Release of the nftables packet filter 1.0.6

The release of the packet filter nftables 1.0.6 has been published. It unifies packet filtering for IPv4, IPv6, ARP and network bridges (and aims to replace iptables, ip6tables, arptables and ebtables). The nftables package contains the packet filter components that run in user space, while the kernel-level part is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level provides only a generic, protocol-independent interface with basic primitives for extracting data from packets, operating on that data and controlling the flow of processing.

Filtering rules and protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed there in a special BPF-like (Berkeley Packet Filter) virtual machine. This approach keeps the amount of filtering code that runs at kernel level small and moves all rule parsing and protocol-handling logic to user space.

Main changes:

  • The ruleset optimizer, enabled with the "-o/--optimize" option, can now automatically merge rules that use concatenations by converting them into maps and sets. For example, the ruleset

        # cat ruleset.nft
        table ip x {
            chain y {
                type filter hook input priority filter; policy drop;
                meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
                meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
                meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
                meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
                meta iifname eth1 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
            }
        }

    is folded by "nft -o -c -f ruleset.nft" ("-c" only checks and reports; without it the optimized ruleset is loaded) into a single rule. nft lists the rules it merges, with their positions in the file, under "Merging:" and prints the result under "into:":

        iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.4, eth1 . 1.1.1.2 . 2.2.3.0/24, eth1 . 1.1.1.2 . 2.2.4.0-2.2.4.10, eth1 . 1.1.1.3 . 2.2.2.5 } accept

  • The optimizer can also convert rules that already use simple set lists into a more compact form. For example, the ruleset

        # cat ruleset.nft
        table ip filter {
            chain input {
                type filter hook input priority filter; policy drop;
                iifname "lo" accept
                ct state established,related accept comment "traffic we originated, we trust"
                iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
                iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
            }
        }

    is rewritten by "nft -o -c -f ruleset.nft" so that the last two rules become one rule with a concatenated set (the two set lists are expanded into four elements):

        iifname . ip saddr . ip daddr . udp sport . udp dport { "enp0s31f6" . 209.115.181.102 . 10.0.0.149 . 123 . 32768-65535, "enp0s31f6" . 216.197.228.230 . 10.0.0.149 . 123 . 32768-65535, "enp0s31f6" . 64.59.144.17 . 10.0.0.149 . 53 . 32768-65535, "enp0s31f6" . 64.59.150.133 . 10.0.0.149 . 53 . 32768-65535 } accept

  • Fixed bytecode generation for concatenations of intervals whose component types use different byte orders, such as IPv4 addresses (network byte order) and the meta mark (host byte order), as in this map:

        table ip x {
            map w {
                typeof ip saddr . meta mark : verdict
                flags interval
                elements = { 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept,
                             192.168.0.10-192.168.1.20 . 0x0000aa00-0x0000aaff : accept, }
            }
            chain k {
                type filter hook input priority filter; policy drop;
                ip saddr . meta mark vmap @w
            }
        }

  • Improved comparison of complex rules that use raw expressions, for example "meta l4proto 91 @th,400,16 0x0 accept" (here "@th,400,16" reads 16 bits at bit offset 400 of the transport header).
  • Fixed problems with inserting rules at an intermediate position in a chain, for example: insert rule x y tcp sport { 3478-3497, 16384-16387 } counter accept
  • The JSON API has been extended to support expressions in set and map element lists.
  • Extensions to the nftables Python library allow a ruleset to be loaded in check mode ("-c") and add support for defining external variables.
  • Comments can now be added to set elements.
  • A zero value is now accepted for byte-typed values.
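To make the two optimizer transformations above concrete, here is an added Python sketch written for this article; it is not nftables' own optimizer and covers only a small subset of the nft grammar. It parses rules made of interface, address and port selectors (single values, ranges, prefixes or "{ }" set lists) followed by an accept/drop verdict, groups adjacent rules whose selector sequence and verdict are identical, expands set lists into element tuples and emits one rule with a concatenated set. Anything it does not understand (ct state, counters, comments) is passed through unchanged, and only adjacent rules are merged, because folding a rule across an unrelated one in between could change evaluation order. The embedded rulesets are the two examples above; the function and constant names are my own.

```python
from itertools import product

# Selector spellings recognised by this sketch, mapped to the name used in the
# merged concatenation. Only a small subset of the nft grammar is covered.
SELECTORS = {
    ("meta", "iifname"): "iifname",
    ("iifname",): "iifname",
    ("ip", "saddr"): "ip saddr",
    ("ip", "daddr"): "ip daddr",
    ("udp", "sport"): "udp sport",
    ("udp", "dport"): "udp dport",
    ("tcp", "sport"): "tcp sport",
    ("tcp", "dport"): "tcp dport",
}
VERDICTS = {"accept", "drop"}

# Constructed input: the chain bodies of the two rulesets shown above.
RULESET_A = [
    "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept",
    "meta iifname eth1 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept",
]
RULESET_B = [
    'iifname "lo" accept',
    'ct state established,related accept comment "traffic we originated, we trust"',
    'iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept',
    'iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept',
]


def parse_rule(rule):
    """Return (selectors, values, verdict) for a plain match/verdict rule, or
    None for anything this sketch does not understand (ct state, counters,
    comments, ...), which optimize() then leaves untouched."""
    toks = rule.replace("{", " { ").replace("}", " } ").replace(",", " ").split()
    selectors, values = [], []
    i = 0
    while i < len(toks):
        if toks[i] in VERDICTS and i == len(toks) - 1:
            return selectors, values, toks[i]
        for key, name in SELECTORS.items():
            if tuple(toks[i:i + len(key)]) == key:
                i += len(key)
                break
        else:
            return None                          # unknown expression
        if i >= len(toks):
            return None                          # selector without a value
        if toks[i] == "{":                       # set list: { a, b, c }
            if "}" not in toks[i:]:
                return None
            end = toks.index("}", i)
            vals, i = toks[i + 1:end], end + 1
        else:                                    # single value, range or prefix
            vals, i = [toks[i]], i + 1
        selectors.append(name)
        values.append(vals)
    return None


def render(selectors, elements, verdict):
    """Emit 'sel1 . sel2 { a1 . a2, b1 . b2 } verdict'."""
    lhs = " . ".join(selectors)
    body = ", ".join(" . ".join(e) for e in elements)
    return f"{lhs} {{ {body} }} {verdict}"


def optimize(rules):
    """Merge adjacent rules with the same selector sequence and verdict into
    one rule whose set holds the concatenated elements of all of them."""
    runs = []                                    # [key, original rules, elements]
    for rule in rules:
        parsed = parse_rule(rule)
        if parsed is None:
            runs.append([None, [rule], []])      # pass-through, breaks the run
            continue
        selectors, values, verdict = parsed
        key = (tuple(selectors), verdict)
        elements = list(product(*values))        # expand set lists into tuples
        if runs and runs[-1][0] == key:
            runs[-1][1].append(rule)
            runs[-1][2].extend(elements)
        else:
            runs.append([key, [rule], elements])
    out = []
    for key, originals, elements in runs:
        if key is None or len(originals) < 2:
            out.extend(originals)                # nothing to merge
        else:
            selectors, verdict = key
            out.append(render(selectors, elements, verdict))
    return out


if __name__ == "__main__":
    for ruleset in (RULESET_A, RULESET_B):
        print("\n".join(optimize(ruleset)), end="\n\n")
```

Running it reproduces the two "into:" lines shown above. A practical check before trusting any optimizer output, real or sketched: count elements in, rules out, and confirm that rules with different verdicts were never folded together; the last assertion in the accompanying test does exactly that.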
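The byte-order point behind the interval-map fix above, as an added, constructed example (not nftables' bytecode generator): a per-field bytewise range test, the memcmp-style comparison that set lookups reduce to, agrees with numeric order only when each field is encoded big-endian. IPv4 addresses already arrive that way, but a host-order field such as the meta mark must be converted first; otherwise, on a little-endian host, a mark that lies inside the interval can be rejected. The map contents mirror "map w" above; the function names and the "big"/"little" switch are mine.

```python
import struct
from ipaddress import IPv4Address

# Constructed map with the shape of "map w" above:
# (saddr interval, mark interval) -> verdict.
INTERVAL_MAP = [
    (("127.0.0.1", "127.0.0.4"), (0x123434, 0xb00122), "accept"),
    (("192.168.0.10", "192.168.1.20"), (0x0000aa00, 0x0000aaff), "accept"),
]


def ip_bytes(addr):
    """IPv4 address as it sits in the packet: network (big-endian) order."""
    return IPv4Address(addr).packed


def mark_bytes(mark, byteorder):
    """32-bit mark serialised big-endian ('big') or little-endian ('little');
    the latter is what a plain memcpy of a host-order integer gives on x86/arm64."""
    return struct.pack(">I" if byteorder == "big" else "<I", mark)


def field_in_range(key, lo, hi):
    """Bytewise (memcmp-style) range test; Python compares bytes lexicographically."""
    return lo <= key <= hi


def lookup(saddr, mark, mark_order="big"):
    """Return the verdict for (saddr, mark), or None when no element matches
    (the chain policy, drop, would then apply). Each field of the concatenation
    is range-checked on its own, as for a concatenated interval set."""
    for (ip_lo, ip_hi), (m_lo, m_hi), verdict in INTERVAL_MAP:
        ip_ok = field_in_range(ip_bytes(saddr), ip_bytes(ip_lo), ip_bytes(ip_hi))
        mark_ok = field_in_range(mark_bytes(mark, mark_order),
                                 mark_bytes(m_lo, mark_order),
                                 mark_bytes(m_hi, mark_order))
        if ip_ok and mark_ok:
            return verdict
    return None


if __name__ == "__main__":
    # 0x500000 lies inside 0x123434-0xb00122, but its little-endian bytes
    # 00 00 50 00 sort below the lower bound's 34 34 12 00 (and the bounds
    # themselves come out inverted: 34 34 12 00 > 22 01 b0 00).
    print(lookup("127.0.0.2", 0x500000, "big"))      # accept
    print(lookup("127.0.0.2", 0x500000, "little"))   # None
```

The little-endian failure is silent: no error, just a packet that falls through to the chain policy. That is why a regression in this area is worth testing with marks whose bytes differ across positions (0x500000 above) rather than small values such as 0x10, whose encoding only differs in where the zeros go and which may pass both ways by accident.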

source: budenet.ru
