nftables packet filter release 1.0.2

The release of the nftables packet filter 1.0.2 has been published. nftables unifies the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges, and is intended to replace iptables, ip6tables, arptables and ebtables. The kernel-side changes required by nftables 1.0.2 are included in Linux kernel 5.17-rc.

The nftables package contains the packet filter components that run in user space, while the kernel-level functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel side offers a generic, protocol-independent interface that provides basic primitives for extracting data from packets, performing operations on that data, and controlling flow.

Filter rules and protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed by a dedicated in-kernel virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach substantially reduces the amount of filtering code that runs at the kernel level and moves all rule parsing and protocol-handling logic into user space.

Main new features:

  • A rule optimization mode has been added, enabled with the new "-o" ("--optimize") option. It can be combined with the "--check" option to check and optimize a ruleset file without loading it into the kernel. Similar rules are merged; for example, the rules:

      meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
      meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
      ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
      ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop

    are merged into:

      meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.5 } accept
      ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }

    Usage example:

      # nft -c -o -f ruleset.test
      Merging:
      ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept
      ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept
      ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept
      into:
      ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept
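    As an added example (not part of the original announcement or of the nftables project), the following ruleset file puts the four verbose rules above into a loadable table so the optimizer can be tried on them. The table and chain names, the interface eth1 and the addresses are sample values taken from or modelled on the text. The second chain is a hand-written equivalent of what "-o" produces, kept as a regular chain (no hook) so both forms can be loaded side by side for comparison.

```nft
#!/usr/sbin/nft -f
# Added example, not from the nftables project. Interface, addresses
# and the table/chain names are sample values.
#
# Preview the merges without touching the kernel:
#   nft -c -o -f ruleset.nft
# Load the optimized form:
#   nft -o -f ruleset.nft

table inet filter {
	# Verbose form: one rule per (interface, source, destination) tuple.
	# The optimizer merges adjacent rules that share the same match keys
	# and the same statements, so first-match semantics are preserved.
	chain forward {
		type filter hook forward priority filter; policy drop;

		meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
		meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
		ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
		ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop
	}

	# Hand-written equivalent of the optimizer's output: rules with the
	# same verdict collapse into one concatenated anonymous set, rules
	# with differing verdicts into a verdict map (vmap). Regular chain,
	# no hook, so it is never evaluated and only serves as a comparison.
	chain forward_optimized {
		meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.5 } accept
		ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }
	}
}
```

    With "-c" nothing is loaded: nft parses the file, prints the "Merging: ... into: ..." report and exits, which is the step to review before loading with "-o". One thing the report in the announcement makes visible: the three per-destination "counter accept" rules become a single rule with a single counter ("counter packets 0 bytes 0"), so per-address hit counts are no longer available after merging. Keep the verbose form where those counters feed monitoring or incident response.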

  • Sets can now be keyed on ip and tcp option fields and on sctp chunk fields:

      set s5 { typeof ip option ra value elements = { 1, 1024 } }
      set s7 { typeof sctp chunk init num-inbound-streams elements = { 1, 4 } }
      chain c5 { ip option ra value @s5 accept }
      chain c7 { sctp chunk init num-inbound-streams @s7 accept }

  • Added support for the TCP options fastopen, md5sig and mptcp.
  • Added the ability to match the mptcp subtype in rulesets: tcp option mptcp subtype 1
  • Improvements to the kernel-side filtering code.
  • Flowtables now have full JSON support.
  • The "reject" action can now be used in rules that match on Ethernet frame fields:

      ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject

Source: opennet.ru
