The nftables 0.9.9 packet filter has been released. It unifies packet filtering for IPv4, IPv6, ARP and network bridges (it is intended as a replacement for iptables, ip6tables, arptables and ebtables). The companion library libnftnl 1.2.0, which provides a low-level API for interacting with the nf_tables subsystem, was released at the same time. The kernel-side changes required by nftables 0.9.9 are included in Linux 5.13-rc1.
The nftables package contains the packet-filter components that run in user space, while the kernel-side work is done by the nf_tables subsystem, part of the Linux kernel since release 3.13. The kernel level provides only a generic, protocol-independent interface offering primitive operations for extracting data from packets, performing operations on that data and controlling the flow of processing.
The filtering rules themselves and the protocol-specific handlers are compiled to bytecode in user space; that bytecode is then loaded into the kernel over the Netlink interface and executed there by a special virtual machine resembling BPF (Berkeley Packet Filter). This approach keeps the filtering code that runs at the kernel level small and moves all rule parsing and protocol logic into user space.
Main changes:
- Flowtable processing can now be offloaded to the network adapter, enabled with the `offload` flag (the driver of every device listed in the flowtable has to support flow offload). A flowtable is a mechanism for speeding up the forwarding path: the full rule-processing chains are applied only to the first packet of a flow, and every subsequent packet of that flow is forwarded directly:

  ```
  table ip global {
      flowtable f {
          hook ingress priority filter + 1
          devices = { lan3, lan0, wan }
          flags offload
      }

      chain forward {
          type filter hook forward priority filter; policy accept;
          ip protocol { tcp, udp } flow add @f
      }

      chain post {
          type nat hook postrouting priority filter; policy accept;
          oifname "wan" masquerade
      }
  }
  ```

- Support for an `owner` flag on a table, which gives the process that created the table exclusive use of it. When that process exits, the table associated with it is deleted automatically. The owning process is shown as a comment in the ruleset listing:

  ```
  table ip x { # progname nft flags owner
      chain y {
          type filter hook input priority filter; policy accept;
          counter packets 1 bytes 309
      }
  }
  ```

- Support for IEEE 802.1ad (VLAN stacking, or QinQ), which defines how several VLAN tags are carried in a single Ethernet frame. For example, to match an outer 802.1ad frame with VLAN id 342: `... ether type 8021ad vlan id 342`. To match an outer 802.1ad tag with VLAN id 1, an inner 802.1Q tag with VLAN id 2 and an IP packet inside them: `... ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter`.
- Support for resource control with unified cgroups v2. The main difference between cgroups v2 and v1 is that a single common hierarchy is used for all resource types, instead of separate hierarchies for CPU allocation, memory usage and I/O. For example, to check whether the level-1 ancestor of the socket's cgroup v2 matches the "system.slice" mask: `... socket cgroupv2 level 1 "system.slice"`.
- Matching on the contents of SCTP packets (the kernel-side support required for this will appear in Linux 5.14). For example, to check that a packet contains a chunk of type `data`, and to match that chunk's `type` field: `... sctp chunk data exists` and `... sctp chunk data type 0`.
- Ruleset loading with the `-f` flag is roughly twice as fast. Ruleset listing has also been sped up.
- Extended syntax for checking whether flag bits are set. For example, to verify that the snat and dnat bits of the ct status are not set: `... ct status ! snat,dnat`. To check that the syn bit is set within the syn,ack bitmask: `... tcp flags syn / syn,ack`. To check that the fin and rst bits are not set within the syn,ack,fin,rst bitmask: `... tcp flags != fin,rst / syn,ack,fin,rst`.
- The `verdict` keyword is allowed in set/map definitions: `add map xm { typeof iifname . ip protocol . th dport : verdict; }`.
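The 802.1ad and SCTP matches listed above operate on packet structure that is easy to get wrong by hand (stacked tags, chunk padding, chunk lengths). The following is an added example written for this page, not code from the nftables project: it parses a constructed Ethernet frame carrying stacked 802.1ad/802.1Q tags and an IPv4/SCTP payload, then evaluates what `ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip` and `sctp chunk data exists` test. The helper names (`parse_vlan_stack`, `match_qinq_ip`, `sctp_chunks`, `chunk_exists`, `build_sample_frame`), the sample frame and its zeroed checksums are assumptions of the example; the chunk type numbers are those of RFC 4960.

```python
import struct

ETH_P_8021Q, ETH_P_8021AD, ETH_P_IP = 0x8100, 0x88A8, 0x0800
IPPROTO_SCTP = 132
# Chunk type numbers (RFC 4960) behind the names nft uses in `sctp chunk <name>`.
SCTP_CHUNKS = {
    "data": 0, "init": 1, "init-ack": 2, "sack": 3, "heartbeat": 4,
    "heartbeat-ack": 5, "abort": 6, "shutdown": 7, "shutdown-ack": 8,
    "error": 9, "cookie-echo": 10, "cookie-ack": 11, "ecne": 12, "cwr": 13,
    "shutdown-complete": 14,
}


def parse_vlan_stack(frame):
    """Return ([(tpid, vlan id), ...] outermost first, innermost ethertype, payload)."""
    (etype,) = struct.unpack_from("!H", frame, 12)
    off, tags = 14, []
    while etype in (ETH_P_8021Q, ETH_P_8021AD):
        tpid = etype
        tci, etype = struct.unpack_from("!HH", frame, off)  # TCI, then encapsulated type
        tags.append((tpid, tci & 0x0FFF))                   # low 12 bits of the TCI = VID
        off += 4
    return tags, etype, frame[off:]


def match_qinq_ip(frame):
    """`ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip`."""
    tags, etype, _ = parse_vlan_stack(frame)
    return tags == [(ETH_P_8021AD, 1), (ETH_P_8021Q, 2)] and etype == ETH_P_IP


def sctp_chunks(ip_packet):
    """Yield (type, flags, value) for each chunk of an IPv4/SCTP packet."""
    if ip_packet[0] >> 4 != 4 or ip_packet[9] != IPPROTO_SCTP:
        return
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = min(struct.unpack_from("!H", ip_packet, 2)[0], len(ip_packet))
    off = ihl + 12                       # skip the 12-byte SCTP common header
    while off + 4 <= total_len:
        ctype, cflags, clen = struct.unpack_from("!BBH", ip_packet, off)
        if clen < 4 or off + clen > total_len:
            break                        # malformed length: stop instead of looping
        yield ctype, cflags, ip_packet[off + 4:off + clen]
        off += (clen + 3) & ~3           # chunks are padded to a 4-byte boundary


def chunk_exists(frame, name):
    """`sctp chunk <name> exists`, evaluated on a full (possibly tagged) frame."""
    _, etype, payload = parse_vlan_stack(frame)
    if etype != ETH_P_IP:
        return False
    wanted = SCTP_CHUNKS[name]
    return any(ctype == wanted for ctype, _, _ in sctp_chunks(payload))


def build_sample_frame():
    """Constructed sample: 802.1ad VID 1 / 802.1Q VID 2 / IPv4 / SCTP with SACK + DATA.

    IP and SCTP checksums are left at zero; this example never validates them.
    """
    sack = struct.pack("!BBHIIHH", 3, 0, 16, 1, 65535, 0, 0)            # SACK, 16 bytes
    data = struct.pack("!BBHIHHI", 0, 0x03, 20, 1, 0, 0, 0) + b"ping"   # DATA, 20 bytes
    sctp = struct.pack("!HHII", 5000, 3868, 0xDEADBEEF, 0) + sack + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(sctp), 0, 0x4000, 64,
                     IPPROTO_SCTP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = bytes(12)                                 # dst/src MACs, irrelevant here
    eth += struct.pack("!HH", ETH_P_8021AD, 1)      # outer tag: TPID 0x88a8, VID 1
    eth += struct.pack("!HH", ETH_P_8021Q, 2)       # inner tag: TPID 0x8100, VID 2
    eth += struct.pack("!H", ETH_P_IP)
    return eth + ip + sctp


if __name__ == "__main__":
    frame = build_sample_frame()
    print("qinq+ip:", match_qinq_ip(frame))
    print("chunks:", [(t, f) for t, f, _ in sctp_chunks(frame[22:])])
    print("data chunk exists:", chunk_exists(frame, "data"))
```

Two points the code makes explicit: the two-tag rule only matches a frame whose innermost tag is followed directly by IP, so a single-tagged or triple-tagged frame does not match; and the chunk walker refuses a chunk length below 4 or past the IP total length, which is the check any SCTP parser needs so that a crafted length field cannot make it loop or read out of bounds.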
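The bitmask syntax above compiles to a masked comparison in the kernel, and the four forms (`syn`, `! snat,dnat`, `syn / syn,ack`, `!= fin,rst / syn,ack,fin,rst`) compare differently. The following added example, not nftables code, reimplements those comparisons in Python so the semantics are explicit. `compile_match`, `matches`, `bits` and the two flag tables are names chosen here; the TCP bits are the standard header flags, and the `ct status` bits are assumed to be the kernel's IPS_* values (snat = 0x10, dnat = 0x20).

```python
import re

# Standard TCP header flag bits, as used by `tcp flags`.
TCP_FLAGS = {
    "fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
    "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80,
}
# Assumed: the kernel's IPS_* conntrack status bits behind `ct status`.
CT_STATUS = {
    "expected": 0x01, "seen-reply": 0x02, "assured": 0x04,
    "confirmed": 0x08, "snat": 0x10, "dnat": 0x20,
}


def bits(names, table):
    """Turn a comma-separated nft flag list such as "syn,ack" into a bitmask."""
    value = 0
    for name in names.split(","):
        name = name.strip()
        if name not in table:
            raise ValueError(f"unknown flag {name!r}")
        value |= table[name]
    return value


# Grammar: [ != | ! ] value-list [ / mask-list ]
_MATCH = re.compile(r"^\s*(!=|!)?\s*([\w,\s-]+?)\s*(?:/\s*([\w,\s-]+?))?\s*$")


def compile_match(expr, table):
    """Translate an nft flag expression into (mask, expected, negated).

    A packet matches when ((flags & mask) == expected) != negated:
      "syn"                          -> flags & syn                != 0   (any listed bit set)
      "! snat,dnat"                  -> flags & (snat|dnat)        == 0   (none of them set)
      "syn / syn,ack"                -> flags & (syn|ack)          == syn
      "!= fin,rst / syn,ack,fin,rst" -> flags & (syn|ack|fin|rst)  != fin|rst
    """
    m = _MATCH.match(expr)
    if not m:
        raise ValueError(f"cannot parse {expr!r}")
    op, value_names, mask_names = m.groups()
    value = bits(value_names, table)
    if mask_names is None:
        # Without an explicit mask the listed bits are the mask, and the test
        # is "at least one set" (plain form) or "none set" (leading '!').
        return value, 0, op != "!"
    mask = bits(mask_names, table)
    if value & ~mask:
        raise ValueError(f"{expr!r}: value has bits outside its mask")
    return mask, value, op == "!="


def matches(expr, flags, table=TCP_FLAGS):
    """Evaluate an nft flag expression against a raw flags value."""
    mask, expected, negated = compile_match(expr, table)
    return ((flags & mask) == expected) != negated


if __name__ == "__main__":
    # Constructed segments: SYN, SYN-ACK, ACK, FIN-ACK, RST
    for flags in (0x02, 0x12, 0x10, 0x11, 0x04):
        print(f"{flags:#04x}",
              "new-connection" if matches("syn / syn,ack", flags) else "-",
              "no-fin-no-rst" if matches("!= fin,rst / syn,ack,fin,rst", flags) else "-")
```

The practical consequence: `tcp flags syn` alone is true for a SYN-ACK as well, because without a mask the check is "any listed bit set"; only the masked form `syn / syn,ack` isolates the first packet of a handshake. The same holds for `ct status snat,dnat` versus `ct status ! snat,dnat`.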
source: budenet.ru
