nftables packet filter 0.9.4 released

The release of the nftables packet filter 0.9.4 has been published. nftables is developed as a replacement for iptables, ip6tables, arptables and ebtables, unifying the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the user-space components of the packet filter, while the kernel side is handled by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel changes required by nftables 0.9.4 are included in the upcoming Linux 5.6 branch.

The kernel provides only a generic, protocol-independent interface with basic operations for extracting data from packets, operating on that data and controlling flow. The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; that bytecode is then loaded into the kernel over the Netlink interface and executed by a dedicated in-kernel virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach keeps the filtering code that runs at kernel level small and moves all rule parsing and protocol logic into user space.

Main changes:

  • Support for ranges in concatenations (concatenation: a bundle of addresses and ports matched as one key, which simplifies comparisons). For example, for a set "whitelist" whose elements are concatenations, the "interval" flag declares that the concatenations may contain ranges. For the concatenation "ipv4_addr . ipv4_addr . inet_service" it was previously only possible to list single tuples such as "192.168.10.35 . 192.68.11.123 . 80"; now groups of addresses such as "192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80" can be given.

    table ip foo {
        set whitelist {
            type ipv4_addr . ipv4_addr . inet_service
            flags interval
            elements = { 192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip saddr . ip daddr . tcp dport @whitelist accept
        }
    }

  • In sets and maps the "typeof" directive can be used; it derives the element type from the expression the set is matched against, so the data type does not have to be spelled out by hand. For example:

    table ip foo {
        set whitelist {
            typeof ip saddr
            elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip daddr @whitelist accept
        }
    }

    table ip foo {
        map addr2mark {
            typeof ip saddr : meta mark
            elements = { 192.168.10.35 : 0x00000001, 192.168.10.135 : 0x00000002 }
        }
    }

  • Concatenations can now be used in NAT bindings, which makes it possible to specify both the address and the port when defining NAT translations from a map or a named set:

    nft add rule ip nat pre dnat ip addr . port to ip saddr map { 1.1.1.1 : 2.2.2.2 . 30 }

    nft add map ip nat destinations { type ipv4_addr . inet_service : ipv4_addr . inet_service \; }
    nft add rule ip nat pre dnat ip addr . port to ip saddr . tcp dport map @destinations
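To make the matching semantics of the two features above concrete (a concatenated interval set used as a whitelist, and a concatenation map used for dnat), here is a small user-space model written for this article. It is an added example, not code from the nftables project, and it never talks to the kernel: it parses elements written in nft's element syntax and matches lookup keys the way the set and map above would. The element strings, including the 10.0.0.0/8 whitelist entry and the map entry, are constructed sample inputs.

```python
"""User-space model of nftables concatenated sets and maps (added example,
not nftables code). Elements use nft's "a . b . c" syntax; "lo-hi" ranges
are allowed under "flags interval"; keys are matched component by component."""
import ipaddress
import re

# nft separates concatenation components with " . ", which keeps the dots
# inside IPv4 addresses unambiguous.
SEP = re.compile(r"\s+\.\s+")


def _to_int(value, kind):
    """Normalise one component (ipv4_addr string or inet_service port) to an int."""
    if kind == "ipv4_addr":
        return int(ipaddress.IPv4Address(value))
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {value!r}")
    return port


def _component_range(text, kind):
    """Parse one element component into an inclusive (lo, hi) integer range."""
    lo, _, hi = text.strip().partition("-")
    lo_i = _to_int(lo, kind)
    hi_i = _to_int(hi, kind) if hi else lo_i
    if lo_i > hi_i:
        raise ValueError(f"inverted range: {text!r}")
    return lo_i, hi_i


class ConcatSet:
    """Set of concatenated elements; interval=True mirrors 'flags interval'."""

    def __init__(self, types, interval=False):
        self.types = list(types)
        self.interval = interval
        self.elements = []  # per element: one (lo, hi) tuple per component

    def _parse_key(self, text):
        parts = SEP.split(text.strip())
        if len(parts) != len(self.types):
            raise ValueError(f"expected {len(self.types)} components: {text!r}")
        ranges = tuple(_component_range(p, t) for p, t in zip(parts, self.types))
        if not self.interval and any(lo != hi for lo, hi in ranges):
            raise ValueError(f"ranges require 'flags interval': {text!r}")
        return ranges

    def add(self, element):
        self.elements.append(self._parse_key(element))

    def _index(self, key):
        """Index of the first element whose ranges all contain key, else None."""
        ints = [_to_int(v, t) for v, t in zip(key, self.types)]
        for i, ranges in enumerate(self.elements):
            if all(lo <= k <= hi for k, (lo, hi) in zip(ints, ranges)):
                return i
        return None

    def contains(self, key):
        return self._index(key) is not None


class ConcatMap(ConcatSet):
    """Map from a concatenated key to a concatenated value ('key : value')."""

    def __init__(self, key_types, value_types, interval=False):
        super().__init__(key_types, interval)
        self.value_types = list(value_types)
        self.values = []

    def add(self, element):
        key, sep, value = element.partition(":")
        if not sep:
            raise ValueError(f"map element needs 'key : value': {element!r}")
        vparts = SEP.split(value.strip())
        if len(vparts) != len(self.value_types):
            raise ValueError(f"expected {len(self.value_types)} value parts: {element!r}")
        super().add(key)
        self.values.append(tuple(vparts))

    def lookup(self, key):
        i = self._index(key)
        return None if i is None else self.values[i]


def build_whitelist():
    """Model of the page's 'set whitelist': saddr . daddr . dport with ranges."""
    wl = ConcatSet(["ipv4_addr", "ipv4_addr", "inet_service"], interval=True)
    wl.add("192.168.10.35-192.168.10.40 . 192.168.11.123-192.168.11.125 . 80")
    wl.add("10.0.0.1 . 10.0.0.2 . 8080-8081")  # constructed extra element
    return wl


def build_nat_map():
    """Model of 'map destinations' keyed by ip saddr . tcp dport (constructed)."""
    m = ConcatMap(["ipv4_addr", "inet_service"], ["ipv4_addr", "inet_service"])
    m.add("1.1.1.1 . 80 : 2.2.2.2 . 30")
    return m
```

With this model a whitelist lookup for (saddr, daddr, dport) = ("192.168.10.37", "192.168.11.124", 80) matches, while port 443 or a source address just outside the range does not, and the NAT map returns the ("2.2.2.2", "30") target for the key ("1.1.1.1", 80). Like nft, the model rejects a range element in a set that was not declared with "flags interval"; forgetting the flag is the usual reason a range-based whitelist fails to load.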

  • Support for hardware acceleration, with part of the filtering performed by the network card. Acceleration is first enabled with the ethtool utility ("ethtool -K eth0 hw-tc-offload on") and then activated in nftables for a base chain with the "offload" flag; the flag is only accepted on base chains and only when the device driver supports the offload. With Linux kernel 5.6, hardware offload is supported for matching header fields and checking the incoming interface, combined with accepting, dropping, duplicating (dup) and forwarding (fwd) packets. In the example below, dropping packets from address 192.168.30.20 is done by the network card, without handing the packets to the kernel:

    # cat file.nft
    table netdev x {
        chain y {
            type filter hook ingress device eth0 priority 10; flags offload;
            ip saddr 192.168.30.20 drop
        }
    }
    # nft -f file.nft

  • Improved reporting of where an error occurs in a rule: the offending token is marked under the echoed command.

    # nft delete rule ip y z handle 7
    Error: Could not process rule: No such file or directory
    delete rule ip y z handle 7
                   ^

    # nft delete rule ip x x handle 7
    Error: Could not process rule: No such file or directory
    delete rule ip x x handle 7
                              ^

    # nft delete table twst
    Error: No such file or directory; did you mean table ‘test’ in family ip?
    delete table twst
                 ^^^^

    The first example shows that table "y" does not exist on the system, the second that there is no rule with handle "7", and the third that the table name was mistyped.

  • Added support for matching the slave (enslaved) input interface via "meta sdif" or "meta sdifname":

    ... meta sdifname vrf1 ...

  • Added support for right and left shift operations. For example, to shift the existing packet mark left by one bit and set the low bit to 1:

    ... meta mark set meta mark lshift 1 or 0x1 ...

  • A "-V" option was implemented to print extended version information, including which optional features the binary was built with.

    # nft -V
    nftables v0.9.4 (Jive at Five)
      cli:          readline
      json:         yes
      minigmp:      no
      libxtables:   yes
  • Command-line options must now be given before the command. For example, you must write "nft -a list ruleset"; running "nft list ruleset -a" now produces an error.

    Source: opennet.ru
