nftables packet filter 1.0.2 released

Version 1.0.2 of the nftables packet filter has been released. nftables unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges and is intended as a replacement for iptables, ip6tables, arptables and ebtables. The kernel-side changes required by nftables 1.0.2 are included in Linux 5.17-rc.

The nftables package contains the packet filter components that run in user space, while the kernel-side work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, with basic functions for extracting data from packets, performing operations on that data and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled to bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed there in a dedicated virtual machine that resembles BPF (Berkeley Packet Filters). This approach keeps the filtering code that runs at kernel level small and moves all rule parsing and protocol logic out of the kernel into user space.

Main new features:

  • A rule optimization mode has been added, enabled with the new "-o" ("--optimize") option, which can be combined with the "--check" option to validate and optimize changes to a ruleset file without actually loading it. The optimization merges rules of the same shape; for example, the rules

        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
        ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
        ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop

    are merged into

        meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.5 } accept
        ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }

    Usage example:

        # nft -c -o -f ruleset.test
        Merging:
        ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept
        ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept
        ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept
        into:
        ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept

  • Sets can now be keyed on IP and TCP options and on SCTP chunk fields:

        set s5 {
            typeof ip option ra value
            elements = { 1, 1024 }
        }
        set s7 {
            typeof sctp chunk init num-inbound-streams
            elements = { 1 }
        }

  • Added support for the fastopen, md5sig and mptcp TCP options.
  • Added support for using the mptcp subtype in maps: tcp option mptcp subtype 1
  • The filtering code that runs on the kernel side has been improved.
  • Flowtables are now fully supported in the JSON format.
  • The "reject" action can now be used in rules that match on Ethernet frame fields: ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
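To make the merging performed by the new "-o" mode concrete, here is a small Python model of it, written for this page as an added illustration; it is not nftables' own optimizer and not code from the nftables project. It assumes a handful of two-word selectors (meta iifname, ip saddr, ip daddr, tcp dport and so on), the "counter" statement and a trailing verdict, and it merges adjacent rules only: adjacent rules that test the same selectors and end in the same verdict become one rule keyed on an anonymous set, and adjacent rules with different verdicts become a verdict map (vmap). Because a chain takes the verdict of the first matching rule, the model refuses to fold two rules that carry the same key with different verdicts, since a single set or map element cannot express "first one wins". The sample rules are the ones quoted above, embedded inline as constructed input.

```python
"""Toy model of the rule merging done by `nft -o` (--optimize).

Added illustration for this article, not nftables' own optimizer.  It
understands a small subset of the nft rule syntax and merges *adjacent*
rules only, which keeps the chain's first-match semantics intact.
"""

VERDICTS = {"accept", "drop", "reject", "continue", "return"}
# Two-word selectors this toy understands (a subset of nft expressions).
SELECTORS = {"meta iifname", "meta oifname", "ip saddr", "ip daddr",
             "ip protocol", "tcp dport", "tcp sport", "udp dport", "udp sport"}
# Statements that may sit between the matches and the verdict.
STATEMENTS = {"counter", "log"}

# Constructed input: the four rules quoted in the release notes above.
SAMPLE_RULES = [
    "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept",
    "ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept",
    "ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop",
]
# Constructed input: the three `counter accept` rules from the usage example.
COUNTER_RULES = [
    "ip daddr 192.168.0.1 counter accept",
    "ip daddr 192.168.0.2 counter accept",
    "ip daddr 192.168.0.3 counter accept",
]


def parse_rule(text):
    """Split one rule into (selectors, values, statements, verdict) tuples."""
    tok = text.split()
    if not tok or tok[-1] not in VERDICTS:
        raise ValueError(f"rule must end in a verdict: {text!r}")
    verdict = tok.pop()
    selectors, values, stmts = [], [], []
    i = 0
    while i < len(tok):
        if tok[i] in STATEMENTS:
            stmts.append(tok[i])
            i += 1
            continue
        sel = " ".join(tok[i:i + 2])
        if sel not in SELECTORS or i + 2 >= len(tok):
            raise ValueError(f"unsupported expression near {tok[i]!r} in {text!r}")
        selectors.append(sel)
        values.append(tok[i + 2])
        i += 3
    return tuple(selectors), tuple(values), tuple(stmts), verdict


def _compatible(group, rule):
    """May `rule` join `group` without changing what the chain does?"""
    selectors, values, stmts, verdict = rule
    head_sel, _, head_stmts, head_verdict = group[0]
    if (selectors, stmts) != (head_sel, head_stmts):
        return False          # different shape: a set cannot express it
    if any(values == r[1] for r in group):
        return False          # same key again: the earlier rule must keep winning
    if stmts and verdict != head_verdict:
        return False          # toy does not combine statements with a vmap
    return True


def _render(group):
    """Render one group as a single rule (set or vmap) or leave a lone rule as is."""
    selectors, _, stmts, _ = group[0]
    stmt_txt = (" " + " ".join(stmts)) if stmts else ""
    if len(group) == 1:
        _, values, _, verdict = group[0]
        expr = " ".join(f"{s} {v}" for s, v in zip(selectors, values))
        return f"{expr}{stmt_txt} {verdict}"
    key = " . ".join(selectors)                 # concatenated selector key
    verdicts = {r[3] for r in group}
    if len(verdicts) == 1:                      # same verdict: anonymous set
        elems = ", ".join(" . ".join(r[1]) for r in group)
        return f"{key} {{ {elems} }}{stmt_txt} {group[0][3]}"
    elems = ", ".join(f"{' . '.join(r[1])} : {r[3]}" for r in group)
    return f"{key} vmap {{ {elems} }}"          # mixed verdicts: verdict map


def optimize(rules):
    """Merge adjacent same-shaped rules; returns the rewritten rule lines."""
    out, group = [], []
    for rule in (parse_rule(r) for r in rules):
        if group and _compatible(group, rule):
            group.append(rule)
        else:
            if group:
                out.append(_render(group))
            group = [rule]
    if group:
        out.append(_render(group))
    return out


if __name__ == "__main__":
    for line in optimize(SAMPLE_RULES) + optimize(COUNTER_RULES):
        print(line)
```

The real tool is the authority on what is safe to merge: run `nft -c -o -f ruleset.nft` on the actual file, read the "Merging:" / "into:" report it prints, and only then load the ruleset with `nft -f`.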

source: budenet.ru
