nftables packet filter release 0.9.9

The nftables 0.9.9 packet filter release has been published, unifying packet filtering for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6tables, arptables and ebtables). At the same time, the companion library libnftnl 1.2.0 was released, providing a low-level API for interacting with the nf_tables subsystem. The kernel changes required for the nftables 0.9.9 release to work are included in Linux kernel 5.13-rc1.

The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering basic primitives for extracting data from packets, performing operations on that data and controlling the flow of processing.

Rules are compiled in user space into bytecode; that bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel by a special virtual machine resembling BPF (Berkeley Packet Filters). This design makes it possible to greatly reduce the amount of filtering code running at the kernel level and to move all rule parsing and rule-handling logic into user space.

Main new features:

  • Added the ability to offload flow processing to the network adapter, enabled with the 'offload' flag. A flowtable is a mechanism for optimising the packet forwarding path: the full pass through all rule-processing chains is applied only to the first packet of a flow, and all remaining packets of that flow are forwarded directly.

      table ip global {
          flowtable f {
              hook ingress priority filter + 1
              devices = { lan3, lan0, wan }
              flags offload
          }
          chain forward {
              type filter hook forward priority filter; policy accept;
              ip protocol { tcp, udp } flow add @f
          }
          chain post {
              type nat hook postrouting priority filter; policy accept;
              oifname "wan" masquerade
          }
      }

  • Added support for attaching an owner flag to a table, which guarantees exclusive use of the table by a single process. When that process terminates, the table bound to it is deleted automatically. Information about the process is shown in the rule dump as a comment:

      table ip x { # progname nft
          flags owner

          chain y {
              type filter hook input priority filter; policy accept;
              counter packets 1 bytes 309
          }
      }

  • Added support for the IEEE 802.1ad specification (VLAN stacking, or QinQ), which defines how several VLAN tags are inserted into a single Ethernet frame. For example, to check for an outer Ethernet frame type of 8021ad with vlan id=342, use the construct

      ... ether type 8021ad vlan id 342

    and to check for an outer frame type of 8021ad/vlan id=1, a nested 802.1q/vlan id=2 and then an encapsulated IP packet:

      ... ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter

  • Added support for resource control via the unified cgroups v2 hierarchy. The main difference between cgroups v2 and v1 is the use of one common cgroup hierarchy for all resource types, instead of separate hierarchies for allocating CPU, for limiting memory consumption and for I/O. For example, to check whether the ancestor of a socket at the first level of the cgroupv2 hierarchy matches "system.slice", use:

      ... socket cgroupv2 level 1 "system.slice"

  • Added the ability to inspect the components of SCTP packets (the required kernel functionality will appear in Linux kernel 5.14). For example, to check whether a packet contains a chunk of type 'data', and to check that chunk's 'type' field:

      ... sctp chunk data exists
      ... sctp chunk data type 0

  • Loading a ruleset with the "-f" flag has been sped up almost twofold. Listing rules has also been sped up.

  • The construct for checking whether flag bits are set has been simplified. For example, to check that the snat and dnat status bits are not set:

      ... ct status ! snat,dnat

    to check that the syn bit is set within the syn,ack bitmask:

      ... tcp flags syn / syn,ack

    and to check that the fin and rst bits are not set within the syn,ack,fin,rst bitmask:

      ... tcp flags != fin,rst / syn,ack,fin,rst

  • The "verdict" keyword is now allowed in set/map definitions:

      add map xm { typeof iifname . ip protocol . th dport : verdict; }
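An added example, not taken from the article or the nftables project, that combines several of the 0.9.9 constructs listed above (flowtable offload, the simplified flag-bit check and a verdict map) into one loadable ruleset for nft 0.9.9 on kernel 5.13. The interface names lan0/wan and the service ports are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the article. Interfaces lan0/wan and the
# port list are assumed; the rest is the 0.9.9 syntax described above.
flush ruleset

table inet fw {
    # Fast path: only the first packet of a flow walks the chains; later
    # packets are forwarded via the flowtable, by the NIC when 'offload' works.
    flowtable ft {
        hook ingress priority filter + 1
        devices = { lan0, wan }
        flags offload
    }

    # Verdict map (new in 0.9.9): dispatch on iifname . protocol . dport.
    map svc {
        typeof iifname . ip protocol . th dport : verdict
        elements = {
            "lan0" . tcp . 22 : accept,
            "lan0" . udp . 53 : accept,
            "wan"  . tcp . 22 : drop
        }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        # Simplified bit check: within the syn,ack,fin,rst mask a new
        # connection must carry exactly syn; anything else is dropped.
        ct state new tcp flags != syn / syn,ack,fin,rst counter drop
        iifname . ip protocol . th dport vmap @svc
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ip protocol { tcp, udp } flow add @ft
        ct state established,related accept
        iifname "lan0" oifname "wan" accept
    }

    chain post {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan" masquerade
    }
}
```

Run it through `nft -c -f <file>` first: the -c option only parses and validates the ruleset without loading it, so syntax problems are caught before the live tables are flushed.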

source: budenet.ru
