nftables packet filter 1.0.0 released

The release of the nftables 1.0.0 packet filter has been announced. It unifies packet filtering for IPv4, IPv6, ARP and network bridges, with the aim of replacing iptables, ip6tables, arptables and ebtables. The kernel changes required for nftables 1.0.0 to work are included in Linux 5.13. The jump in the major version number does not reflect any fundamental change; it is simply the consequence of continuing the sequential numbering (the previous release was 0.9.9).

The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering basic primitives for extracting data from packets, performing operations on that data, and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed there in a dedicated virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to keep the filtering code running at the kernel level small and to move all parsing and protocol logic into user space.

Main innovations:

  • Support for the "*" catch-all element in sets has been added. It matches every packet that does not fall into any other element defined in the set:

        table x {
            map blocklist {
                type ipv4_addr : verdict
                flags interval
                elements = { 192.168.0.0/16 : accept, 10.0.0.0/8 : accept, * : drop }
            }

            chain y {
                type filter hook prerouting priority 0; policy accept;
                ip saddr vmap @blocklist
            }
        }

  • Variables can now be defined from the command line using the "--define" option:

        # cat test.nft
        table netdev x {
            chain y {
                type filter hook ingress devices = $dev priority 0; policy drop;
            }
        }
        # nft --define dev="{ eth0, eth1 }" -f test.nft

  • Stateful expressions (such as counters) are now allowed in map definitions:

        table inet filter {
            map portmap {
                type inet_service : verdict
                counter
                elements = { 22 counter packets 0 bytes 0 : jump ssh_input,
                             * counter packets 0 bytes 0 : drop }
            }

            chain ssh_input {
            }

            chain wan_input {
                tcp dport vmap @portmap
            }

            chain prerouting {
                type filter hook prerouting priority raw; policy accept;
                iif vmap { "lo" : jump wan_input }
            }
        }

  • A "list hooks" command has been added that shows the list of handlers registered on each hook for a packet family:

        # nft list hooks ip device eth0
        family ip {
            hook ingress {
                +0000000010 chain netdev x y [nf_tables]
                +0000000300 chain inet m w [nf_tables]
            }
            hook input {
                -0000000100 chain ip a b [nf_tables]
                +0000000300 chain inet m z [nf_tables]
            }
            hook forward {
                -0000000225 selinux_ipv4_forward
                 0000000000 chain ip a c [nf_tables]
            }
            hook output {
                -0000000225 selinux_ipv4_output
            }
            hook postrouting {
                +0000000225 selinux_ipv4_postroute
            }
        }

  • The queue statement can now be combined with the jhash, symhash and numgen expressions to distribute packets across user-space queues:

        ... queue to symhash mod 65536
        ... queue flags bypass to numgen inc mod 65536
        ... queue to jhash oif . meta mark mod 32

    "queue" can also be combined with map expressions to select a user-space queue by an arbitrary key:

        ... queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }

  • Variables that hold sets of elements can now be expanded inside maps:

        define interfaces = { eth0, eth1 }

        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { lo : accept, $interfaces : drop }
            }
        }

        # nft -f x.nft
        # nft list ruleset
        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
            }
        }

  • Concatenations with intervals are now allowed in anonymous vmaps (verdict maps):

        # nft add rule x y tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept }

  • The syntax of NAT mappings has been simplified. A range of addresses may now be given in the map:

        ... snat to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }

    or an explicit IP address and port:

        ... dnat to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }

    or a combination of an IP range and a port range:

        ... dnat to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2-10.141.10.5 . 8888-8999 }
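The following ruleset is an added example written for this article; it is not taken from the nftables release notes or the project's own test suite. It combines three of the features above into one host policy: a verdict map with the "*" catch-all element as the default verdict, per-element counters inside the map so that hit counts per source network are visible in "nft list ruleset", and an interface list supplied at load time with "--define". The table name host_filter, the chain names, the 10.20.0.0/16 management prefix and the variable admin_ifs are all constructed for the example, and the file assumes nftables 1.0.0 on Linux 5.13 or newer.

```nft
# host-filter.nft (constructed example)
# Syntax-check without touching the kernel:
#   nft --define admin_ifs="{ eth0, eth1 }" -c -f host-filter.nft
# Then load it by dropping -c.

table inet host_filter {
    # Verdict map keyed on the IPv4 source address.
    # "flags interval" lets elements be prefixes; "counter" attaches a
    # counter to every element, so hits per network show up in
    # "nft list ruleset". The "*" element is consulted only when no other
    # element matches, which makes it the map's default verdict.
    map src_policy {
        type ipv4_addr : verdict
        flags interval
        counter
        elements = { 10.20.0.0/16    : jump mgmt_input,
                     192.168.0.0/16  : accept,
                     *               : drop }
    }

    # Management networks may only reach SSH; everything else from them
    # is dropped explicitly rather than falling through to the base chain.
    chain mgmt_input {
        tcp dport 22 accept
        drop
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # $admin_ifs is substituted from the command line, e.g.
        # { eth0, eth1 }; traffic on any other interface hits policy drop.
        iifname $admin_ifs ip saddr vmap @src_policy
    }
}
```

Because the catch-all element carries its own counter, a rising "* : drop" count after loading is the quickest sign that a source you expected to be listed is missing from the map, without having to add a separate logging rule.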

Source: opennet.ru