Release of the nftables 1.0.7 packet filter

The release of the nftables 1.0.7 packet filter has been published, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (and aiming to replace iptables, ip6tables, arptables and ebtables). The nftables package contains the packet filter components that run in user space, while the kernel-side functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel side offers only a generic, protocol-independent interface that provides basic operations for extracting data from packets, operating on that data, and controlling flow.

Filtering rules are compiled in user space into bytecode, after which that bytecode is loaded into the kernel over the Netlink interface and executed there in a special BPF-like (Berkeley Packet Filter) virtual machine. This approach substantially reduces the amount of filtering code that runs at kernel level and moves all rule parsing and protocol-handling logic into user space.

Main changes:

  • For systems running Linux kernel 6.2+, support was added for matching on the vxlan, geneve, gre and gretap tunnel protocols, allowing simple expressions to inspect headers inside encapsulated packets. For example, to check IP addresses in the header of the inner packet carried over VxLAN, you can now use rules of the form (without first having to strip the VxLAN encapsulation and bind the filter to a vxlan0 device):

        ... udp dport 4789 vxlan ip protocol udp
        ... udp dport 4789 vxlan ip saddr 1.2.3.0/24
        ... udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }

  • Support for automatically merging the remaining ranges after a partial deletion of set elements, which lets you delete a single element or a subrange from an existing range (previously a range could only be deleted as a whole). For example, after deleting element 25 from the ranges 24-30 and 40-50, the list becomes 24, 26-30 and 40-50. The kernel changes needed for auto-merge to work will be included in upcoming stable releases of the 5.10+ kernel branches.

        # nft list ruleset
        table ip x {
            set y {
                typeof tcp dport
                flags interval
                auto-merge
                elements = { 24-30, 40-50 }
            }
        }

    The release notes also show a second definition of the same set with the elements { 25, 24-26, 30-40 }:

            set y {
                typeof tcp dport
                flags interval
                auto-merge
                elements = { 25, 24-26, 30-40 }
            }

  • Ranges and lists can now be used when specifying address translation (NAT) mappings:

        table ip nat {
            chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                dnat to ip daddr . tcp dport map { 10.1.1.136 . 80 : 1.1.2.69 . 1024,
                                                   10.1.1.10-10.1.1.20 . 8888-8889 : 1.1.2.69 . 2048-2049 } persistent
            }
        }

  • Added support for the "last" keyword, which lets you find out when a rule or set element was last used. The feature is supported starting with Linux kernel 5.14.

        table ip x {
            set y {
                typeof ip daddr . tcp dport
                size 65535
                flags dynamic,timeout
                timeout 1h
            }
            chain z {
                type filter hook output priority filter; policy accept;
                update @y { ip daddr . tcp dport }
            }
        }
        # nft list set ip x y
        table ip x {
            set y {
                typeof ip daddr . tcp dport
                size 65535
                flags dynamic,timeout
                timeout 1h
                elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                             172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                             142.250.201.72 . 443 last used 4s748ms timeout 1h expires 59m55s252ms,
                             172.67.70.134 . 443 last used 4s688ms timeout 1h expires 59m55s312ms,
                             35.241.9.150 . 443 last used 5s204ms timeout 1h expires 59m54s796ms,
                             138.201.122.174 . 443 last used 4s537ms timeout 1h expires 59m55s463ms,
                             34.160.144.191 . 443 last used 5s205ms timeout 1h expires 59m54s795ms,
                             130.211.23.194 . 443 last used 4s436ms timeout 1h expires 59m55s564ms }
            }
        }

  • Added the ability to define quotas in set element lists. For example, to limit the amount of traffic sent to each destination IP address, you can specify:

        table netdev x {
            set y {
                typeof ip daddr
                size 65535
                quota over 10000 mbytes
            }
            chain y {
                type filter hook egress device "eth0" priority filter; policy accept;
                ip daddr @y drop
            }
        }
        # nft add element netdev x y { 8.8.8.8 }
        # ping -c 2 8.8.8.8
        # nft list ruleset
        table netdev x {
            set y {
                type ipv4_addr
                size 65535
                quota over 10000 mbytes
                elements = { 8.8.8.8 quota over 10000 mbytes used 196 bytes }
            }
            chain y {
                type filter hook egress device "eth0" priority filter; policy accept;
                ip daddr @y drop
            }
        }

  • Constants are now allowed in set element lists. For example, when the destination address and the VLAN ID are used as the set key, you can write the VLAN number directly (ether daddr . 123):

        table netdev t {
            set s {
                typeof ether saddr . vlan id
                size 2048
                flags dynamic,timeout
                timeout 1m
            }
            chain c {
                type filter hook ingress device eth0 priority 0; policy accept;
                ether type != 8021q update @s { ether daddr . 123 } counter
            }
        }

  • Added a new "destroy" command for deleting objects unconditionally (unlike the delete command, it does not fail with ENOENT when the object to delete does not exist). Requires at least Linux kernel 6.3-rc to work.

        destroy table ip filter

source: budenet.ru
