The nftables 0.9.9 packet filter has been released. It unifies the packet filtering interfaces for IPv4, IPv6, ARP, and network bridges (it aims to replace iptables, ip6tables, arptables, and ebtables). The accompanying libnftnl 1.2.0 library, which provides a low-level API for interacting with the nf_tables subsystem, was released at the same time. The kernel changes required by nftables 0.9.9 are included in Linux 5.13-rc1.
The nftables package contains the packet-filter components that run in user space, while the kernel-side work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided; it offers basic primitives for extracting data from packets, performing operations on that data, and controlling flows.
The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; that bytecode is then loaded into the kernel over the Netlink interface and executed inside a dedicated in-kernel virtual machine resembling BPF (Berkeley Packet Filters). This approach keeps the amount of filtering code running at the kernel level small and moves all parsing and protocol logic into user space.
Main innovations:
- Ability to offload a flowtable to the network adapter, enabled with the 'offload' flag. A flowtable is a mechanism for optimizing the packet forwarding path: the full sequence of rule chains is applied only to the first packet of a flow, and all subsequent packets of that flow are forwarded directly.
    table ip global {
        flowtable f {
            hook ingress priority filter + 1
            devices = { lan3, lan0, wan }
            flags offload
        }
        chain forward {
            type filter hook forward priority filter; policy accept;
            ip protocol { tcp, udp } flow add @f
        }
        chain post {
            type nat hook postrouting priority filter; policy accept;
            oifname "wan" masquerade
        }
    }
- Added support for attaching an 'owner' flag to a table, which ensures that the table is used exclusively by the process that created it. When that process terminates, the table associated with it is automatically deleted. Information about the process is shown in rule dumps as a comment:
    table ip x { # progname nft
        flags owner

        chain y {
            type filter hook input priority filter; policy accept;
            counter packets 1 bytes 309
        }
    }
- Added support for the IEEE 802.1ad specification (VLAN stacking, or QinQ), which allows several VLAN tags to be carried in a single Ethernet frame. For example, to match an outer Ethernet frame of type 8021ad with VLAN id 342, you can use:
    ... ether type 8021ad vlan id 342
  To match an outer Ethernet frame of type 8021ad with VLAN id 1, a nested 802.1q tag with VLAN id 2, and an encapsulated IP packet:
    ... ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter
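To make the stacked-tag match concrete, here is an added example (it is not code from nftables or from the announcement) that parses 802.1ad/802.1Q tag stacks from raw Ethernet frames and emulates the chained rule quoted above. The frames, the EtherType name table, and the helper names build_frame, parse_vlan_stack and rule_matches are all constructed for this example.

```python
# Added example, not part of nftables or the announcement: a parser for stacked
# 802.1ad/802.1Q VLAN tags that shows what the rule
#   ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip
# actually inspects in a frame. Frames are constructed here; build_frame,
# parse_vlan_stack and rule_matches are names chosen for this example.
import struct

ETHERTYPE_NAMES = {0x88A8: "8021ad", 0x8100: "8021q", 0x0800: "ip",
                   0x86DD: "ip6", 0x0806: "arp"}
VLAN_TPIDS = {0x88A8, 0x8100}          # 802.1ad (S-tag) and 802.1Q (C-tag)


def build_frame(tags, payload_type, payload=b""):
    """Construct an Ethernet frame: dst, src, then one 4-byte header per
    (tpid, vid) tag, then the payload EtherType. PCP/DEI bits are left zero."""
    frame = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    for tpid, vid in tags:
        if not 0 <= vid <= 0xFFF:
            raise ValueError("VLAN id out of range: %d" % vid)
        frame += struct.pack("!HH", tpid, vid)
    return frame + struct.pack("!H", payload_type) + payload


def parse_vlan_stack(frame):
    """Walk the tag stack and return ([(tag_type, vid), ...], payload_type, payload_offset).

    The first EtherType field (offset 12) is what 'ether type' matches; each
    VLAN tag then carries a TCI (PCP:3, DEI:1, VID:12) followed by the next type."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (etype,) = struct.unpack_from("!H", frame, 12)
    offset, tags = 14, []
    while etype in VLAN_TPIDS:
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag at offset %d" % offset)
        tci, next_type = struct.unpack_from("!HH", frame, offset)
        tags.append((ETHERTYPE_NAMES[etype], tci & 0x0FFF))
        etype, offset = next_type, offset + 4
    return tags, ETHERTYPE_NAMES.get(etype, "0x%04x" % etype), offset


def rule_matches(frame, expected_tags, payload_type):
    """Emulate the chained match: every tag type/id in order and the innermost
    EtherType must all agree. Malformed (truncated) frames never match."""
    try:
        tags, inner_type, _ = parse_vlan_stack(frame)
    except ValueError:
        return False
    return tags == list(expected_tags) and inner_type == payload_type


# The rule from the text above, expressed as (tag stack, payload type).
QINQ_RULE = ([("8021ad", 1), ("8021q", 2)], "ip")

if __name__ == "__main__":
    ipv4_stub = bytes.fromhex("45000014")   # constructed: first bytes of an IPv4 header
    f = build_frame([(0x88A8, 1), (0x8100, 2)], 0x0800, ipv4_stub)
    print(parse_vlan_stack(f), rule_matches(f, *QINQ_RULE))
```

The parser stops at the first non-VLAN EtherType, so an untagged frame yields an empty tag list and a single-tagged 802.1ad frame yields one entry, which is the shape the simpler `ether type 8021ad vlan id 342` rule checks. Tag order is significant: a frame whose outer tag is 802.1Q and inner tag is 802.1ad does not satisfy the QinQ rule.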
- Added support for resource control based on the unified cgroups v2 hierarchy. The key difference between cgroups v2 and v1 is the use of a single cgroup hierarchy for all kinds of resources, instead of separate hierarchies for CPU allocation, memory management, and I/O. For example, to check whether the ancestor of a socket at the first cgroupv2 level matches the mask "system.slice", you can use:
    ... socket cgroupv2 level 1 "system.slice"
- Added the ability to inspect the chunks of SCTP packets (the kernel-side functionality required for this will appear in Linux 5.14). For example, to check whether a packet contains a chunk of type 'data', and to check that chunk's 'type' field:
    ... sctp chunk data exists
    ... sctp chunk data type 0
- Loading rules with the "-f" flag is now roughly twice as fast. Listing the ruleset has also been sped up.
- A notation for checking whether flag bits are set. For example, to check that the snat and dnat states are not set:
    ... ct status ! snat,dnat
  to check that the syn bit is set within the bitmask syn,ack:
    ... tcp flags syn / syn,ack
  to check that the fin and rst bits are not set within the bitmask syn,ack,fin,rst:
    ... tcp flags != fin,rst / syn,ack,fin,rst
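The following added example (not code from nftables or from the announcement) models the "value / mask" notation above as a small evaluator over the TCP flags byte, so the difference between "any listed bit set", "none set", and "masked equality" can be seen on sample packets. The flag bit values follow the TCP header layout; the sample packets and the helper names parse_flag_expr, flags_match and classify are constructed for this example. The same evaluator applies to other bitmask fields such as ct status once a different name table is supplied.

```python
# Added example, not part of nftables or the announcement: an evaluator for the
# "value / mask" flag-check notation, applied to the TCP flags byte. Flag values
# follow the TCP header bit layout; sample packets and helper names are constructed.

TCP_FLAGS = {
    "fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
    "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80,
}


def parse_flag_list(text):
    """Turn a comma-separated flag list such as 'syn,ack' into a bitmask."""
    bits = 0
    for name in text.split(","):
        name = name.strip().lower()
        if name not in TCP_FLAGS:
            raise ValueError("unknown flag: %r" % name)
        bits |= TCP_FLAGS[name]
    return bits


def parse_flag_expr(expr):
    """Parse the right-hand side of a 'tcp flags' match into (op, value, mask).

    Supported forms and the meaning each has in nftables:
      'syn,ack'                       -> any of the listed bits set
      '! fin,rst'                     -> none of the listed bits set
      'syn / syn,ack'                 -> (flags & mask) == value
      '!= fin,rst / syn,ack,fin,rst'  -> (flags & mask) != value
      '== syn' / '!= syn'             -> exact comparison of the whole byte
    """
    expr = expr.strip()
    if expr.startswith("!="):
        op, expr = "!=", expr[2:]
    elif expr.startswith("=="):
        op, expr = "==", expr[2:]
    elif expr.startswith("!"):
        op, expr = "none", expr[1:]
    else:
        op = "any"
    if "/" in expr:
        if op == "none":
            raise ValueError("'!' cannot be combined with a mask; use '!='")
        if op == "any":
            op = "=="                      # a bare 'value / mask' is an equality test
        value_text, mask_text = expr.split("/", 1)
        value, mask = parse_flag_list(value_text), parse_flag_list(mask_text)
        if value & ~mask:
            raise ValueError("value bits must lie inside the mask")
    else:
        value = parse_flag_list(expr)
        # exact comparisons look at every bit; any/none look only at the listed bits
        mask = 0xFF if op in ("==", "!=") else value
    return op, value, mask


def flags_match(expr, flags):
    """Evaluate a flag expression against a packet's TCP flags byte."""
    op, value, mask = parse_flag_expr(expr)
    masked = flags & mask
    if op == "any":
        return masked != 0
    if op == "none":
        return masked == 0
    if op == "==":
        return masked == value
    return masked != value                 # op == "!="


# Constructed sample packets: (description, flags byte)
SAMPLE_PACKETS = [
    ("syn only", TCP_FLAGS["syn"]),
    ("syn+ack",  TCP_FLAGS["syn"] | TCP_FLAGS["ack"]),
    ("ack only", TCP_FLAGS["ack"]),
    ("fin+ack",  TCP_FLAGS["fin"] | TCP_FLAGS["ack"]),
    ("rst only", TCP_FLAGS["rst"]),
    ("fin+rst",  TCP_FLAGS["fin"] | TCP_FLAGS["rst"]),
]


def classify(expr):
    """Return the descriptions of the sample packets matched by expr."""
    return [name for name, flags in SAMPLE_PACKETS if flags_match(expr, flags)]


if __name__ == "__main__":
    for rule in ("syn / syn,ack", "!= fin,rst / syn,ack,fin,rst", "! fin,rst"):
        print("tcp flags %-32s -> %s" % (rule, classify(rule)))
```

Note that `syn / syn,ack` matches only the "syn only" sample: the mask restricts the comparison to the syn and ack bits, so a SYN+ACK fails the test while a SYN carrying unrelated bits such as psh still passes. The evaluator rejects a value with bits outside its mask, which nftables would also refuse, and rejects `!` combined with a mask, since that combination is not among the forms shown.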
- The "verdict" keyword is now allowed in set/map type definitions:
    add map xm { typeof iifname . ip protocol . th dport : verdict; }
Source: opennet.ru
