The packet filter nftables 1.0.5 has been released. It unifies the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges (aiming to replace iptables, ip6tables, arptables and ebtables). The companion library libnftnl 1.2.3, which provides a low-level API for interacting with the nf_tables subsystem, was released at the same time.
The nftables package contains the packet-filter components that run in user space, while the kernel-side functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering basic functions for extracting data from packets, performing operations on that data and controlling the packet flow.
The filtering rules themselves and the protocol-specific handlers are compiled to bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed there in a special virtual machine resembling BPF (Berkeley Packet Filters). This approach keeps the amount of filtering code running at kernel level small and moves all rule parsing and protocol logic into user space.
Main changes:
- In the optimization rules invoked by the "-o/--optimize" option, problems with merging rules, maps and sets have been resolved:

    # cat ruleset.nft
    table ip x {
      chain y {
        type nat hook postrouting priority srcnat; policy drop;
        ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
        ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
      }
    }
    # nft -o -c -f ruleset.nft
    Merging:
    ruleset.nft:4:3-52: ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
    ruleset.nft:5:3-52: ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
    into:
      snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }
- When concatenating ethernet and vlan fields, a dynamic set can now be declared that is populated from packet parameters:

    add table netdev x
    add chain netdev x y { type filter hook ingress device enp0s25 priority 0; }
    add set netdev x macset { type ether_addr . vlan_id; flags dynamic,timeout; }
    add rule netdev x y update @macset { ether daddr . vlan id timeout 60s }
    add rule netdev x y ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 } counter accept
- Improved listing of rules with maps containing wildcards in interface names:

    table inet filter {
      chain INPUT {
        iifname vmap { "eth0" : jump input_lan, "wg*" : jump input_vpn }
      }
      chain input_lan {}
      chain input_vpn {}
    }
- Fixed a regression that broke standard dictionaries.
- Resolved problems with slow operation and automatic merging of large sets whose elements define counters.
- Fixed a crash when adding elements to an invalid set.
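As an added illustration (not code from the nftables project), a small Python model of what the "-o/--optimize" merge shown above does: rules that match on the same selectors and share the snat statement are folded into one rule keyed by a concatenated map, while rules without a partner are kept unchanged. The sample rules are constructed to mirror the release-note example; the selector list and the snat-only support are simplifications of this toy.

```python
import re
from collections import defaultdict

# Constructed sample rules, shaped like the two snat rules in the example above.
RULES = [
    "ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80",
    "ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90",
]

# Selectors this toy understands, and the one statement it can rewrite into a map
# (assumption: real nft handles many more expressions and statements).
_MATCH = re.compile(r"(ip saddr|ip daddr|tcp sport|tcp dport) (\S+)")
_SNAT = re.compile(r"\bsnat to (\S+):(\d+)$")


def parse_rule(rule):
    """Return (selectors, values, target) for a flat 'match ... snat to addr:port' rule."""
    matches = _MATCH.findall(rule)
    stmt = _SNAT.search(rule)
    if not matches or stmt is None:
        raise ValueError(f"unsupported rule: {rule}")
    selectors = tuple(sel for sel, _ in matches)
    values = tuple(val for _, val in matches)
    return selectors, values, (stmt.group(1), stmt.group(2))


def merge_rules(rules):
    """Fold rules with identical selectors into one map-keyed snat rule.

    Every original (match -> target) pair survives as a map element, so the
    translation preserves what each packet is translated to. Caveat: this toy
    groups by selectors only and does not check that the rules are adjacent in
    the chain; merging across intervening rules could change evaluation order."""
    groups = defaultdict(list)  # selectors -> [(rule, values, target), ...]
    order = []                  # first-seen order of selector groups
    for rule in rules:
        selectors, values, target = parse_rule(rule)
        if selectors not in groups:
            order.append(selectors)
        groups[selectors].append((rule, values, target))
    merged = []
    for selectors in order:
        entries = groups[selectors]
        if len(entries) < 2:
            merged.append(entries[0][0])  # nothing to merge with: keep as is
            continue
        key = " . ".join(selectors)
        elements = ", ".join(f"{' . '.join(vals)} : {' . '.join(tgt)}" for _, vals, tgt in entries)
        merged.append(f"snat to {key} map {{ {elements} }}")
    return merged
```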
source: budenet.ru
