Release of the nftables 1.0.2 packet filter

The release of the nftables 1.0.2 packet filter has been published. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (aiming to replace iptables, ip6tables, arptables and ebtables). The kernel changes required for nftables 1.0.2 to work are included in Linux kernel 5.17-rc.

The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering the basic operations for extracting data from packets, performing operations on that data and controlling flow.

Filtering rules and protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel by a special virtual machine resembling BPF (Berkeley Packet Filters). This approach significantly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol-handling logic into user space.

Main new features:

  • Added a rule optimization mode, enabled with the new "-o" ("--optimize") option, which can be combined with the "--check" option to check and optimize changes to a ruleset file without actually loading it. The optimization merges rules of the same kind; for example, the rules

      meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
      meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
      ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
      ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop

    are merged into

      meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.5 } accept
      ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }

    Usage example:

      # nft -c -o -f ruleset.test
      Merging:
      ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept
      ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept
      ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept
      into:
      ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept

  • Set definitions can now be typed on ip and tcp option fields as well as on sctp chunk fields:

      set s5 {
          typeof ip option ra value
          elements = { 1, 1024 }
      }
      set s7 {
          typeof sctp chunk init num-inbound-streams
          elements = { 1 }
      }

  • Added support for the fastopen, md5sig and mptcp TCP options.
  • Added support for using the mptcp subtype in maps: tcp option mptcp subtype 1
  • Improved the filtering code that runs on the kernel side.
  • Flowtables are now fully supported in the JSON format.
  • The "reject" verdict can now be used in rules that match Ethernet frames:

      ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
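The rule-merging idea behind the "-o" optimizer described in the first item above, as an added illustration in Python. This is not nft's own optimizer and makes simplifying assumptions that are labelled in the code: every match is a two-token selector followed by one value (e.g. "ip saddr 1.1.1.1"), statements such as "counter" are not handled, and only consecutive rules with identical selectors are merged, so first-match order is never changed. Consecutive rules with the same verdict fold into an anonymous set; mixed verdicts fold into a verdict map (vmap), matching the announcement's example. A duplicate element inside one run is refused, because a set or vmap would otherwise silently drop one of the conflicting rules.

```python
# Added illustration (not nft's own optimizer): a toy re-implementation of the
# rule-merging idea behind `nft -o`.  Assumptions: each match is a two-token
# selector plus one value ("ip saddr 1.1.1.1", "meta iifname eth1"), there are
# no statements such as "counter", and only consecutive rules with identical
# selectors are merged so that first-match semantics are preserved.

VERDICTS = {"accept", "drop", "reject"}


def parse_rule(rule):
    """Split 'ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept' into
    (('ip saddr', 'ip daddr'), ('1.1.1.1', '2.2.2.2'), 'accept')."""
    tokens = rule.split()
    if len(tokens) < 4 or tokens[-1] not in VERDICTS:
        raise ValueError(f"unsupported rule: {rule!r}")
    body = tokens[:-1]
    if len(body) % 3:
        raise ValueError(f"expected '<proto> <field> <value>' triples: {rule!r}")
    keys = tuple(f"{body[i]} {body[i + 1]}" for i in range(0, len(body), 3))
    values = tuple(body[i + 2] for i in range(0, len(body), 3))
    return keys, values, tokens[-1]


def emit(keys, entries):
    """Render one rule from the (values, verdict) entries that share `keys`."""
    if len(entries) == 1:
        values, verdict = entries[0]
        return " ".join(f"{k} {v}" for k, v in zip(keys, values)) + f" {verdict}"
    seen = set()
    for values, _ in entries:
        if values in seen:
            # The same element twice in one set/vmap would silently lose one
            # of the rules, so refuse to merge instead of guessing.
            raise ValueError(f"duplicate element {' . '.join(values)}")
        seen.add(values)
    lhs = " . ".join(keys)                      # concatenated selector, e.g. "ip saddr . ip daddr"
    verdicts = {verdict for _, verdict in entries}
    if len(verdicts) == 1:                      # one verdict: anonymous set
        elems = ", ".join(" . ".join(values) for values, _ in entries)
        return f"{lhs} {{ {elems} }} {entries[0][1]}"
    elems = ", ".join(f"{' . '.join(values)} : {verdict}" for values, verdict in entries)
    return f"{lhs} vmap {{ {elems} }}"          # mixed verdicts: verdict map


def optimize(rules):
    """Merge each run of consecutive rules that match on the same selectors."""
    parsed = [parse_rule(r) for r in rules]
    out, i = [], 0
    while i < len(parsed):
        keys = parsed[i][0]
        j = i
        while j < len(parsed) and parsed[j][0] == keys:
            j += 1
        out.append(emit(keys, [(values, verdict) for _, values, verdict in parsed[i:j]]))
        i = j
    return out


if __name__ == "__main__":
    # Constructed input: the four rules from the announcement.
    for line in optimize([
        "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
        "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept",
        "ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept",
        "ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop",
    ]):
        print(line)
```

Running the script prints the two merged rules shown in the announcement. The consecutive-only restriction is the point worth keeping in mind when reviewing optimized rulesets: a rule may only be folded into a set or vmap together with rules it cannot be reordered past, and "-c -o" lets you inspect exactly which rules were merged before anything is loaded.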

Source: budenet.ru
