nftables packet filter release 1.0.0

The release of the nftables 1.0.0 packet filter has been published. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (and is intended to replace iptables, ip6tables, arptables and ebtables). The kernel changes required for nftables 1.0.0 to work are included in the Linux 5.13 kernel. The jump in the major version number is not tied to any fundamental changes; it is simply the result of continuing the sequential decimal numbering (the previous release was 0.9.9).

The nftables package contains the packet filter components that run in user space, while the kernel-side work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level provides only a generic, protocol-independent interface that offers basic primitives for extracting data from packets, performing operations on that data, and controlling flow.

The filtering rules and the protocol-specific handlers are compiled into bytecode in user space, after which this bytecode is loaded into the kernel over the Netlink interface and executed inside the kernel by a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach makes it possible to greatly reduce the amount of filtering code running at kernel level and to move all of the rule parsing and protocol-handling logic into user space.

Main new features:

  • Added support for the "*" catch-all element in sets, which is matched by packets that do not fall under any of the other elements defined in the set:

        table x {
            map blocklist {
                type ipv4_addr : verdict
                flags interval
                elements = { 192.168.0.0/16 : accept, 10.0.0.0/8 : accept, * : drop }
            }
            chain y {
                type filter hook prerouting priority 0; policy accept;
                ip saddr vmap @blocklist
            }
        }

  • Variables can now be defined from the command line using the "--define" option:

        # cat test.nft
        table netdev x {
            chain y {
                type filter hook ingress devices = $dev priority 0; policy drop;
            }
        }
        # nft --define dev="{ eth0, eth1 }" -f test.nft

  • Stateful expressions are now permitted in map elements:

        table inet filter {
            map portmap {
                type inet_service : verdict
                counter
                elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop }
            }
            chain ssh_input {
            }
            chain wan_input {
                tcp dport vmap @portmap
            }
            chain prerouting {
                type filter hook prerouting priority raw; policy accept;
                iif vmap { "lo" : jump wan_input }
            }
        }

  • Added the "list hooks" command, which shows the list of handlers registered for a given packet family:

        # nft list hooks ip device eth0
        family ip {
            hook ingress {
                +0000000010 chain netdev x y [nf_tables]
                +0000000300 chain inet m w [nf_tables]
            }
            hook input {
                -0000000100 chain ip a b [nf_tables]
                +0000000300 chain inet m z [nf_tables]
            }
            hook forward {
                -0000000225 selinux_ipv4_forward
                 0000000000 chain ip a c [nf_tables]
                 0000000225 selinux_ipv4_forward
            }
            hook postrouting {
                +0000000225 selinux_ipv4_postroute
            }
        }

  • Queue statements can be combined with the jhash, symhash and numgen expressions to distribute packets across user-space queues:

        ... queue to symhash mod 65536
        ... queue flags bypass to numgen inc mod 65536
        ... queue to jhash oif . meta mark mod 32

    "queue" can also be combined with maps to select the user-space queue based on arbitrary keys:

        ... queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }

  • Variables holding a set can be expanded inside maps:

        define interfaces = { eth0, eth1 }

        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { lo : accept, $interfaces : drop }
            }
        }
        # nft -f x.nft
        # nft list ruleset
        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
            }
        }

  • Concatenations with intervals are now permitted in vmaps (verdict maps):

        # nft add rule x y tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept }

  • Simplified syntax for NAT maps. Address ranges can be specified:

        ... snat to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }

    or specific IP addresses and ports:

        ... dnat to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }

    or combinations of IP ranges and port ranges:

        ... dnat to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2-10.141.10.5 . 8888-8999 }
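The following is an added example, not part of nftables or of the original article: a small Python model of how the "*" catch-all element from the first item above changes the outcome of the rule `ip saddr vmap @blocklist`. Without the catch-all, a source address that matches no element falls through to the chain policy (`accept` in the example), so the map only becomes a real default-deny once `* : drop` is present. The map contents and the test addresses are constructed for illustration.

```python
"""Model of verdict lookup in an nftables interval vmap with a '*' element.

Added example (not nftables code). Models the page's map
    { 192.168.0.0/16 : accept, 10.0.0.0/8 : accept, * : drop }
used by the rule 'ip saddr vmap @blocklist' in a chain with 'policy accept'.
"""
import ipaddress

CATCH_ALL = "*"


def lookup_vmap(vmap, key):
    """Return the verdict for key, or None when no element matches.

    vmap maps CIDR strings (or '*') to verdict strings. As nft does for
    'flags interval' sets, the intervals are assumed not to overlap, so
    the first containing interval is the only one. The '*' element is
    consulted only after every explicit element has failed to match.
    """
    addr = ipaddress.ip_address(key)
    for elem, verdict in vmap.items():
        if elem == CATCH_ALL:
            continue
        if addr in ipaddress.ip_network(elem):
            return verdict
    return vmap.get(CATCH_ALL)


def chain_verdict(vmap, policy, key):
    """Verdict of a one-rule chain 'ip saddr vmap @map' with the given policy.

    A lookup miss means the rule does not fire, so the packet reaches the
    end of the chain and receives the chain policy.
    """
    verdict = lookup_vmap(vmap, key)
    return verdict if verdict is not None else policy


# Constructed maps: the page's blocklist, and the same map without '*'.
BLOCKLIST = {"192.168.0.0/16": "accept", "10.0.0.0/8": "accept", CATCH_ALL: "drop"}
NO_CATCH_ALL = {k: v for k, v in BLOCKLIST.items() if k != CATCH_ALL}

if __name__ == "__main__":
    for src in ("10.1.2.3", "203.0.113.7"):
        print(src, "with '*':", chain_verdict(BLOCKLIST, "accept", src),
              "without '*':", chain_verdict(NO_CATCH_ALL, "accept", src))
```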

Source: opennet.ru
