nftables packet filter 0.9.9 released

The release of the packet filter nftables 0.9.9 has been announced; it unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (with the goal of replacing iptables, ip6tables, arptables and ebtables). At the same time, a release of the companion library libnftnl 1.2.0 has been published, providing a low-level API for interacting with the nf_tables subsystem. The kernel changes required for the nftables 0.9.9 release to work are included in Linux kernel 5.13-rc1.

The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering basic functions for extracting data from packets, performing operations on that data, and controlling flow.

The filtering rules and the protocol-specific handlers are compiled in user space into bytecode, after which this bytecode is loaded into the kernel over the Netlink interface and executed in the kernel by a special virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to significantly reduce the size of the filtering code running at the kernel level and to move all rule parsing and protocol handling logic into user space.

Main innovations:

  • The ability to offload flowtable processing to the network adapter, enabled with the 'offload' flag. A flowtable is a mechanism for optimizing the packet forwarding path: the full traversal of the processing chains is applied only to the first packet of a flow, and all other packets of that flow are forwarded directly.

        table ip global {
            flowtable f {
                hook ingress priority filter + 1
                devices = { lan3, lan0, wan }
                flags offload
            }
            chain forward {
                type filter hook forward priority filter; policy accept;
                ip protocol { tcp, udp } flow add @f
            }
            chain post {
                type nat hook postrouting priority filter; policy accept;
                oifname "wan" masquerade
            }
        }

  • Added support for attaching the owner flag to a table, restricting use of the table to the process that created it. When that process terminates, the table associated with it is automatically deleted. Information about the process is shown in the rule dump as a comment:

        table ip x { # progname nft
            flags owner
            chain y {
                type filter hook input priority filter; policy accept;
                counter packets 1 bytes 309
            }
        }

  • Added support for the IEEE 802.1ad specification (VLAN stacking, or QinQ), which defines the insertion of multiple VLAN tags into a single Ethernet frame. For example, to match an outer Ethernet frame type of 8021ad with vlan id = 342, you can use the construction:

        ... ether type 8021ad vlan id 342

    To match an outer Ethernet frame type of 8021ad / vlan id = 1, a nested 802.1q / vlan id = 2, and further IP packet encapsulation:

        ... ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter

  • Added support for resource management using the unified cgroups v2 hierarchy. The key difference between cgroups v2 and v1 is the use of a single hierarchy for all resource types, instead of separate hierarchies for CPU allocation, memory management and I/O. For example, to check whether the ancestor of a socket at the first cgroupv2 level matches the "system.slice" mask, you can use the construction:

        ... socket cgroupv2 level 1 "system.slice"

  • Added the ability to inspect the contents of SCTP packet chunks (the kernel functionality required for this will appear in Linux kernel 5.14). For example, to check whether a packet contains a chunk of type 'data', and to check its 'type' field:

        ... sctp chunk data exists
        ... sctp chunk data type 0

  • Rule loading with the "-f" flag has been sped up roughly twofold. Output of rule listings has also been accelerated.
  • A syntax for checking whether flag bits are set. For example, to check that the snat and dnat status bits are not set, you can specify:

        ... ct status ! snat,dnat

    To check that the syn bit is set within the bitmask syn,ack:

        ... tcp flags syn / syn,ack

    To check that the fin and rst bits are not set within the bitmask syn,ack,fin,rst:

        ... tcp flags != fin,rst / syn,ack,fin,rst

  • The "verdict" keyword is now allowed in set / map type definitions:

        add map xm { typeof iifname . ip protocol . th dport : verdict; }
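To show how the bitmask flag syntax from this release fits into a complete ruleset rather than an isolated expression, here is an added example of an input filter written for this article; it is not part of the original announcement or of the nftables project's own documentation. It assumes an interface named "lo", an SSH service on port 22, and that the ruleset is loaded with nft -f; all of these are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the release announcement): a minimal host input
# filter that uses the 0.9.9 "flags / mask" syntax to reject malformed TCP
# handshakes before they reach the connection tracker's accept rules.
# Interface and port names below are assumptions.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Loopback and already-tracked traffic pass unconditionally.
        iif "lo" accept
        ct state established,related accept

        # fin and rst set together never occur in a legitimate segment:
        # match (flags & (fin|rst)) == (fin|rst) and drop it.
        tcp flags fin,rst / fin,rst counter drop

        # A new connection must start with syn set and ack clear:
        # (flags & (syn|ack)) must equal exactly syn, otherwise drop.
        ct state new tcp flags != syn / syn,ack counter drop

        # Only untranslated flows reach this host's SSH service directly;
        # flows that were snat'ed or dnat'ed on the way in are counted
        # separately so they show up in "nft list ruleset".
        ct status ! snat,dnat tcp dport 22 ct state new accept
        ct status snat,dnat counter
    }
}
```

The two "counter drop" rules are the useful part for an operator: after loading the file, nft list ruleset shows how many segments were rejected for each illegal flag combination, which is a cheap way to spot scanners and broken middleboxes without a packet capture.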

Source: opennet.ru
