nftables packet filter release 1.0.6

The release of the nftables 1.0.6 packet filter has been published. nftables unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges and is intended to replace iptables, ip6tables, arptables and ebtables. The nftables package contains the packet filter components that run in user space, while the kernel-level functionality is provided by the nf_tables subsystem, part of the Linux kernel since release 3.13. The kernel level provides a generic, protocol-independent interface with basic primitives for extracting data from packets, performing operations on that data, and flow control.

Filtering rules and protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel via the Netlink interface and executed there by a dedicated virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach makes it possible to significantly reduce the amount of filtering code running at the kernel level and to move all rule parsing and protocol-handling logic into user space.

Main changes:

  • The rule optimizer, enabled with the "-o/--optimize" option, now detects groups of similar rules and merges them into a single rule with a concatenated set or map. For example, the ruleset

        # cat ruleset.nft
        table ip x {
                chain y {
                        type filter hook input priority filter; policy drop;
                        meta iifname eth1 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
                        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
                        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
                        meta iifname eth1 ip saddr 2.2.3.0/24 ip daddr 1.1.1.1-1.1.1.2 accept
                        meta iifname eth2 ip saddr 2.2.4.0/24 ip daddr 2.2.4.10 accept
                }
        }

    is rewritten after running "nft -o -c -f ruleset.nft" as follows:

        Merging:
        ruleset.nft:4:17-74:    meta iifname eth1 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
        ruleset.nft:5:17-74:    meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        ruleset.nft:6:17-77:    meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
        ruleset.nft:7:17-83:    meta iifname eth1 ip saddr 2.2.3.0/24 ip daddr 1.1.1.1-1.1.1.2 accept
        ruleset.nft:8:17-74:    meta iifname eth2 ip saddr 2.2.4.0/24 ip daddr 2.2.4.10 accept
        into:
                iifname . ip saddr . ip daddr { eth1 . 1.1.1.3 . 2.2.2.5, eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.4, eth1 . 2.2.3.0/24 . 1.1.1.1-1.1.1.2, eth2 . 2.2.4.0/24 . 2.2.4.10 } accept
  • The optimizer can also merge rules that already use simple anonymous sets into a single rule with a concatenated set. For example, the rules

        # cat ruleset.nft
        table ip filter {
                chain input {
                        type filter hook input priority filter; policy drop;
                        iifname "lo" accept
                        ct state established,related accept
                        iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 123 accept
                        iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
                }
        }

    are reported after running "nft -o -c -f ruleset.nft" as:

        Merging:
        ruleset.nft:6:22-149:   iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 123 accept
        ruleset.nft:7:22-143:   iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
        into:
                iifname . ip saddr . ip daddr . udp sport . udp dport { enp0s31f6 . 209.115.181.102 . 10.0.0.149 . 123 . 123, enp0s31f6 . 216.197.228.230 . 10.0.0.149 . 123 . 123, enp0s31f6 . 64.59.144.17 . 10.0.0.149 . 53 . 32768-65535, enp0s31f6 . 64.59.150.133 . 10.0.0.149 . 53 . 32768-65535 } accept
  • Fixed bytecode generation for concatenations that combine types with different byte orders, such as an IPv4 address (network byte order) and the meta mark (host byte order), as in:

        table ip x {
                map w {
                        typeof ip saddr . meta mark : verdict
                        flags interval
                        elements = { 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept,
                                     192.168.0.10-192.168.1.20 . 0x0000aa00-0x0000aaff : accept, }
                }
                chain k {
                        type filter hook input priority filter; policy drop;
                        ip saddr . meta mark vmap @w
                }
        }
  • Improved handling of comparisons that use raw payload expressions, for example:

        meta l4proto 91 @th,400,16 0x0 accept
  • Fixed problems with adding rules whose anonymous sets contain ranges, for example:

        insert rule x y tcp sport { 3478-3497, 16384-16387 } counter accept
  • The JSON API has been improved with support for expressions in set and map element lists.
  • The nftables Python library has been extended to allow loading rulesets in check mode ("-c") and to support externally supplied variable definitions.
  • Comments can now be attached to set elements.
  • A byte ratelimit may now be specified with a zero value.
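To make the optimizer's transformation concrete, the following Python script is an added illustration (not code from the nftables project) that models what "nft -o" does to the two examples above: a run of consecutive rules matching the same selectors with the same verdict, and differing only in the matched values, is folded into one rule with a concatenated anonymous set, and a rule of a different shape ends the run, because moving rules across it could change what the chain accepts. The grammar it parses is a deliberate simplification of nft syntax (five selectors, one value or one anonymous set per selector, a bare accept/drop verdict); the sample rules are constructed here from the values in the release notes.

```python
import itertools
import re

# Selectors the toy grammar understands; the value is either an anonymous
# set '{ a, b }' or a single token (address, prefix, range, port, ifname).
SEL_RE = re.compile(
    r"(iifname|ip saddr|ip daddr|udp sport|udp dport)\s+(\{[^}]*\}|\S+)")
VERDICTS = ("accept", "drop")


def parse_rule(text):
    """Split a flat rule into ([(selector, [values]), ...], verdict).
    'meta iifname' is normalised to 'iifname', quotes are stripped and an
    anonymous set '{ a, b }' becomes the list ['a', 'b'].  Raises ValueError
    for anything outside the toy grammar (ct state, counter, ...)."""
    body = text.strip().replace('"', "")
    if body.startswith("meta "):
        body = body[len("meta "):]
    body, _, verdict = body.rpartition(" ")
    if verdict not in VERDICTS:
        raise ValueError("unsupported verdict in rule: " + text)
    # every character of the body must belong to a recognised selector
    if not body or SEL_RE.sub("", body).strip():
        raise ValueError("unsupported match in rule: " + text)
    selectors = []
    for m in SEL_RE.finditer(body):
        name, value = m.group(1), m.group(2)
        if value.startswith("{"):
            values = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        else:
            values = [value]
        selectors.append((name, values))
    return selectors, verdict


def merge_rules(rules):
    """Return the rule list with each run of same-shaped rules replaced by one
    rule over a concatenated set.  Value lists are expanded as a cartesian
    product, which is how nft turned '{ a, b }' into two set elements in the
    second example.  Rules the toy parser does not understand are kept in
    place unchanged and act as a barrier between runs."""
    out = []
    run = []  # consecutive parsed rules sharing one (selectors, verdict) shape

    def flush():
        if len(run) == 1:
            out.append(run[0]["text"])
        elif run:
            names = [name for name, _ in run[0]["sels"]]
            elems = []
            for r in run:
                for combo in itertools.product(*[vals for _, vals in r["sels"]]):
                    elem = " . ".join(combo)
                    if elem not in elems:  # nft rejects duplicate elements
                        elems.append(elem)
            out.append("%s { %s } %s" % (" . ".join(names), ", ".join(elems),
                                         run[0]["verdict"]))
        run.clear()

    for text in rules:
        try:
            sels, verdict = parse_rule(text)
        except ValueError:
            flush()  # an opaque rule stays exactly where it is
            out.append(text.strip())
            continue
        shape = (tuple(name for name, _ in sels), verdict)
        if run and shape != run[0]["shape"]:
            flush()
        run.append({"sels": sels, "verdict": verdict,
                    "text": text.strip(), "shape": shape})
    flush()
    return out


# Constructed sample input, modelled on the first example in the release notes.
EXAMPLE_RULES = [
    "meta iifname eth1 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept",
    "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept",
    "meta iifname eth1 ip saddr 2.2.3.0/24 ip daddr 1.1.1.1-1.1.1.2 accept",
    "meta iifname eth2 ip saddr 2.2.4.0/24 ip daddr 2.2.4.10 accept",
]

if __name__ == "__main__":
    for rule in merge_rules(EXAMPLE_RULES):
        print(rule)
```

Feeding it the second example (with the "lo" and "ct state" rules in front) leaves those two rules untouched and merges only the two UDP rules, and inserting a rule of a different shape between two otherwise mergeable rules keeps all three separate; that last behaviour is the property to check when reviewing optimizer output, since the merged set must match exactly the packets the original sequence did.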

Source: opennet.ru
