nftables packet filter release 1.0.0

The release of the nftables 1.0.0 packet filter has been published, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it aims to replace iptables, ip6table, arptables and ebtables). The kernel-side changes required for nftables 1.0.0 to work are included in Linux 5.13. The jump in the major version number is not tied to any fundamental change; it is simply the result of continuing the sequential numbering in decimal notation (the previous release was 0.9.9).

The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering basic primitives for extracting data from packets, performing operations on that data and controlling flow.

Filtering rules and protocol-specific handlers are compiled into bytecode in user space; that bytecode is then loaded into the kernel over the Netlink interface and executed inside the kernel by a dedicated virtual machine resembling BPF (Berkeley Packet Filters). This design keeps the filtering code that runs at the kernel level small and moves all rule parsing and protocol logic into user space.

Main new features:

  • Added support for the "*" wildcard element in sets and maps; it matches every packet that does not fall under any other element defined in the set.

        table x {
            map blocklist {
                type ipv4_addr : verdict
                flags interval
                elements = { 192.168.0.0/16 : accept, 10.0.0.0/8 : accept, * : drop }
            }
            chain y {
                type filter hook prerouting priority 0; policy accept;
                ip saddr vmap @blocklist
            }
        }

  • Variables can now be defined from the command line with the "--define" option.

        # cat test.nft
        table netdev x {
            chain y {
                type filter hook ingress devices = $dev priority 0; policy drop;
            }
        }
        # nft --define dev="{ eth0, eth1 }" -f test.nft

  • Stateful expressions (counter) are allowed inside map element lists:

        table inet filter {
            map portmap {
                type inet_service : verdict
                elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop }
            }
            chain ssh_input { }
            chain wan_input {
                tcp dport vmap @portmap
            }
            chain prerouting {
                type filter hook prerouting priority raw; policy accept;
                iif vmap { "lo" : jump wan_input }
            }
        }

  • Added the "list hooks" command, which shows the handlers registered for a packet family:

        # nft list hooks ip device eth0
        family ip {
            hook ingress {
                +0000000010 chain netdev x y [nf_tables]
                +0000000300 chain inet m w [nf_tables]
            }
            hook input {
                -0000000100 chain ip a b [nf_tables]
                +0000000300 chain inet m z [nf_tables]
            }
            hook postrouting {
                +0000000225 selinux_ipv4_postroute
            }
        }

  • Queue statements can be combined with the jhash, symhash and numgen expressions to distribute packets across user-space queues.

        ... queue to symhash mod 65536
        ... queue flags bypass to numgen inc mod 65536
        ... queue to jhash oif . meta mark mod 32

    "queue" can also be combined with a map to select the user-space queue based on arbitrary keys.

        ... queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }

  • A variable holding a set can be expanded into multiple map elements.

        define interfaces = { eth0, eth1 }
        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { lo : accept, $interfaces : drop }
            }
        }
        # nft -f x.nft
        # nft list ruleset
        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
            }
        }

  • vmaps (verdict maps) may now be combined with intervals:

        # nft add rule x y tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept }

  • Simplified syntax for NAT mappings. Address ranges can be specified:

        ... snat to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }

    or IP addresses together with ports:

        ... dnat to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }

    or combinations of IP ranges and port ranges:

        ... dnat to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2-10.141.10.5 . 8888-8999 }
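The following ruleset is an added example written for this page; it is not part of the release notes or of the nftables project. It combines several of the features listed above (the "*" catch-all element, counters inside a verdict map, a set variable supplied with --define and expanded into a vmap, queue distribution by symhash, and the simplified NAT map syntax) into one default-deny gateway configuration. The interface names (eth0 for WAN, eth1 and eth2 for LAN), the placeholder addresses (RFC 1918 and documentation ranges) and the queue count are assumptions of the example; it requires nftables 1.0.0 and a 5.13 or newer kernel, as the release notes state.

```nft
# Added example (not from the release notes or the nftables project).
# Load with the interfaces defined on the command line, e.g.:
#   nft --define wan=eth0 --define lan="{ eth1, eth2 }" -c -f gateway.nft   # syntax check only
#   nft --define wan=eth0 --define lan="{ eth1, eth2 }" -f gateway.nft      # load
# Afterwards "nft list hooks ip device eth0" shows the chains registered on eth0 and
# "nft list map inet filter portmap" shows the per-port counters.

flush ruleset

table inet filter {
    # Source allowlist: the "*" element is the catch-all, so any IPv4 source that is
    # not inside one of the listed prefixes gets the drop verdict.
    map src_policy {
        type ipv4_addr : verdict
        flags interval
        elements = { 10.0.0.0/8 : accept, 192.168.0.0/16 : accept, * : drop }
    }

    # Stateful counters inside a verdict map: each element keeps its own packet and
    # byte counts, including the catch-all, which makes dropped-port volume visible.
    map portmap {
        type inet_service : verdict
        elements = { 22 counter : jump ssh_input, 443 counter : accept, * counter : drop }
    }

    chain ssh_input {
        # $lan expands to the interface set given with --define (assumed eth1, eth2)
        iifname $lan accept
        drop
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif lo accept
        ip saddr vmap @src_policy
        tcp dport vmap @portmap
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Hand forwarded TCP from the LAN to user-space queues 0-3 (e.g. an IDS); symhash
        # keeps both directions of a flow on the same queue, bypass lets traffic continue
        # if no user-space listener is bound.
        iifname $lan meta l4proto tcp queue flags bypass to symhash mod 4
        ct state established,related accept
        # the set variable is expanded into one vmap element per interface
        iifname vmap { $lan : accept }
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # combined "address . port" key mapped to an address range and a port range
        iifname $wan dnat to ip daddr . tcp dport map { 203.0.113.10 . 80 : 10.141.10.2-10.141.10.5 . 8080-8083 }
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # one internal host is mapped to a range of public addresses, everything else is masqueraded
        oifname $wan snat to ip saddr map { 10.141.11.4 : 203.0.113.20-203.0.113.22 }
        oifname $wan masquerade
    }
}
```

Because the catch-all elements carry the drop verdict, both maps fail closed: a source outside the allowlisted prefixes or a destination port that is not listed never reaches a later accept rule, and the counters on the "*" elements give a cheap measure of how much traffic the defaults are absorbing. Running the file through "nft -c -f" first catches syntax errors before the live ruleset is flushed.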

source: budenet.ru
