables, wanda ya kasance wani ɓangare na kernel na Linux tun lokacin da aka saki 3.13. Canje-canjen da suka wajaba don sakin nftables 0.9.4 don aiki an haɗa su a cikin reshen kernel na gaba Linux 5.6.

Matakan kernel yana ba da ƙa'idar ƙa'ida ta ƙa'ida mai zaman kanta wacce ke ba da ayyuka na asali don cire bayanai daga fakiti, aiwatar da ayyukan bayanai, da sarrafa kwarara. Ana tattara ƙa'idodin tacewa da ƙayyadaddun ƙa'idodin ƙa'idodi zuwa bytecode a cikin sarari mai amfani, bayan haka ana loda wannan bytecode a cikin kernel ta amfani da mahallin Netlink kuma ana aiwatar da shi a cikin kwaya a cikin na'ura ta musamman mai kama da BPF (Berkeley Packet Filters). Wannan tsarin yana ba ku damar rage girman lambar tacewa da ke gudana a matakin kernel kuma matsar da duk ayyukan ƙa'idodi da dabaru don aiki tare da ladabi zuwa sararin mai amfani.

Manyan sabbin abubuwa:

  • Taimako don jeri a cikin haɗin kai (haɗuwa, wasu tarin adireshi da tashoshin jiragen ruwa waɗanda ke sauƙaƙe kwatance). Misali, ga saitin “whitelist” wanda abubuwan da aka makala su ne, tantance tutar “tazara” zai nuna cewa saitin na iya haɗawa da jeri a cikin abin da aka makala (don abin da aka makala "ipv4_addr . ipv4_addr. inet_service" a baya yana yiwuwa a jera ainihin madaidaicin. matches na form "192.168.10.35. 192.68.11.123", kuma yanzu za ka iya saka kungiyoyin na adiresoshin "80-192.168.10.35-192.168.10.40"

    tebur ip foo {
    saita jerin abubuwan farin ciki {
    rubuta iPV4_addr. ipv4_addr. inet_service
    tazarar tutoci
    abubuwa = {192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125. 80}
    }

    sarkar sarka {
    irin tace ƙugiya prerouting fifiko tace; faduwar siyasa;
    ip sadar. ip baba. tcp dport @whitelist yarda
    }
    }

  • A cikin saiti da lissafin taswira, yana yiwuwa a yi amfani da umarnin "typeof", wanda ke ƙayyade tsarin kashi lokacin daidaitawa.
    Alal misali:

    tebur ip foo {
    saita jerin abubuwan farin ciki {
    nau'in ip saddr
    abubuwa = {192.168.10.35, 192.168.10.101, 192.168.10.135}
    }

    sarkar sarka {
    irin tace ƙugiya prerouting fifiko tace; faduwar siyasa;
    ip daddr @whitelist yarda
    }
    }

    tebur ip foo {
    taswira addr2mark {
    nau'in ip saddr: alamar meta
    abubuwa = {192.168.10.35: 0x00000001, 192.168.10.135: 0x00000002 }
    }
    }

  • Ƙara ikon yin amfani da haɗin gwiwa a cikin ɗaurin NAT, wanda ke ba ku damar ƙididdige adireshi da tashar jiragen ruwa lokacin da ke bayyana canje-canjen NAT dangane da jerin taswira ko saiti masu suna:

    nft ƙara mulkin ip nat pre dnat ip addr . tashar jiragen ruwa zuwa taswirar ip saddr {1.1.1.1: 2.2.2.2. talatin}

    nft ƙara taswirar ip nat inda ake nufi {buga ipv4_addr. inet_service: ipv4_addr. inet_service \; }
    nft add mulkin ip nat pre dnat ip addr . tashar jiragen ruwa zuwa ip saddr. tcp dport map @destinations

  • Taimako don haɓaka kayan masarufi tare da wasu ayyukan tacewa da katin cibiyar sadarwa ke gudanarwa. Ana kunna hanzari ta hanyar amfani da ethtool ("ethtool -K eth0 hw-tc-offload on"), bayan haka an kunna shi a cikin nftables don babban sarkar ta amfani da tutar "offload". Lokacin amfani da Linux kernel 5.6, ana tallafawa haɓaka kayan masarufi don daidaita filin kai da dubawa mai shigowa a hade tare da karɓa, zubarwa, kwafi (dup), da fakitin turawa (fwd). A cikin misalin da ke ƙasa, ana yin ayyukan fakitin fakiti masu zuwa daga adireshin 192.168.30.20 a matakin katin sadarwar, ba tare da wuce fakitin zuwa kernel ba:

    # babban fayil.nft
    tebur netdev x {
    sarkar y {
    nau'in tace ƙugiya ingress na'urar eth0 fifiko 10; saukar da tutoci;
    ip saddr 192.168.30.20 sauke
    }
    }
    # nft -f file.nft

  • Ingantattun bayanai game da wurin kuskure a cikin dokoki.

    # nft share mulkin ip yz rike 7
    Kuskure: An kasa aiwatar da doka: Babu irin wannan fayil ko kundin adireshi
    share tsarin ip yz handle 7
    ^

    # nft share tsarin ip xx 7
    Kuskure: An kasa aiwatar da doka: Babu irin wannan fayil ko kundin adireshi
    share tsarin ip xx 7
    ^

    # nft share tebur twst
    Kuskure: Babu irin wannan fayil ko kundin adireshi; Kuna nufin tebur ‘test' a cikin iyali ip?
    share tebur twst
    Ƙari

    Misali na farko yana nuna cewa tebur “y” baya cikin tsarin, na biyu kuma mai sarrafa “7” ya ɓace, na uku kuma ana nuna alamar rubutu lokacin buga sunan tebur.

  • Ƙarin tallafi don duba mu'amalar bawa ta hanyar tantance "meta sdif" ko "meta sdifname":

    ... meta sdifname vrf1 ...

  • Ƙara tallafi don ayyukan motsi na dama ko hagu. Misali, don matsawa lakabin fakitin da ke akwai hagu da 1 bit kuma saita ƙarami zuwa 1:

    Alamar meta saita alamar meta lshift 1 ko 0x1…

  • An aiwatar da zaɓin "-V" don nuna ƙarin bayanin sigar.

    # nft -V
    nfttables v0.9.4 (Jive a biyar)
    cli: readline
    json: iya
    mingmp: ba
    libxtables: iya

  • Dole ne a bayyana zaɓuɓɓukan layin umarni yanzu kafin umarni. Misali, kuna buƙatar saka “nft -a list ruleset”, kuma gudanar da “nft list ruleset -a” zai haifar da kuskure.

    source: budenet.ru

Add a comment