nftables packet filter 1.0.6 released

The nftables packet filter 1.0.6 has been released. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (and is intended to replace iptables, ip6tables, arptables and ebtables). The nftables package contains the user-space components of the packet filter, while the kernel-side functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level provides only a generic, protocol-independent interface with basic operations for extracting data from packets, performing operations on that data and controlling the flow.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed inside the kernel by a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code running at kernel level and moves all rule parsing and protocol logic into user space.

Main changes:

  • A rule optimizer, enabled with the "-o/--optimize" option, finds rules that differ only in the values they match and merges them into maps and sets, including concatenations with intervals. For example, the ruleset

      # cat ruleset.nft
      table ip x {
              chain y {
                      type filter hook input priority filter; policy drop;
                      meta iifname eth1 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
                      meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
                      meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
                      meta iifname eth1 ip saddr 2.2.3.0/24 ip daddr 1.1.1.1-1.1.1.2 accept
                      meta iifname eth2 ip saddr 2.2.4.0 ip daddr 2.2.4.10 accept
              }
      }

    after running "nft -o -c -f ruleset.nft" has its five rules (lines 4 to 8 of ruleset.nft) listed under "Merging:" and rewritten "into:" the single rule

      iifname . ip saddr . ip daddr { eth1 . 1.1.1.3 . 2.2.2.5, eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.4, eth1 . 2.2.3.0/24 . 1.1.1.1-1.1.1.2, eth2 . 2.2.4.0 . 2.2.4.10 } accept
  • The optimizer can also convert rules that already use simple anonymous sets into a concatenation. For example, the rules

      # cat ruleset.nft
      table ip filter {
              chain input {
                      type filter hook input priority filter; policy drop;
                      iifname "lo" accept
                      ct state established,related accept comment "Traffic we initiated, trusted"
                      iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 123 accept
                      iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
              }
      }

    are merged (lines 6 and 7 of ruleset.nft) into:

      iifname . ip saddr . ip daddr . udp sport . udp dport { "enp0s31f6" . 209.115.181.102 . 10.0.0.149 . 123 . 123, "enp0s31f6" . 216.197.228.230 . 10.0.0.149 . 123 . 123, "enp0s31f6" . 64.59.144.17 . 10.0.0.149 . 53 . 32768-65535, "enp0s31f6" . 64.59.150.133 . 10.0.0.149 . 53 . 32768-65535 } accept
  • Fixed bytecode generation for concatenations that combine data types with different byte order, such as IPv4 addresses (network byte order) and the meta mark (host byte order), as in:

      table ip x {
              map w {
                      typeof ip saddr . meta mark : verdict
                      flags interval
                      elements = { 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept,
                                   192.168.0.10-192.168.1.20 . 0x0000aa00-0x0000aaff : accept, }
              }
              chain k {
                      type filter hook input priority filter; policy drop;
                      ip saddr . meta mark vmap @w
              }
      }
  • Fixed matching of transport-header fields through raw payload expressions, for example: meta l4proto 91 @th,400,16 0x0 accept
  • Fixed problems when adding rules with intervals, for example: insert rule x y tcp sport { 3478-3497, 16384-16387 } counter accept
  • The JSON API now supports statements in set and map elements.
  • The nftables Python library can now load rulesets in check mode ("-c") and supports external variable definitions.
  • Comments can now be attached to set elements.
  • The byte ratelimit now allows a value of zero to be specified.
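To make the merge step of the two optimizer examples above concrete, here is an added toy re-implementation in Python (not the nftables optimizer's own code): it parses rules that differ only in their selector values, expands anonymous sets into one concatenation element per member, and emits one concatenation-set rule per group of rules sharing selectors and verdict. It assumes every input rule is a merge candidate (a rule such as "ct state established,related accept" is rejected) and ignores rule ordering, which the real optimizer must respect when deciding whether two rules may be merged.

```python
import itertools
import re

# Constructed input: the five rules of the first optimizer example above.
RULES = [
    "meta iifname eth1 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept",
    "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept",
    "meta iifname eth1 ip saddr 2.2.3.0/24 ip daddr 1.1.1.1-1.1.1.2 accept",
    "meta iifname eth2 ip saddr 2.2.4.0 ip daddr 2.2.4.10 accept",
]

# Selectors this toy understands; a value is one token or an anonymous set "{ a, b }".
VALUE = r"(\{[^}]*\}|\S+)"
SELECTORS = [(r"(?:meta )?iifname " + VALUE, "iifname"),
             (r"ip saddr " + VALUE, "ip saddr"), (r"ip daddr " + VALUE, "ip daddr"),
             (r"udp sport " + VALUE, "udp sport"), (r"udp dport " + VALUE, "udp dport")]

def parse_rule(rule):
    """Split a rule into (selector keys, one value list per key, verdict)."""
    keys, vals, rest = [], [], rule.strip()
    for pat, name in SELECTORS:
        m = re.search(pat, rest)
        if m:
            keys.append(name)
            v = m.group(1)
            # an anonymous set contributes one concatenation element per member
            vals.append([x.strip() for x in v.strip("{} ").split(",")] if v.startswith("{") else [v])
            rest = rest.replace(m.group(0), "", 1)
    verdict = rest.strip()
    if verdict not in ("accept", "drop") or len(keys) < 2:
        raise ValueError("not a merge candidate: " + rule)  # e.g. "ct state ... accept"
    return tuple(keys), vals, verdict

def merge_rules(rules):
    """Merge rules with identical selectors and verdict into one concatenation-set rule."""
    groups, originals = {}, {}           # (keys, verdict) -> elements / first rule text
    for r in rules:
        keys, vals, verdict = parse_rule(r)
        elems = groups.setdefault((keys, verdict), [])
        elems.extend(" . ".join(e) for e in itertools.product(*vals))
        originals.setdefault((keys, verdict), r)
    out = []
    for (keys, verdict), elems in groups.items():
        if len(elems) == 1:              # nothing to merge: keep the rule as written
            out.append(originals[(keys, verdict)])
        else:
            out.append(f"{' . '.join(keys)} {{ {', '.join(elems)} }} {verdict}")
    return out
```

Running merge_rules on the second example's two "enp0s31f6" rules yields the five-field concatenation shown in that bullet, with each anonymous set member expanded into its own element.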

Source: opennet.ru
